If you could create your own security program what would it be?

If you could create your own security program what would it consist of? Be realistic.

And by realistic I mean don't say "It would have a blacklist of every malicious file ever" instead you would explain how it gets its blacklist.

Explain it in as much detail as possible.

 

i will focus on Rootkit and protection for Bios and firmware
always deny anywrite to firmware
antirootkit Real time protection
and On demand scanner that will Protect both x64 and x86

and uses various technique and engine in scanning for rootkit
also it will have a cloud based Rootkit signature scanning
for quickly submitting suspicious rootkits and detecting new ones

also it contain a Firmware scanner only that will scan firmware for infection

 

An Emergency/Recovery function (something like Reboot and Press R or E)
Loaded before the main system lunches, a Console could allow users to:

(a) Safely Extract their Personal Files (e.g. Documents, Images, Music, Video etc.)
and Save them in external Storage Devices (e.g. USB, DVD ext. HD)

(b) Restore (Default Options) for All System Files so that the system successfully Boots
even if it couldn't.

 

Ultra customization HIPS for beginners or experts.

 

Mine would be a HIPS style approach. Nothing fancy, just simple monitoring and logging. Of course some abilities would help to test, like:

1. options that define what to watch for (actions, directories (to monitor execution in or to monitor read/writes in), registry (similar to directories), executable names, etc)
2. option to monitor for a time, then a simple black/white list
3. option to "engage" a lock down
4. option to "engage" free executing anything
5. option to "engage" pop-up mode for everything (for fine tuning/ testing)

It would also include a network portion.

1. option to allow/deny outbound comms per application
2. option to simply log activities for testing purposes
3. option to show more granular activities, like dns hits, http addresses, etc

In short, it would be what most of us have tried in way of HIPS, but more for logging than to actually control things. With a vast array of tools at our disposal, I really feel there are plenty of fine programs available, but no really great tools to explore what is happening except for those security tools themselves. I use Outpost firewall for testing network comms, but don't run it all the time, only when I want to know what a certain application is doing.

Sul.

 

Just remember to keep track of new HIPS systems. Otherwise, others may profit from something you idealized.

 

It would come with direct-to-credit-card punishment for users making transgressions. For example, 200 dollars for saving a file to desktop. I have this arrangement with my parents and it works beautifully. They get rewarded for doing things correctly and punished for not. Best education ever.
Mrk

 

How have your parents not killed you? Legally nobody could make a program like that (unless the government did), you'd get sued and/or jailed so fast your head would spin like a top.

 

200 dollars for saving a file to the desktop? That's extortion!

With a son like you, they don't need anyone to rob them. Imagine 200 dollars a month. That equals 2400 dollars. Make it weekly...

I wish I could do something like that!! LOL

 

Ehh Would be
a) easy way to switch on deny elevation of unsigned programs
b) easy way to add mandatory Medium Integrity levels to interfacing apps to internet facing aps and vulnarable plug-ins (java, pdf, flash)
c) easy way to enable the 1806 deny execute / deny drive by download trick
d) easy way to remove change rights of home users of the autorun entries located in HKCU
e) easy way to remove execute option of folders

Above is all build into windows, switching those locks on and only removing them when required has been the basis of Safe-Admin for two years now (with low rights sandboxes of IE9 and Chrome).

Waiting for Sully to complete it

 

A simple program to close open ports, like the old Windows Worms Doors Cleaner.

 

Sandboxie, with the ability to scan new files through an extensive cloud database before being moved out of the box.

I'd use that, and the project Mr. PC's working on... and feel pretty darn good about things.

 

I don't think I would bother creating one. I already have one, my brain. It's worked well me over the years.

 

Something like Sanboxie,Appguard and processguard all in one with automated hitman pro like scan when recovering from the sandbox to the OS.

 

I wouldn't build a security app per se. I'm playing with an idea that would separate the core operating system from the installed apps and the users data. The core operating system would be read only, most likely taking the form of a live CD. The security system, user apps, and stored data will be on encrypted partitions that will be completely inaccessible without the live CD. Plans include integrity checking of the live CD before it can unlock the encrypted partitions, a memory wipe at shutdown and (if possible) on-demand, hardware changes that will wipe the drives if the case is opened, plus a few other ideas that I'll keep to myself.

This isn't something that I need, just something I'm enjoying working on when I feel up to it.

 

You just uncovered a project I have been trying to build!

The entire hard drive is encrypted:
User partitions encrypted with a static key and password
OS partition encrypted with a random key every boot and is "reset" every boot
Swap encrypted with random key.

The OS partition is reinstalled and ciphered with a random key on boot. I did this in a way it takes the least amount of time to boot. (AKA. small linux kernel)

The OS is right protected and all programs/files exist on a user partition. (This requires customizing the kernel).

Boot from a CD/Flash drive - this runs an integrity check on the Drive header (which would be pseudo-random noise) if the SHA256 bit hashes match proceed - Check flash drive/CD integrity if these match proceed to re-image the OS partition.


On shutdown wipe RAM (similar to how TAILS Live CD does), by calling a kexec to launch another kernel. This prevents Cold boot attacks.

On demand - Just have a hot key call kexec to do the same thing as above.

The first major downside is any application that ties into the kernel won't work without some kind of emulation. The kernel is read only.

Making a read-only kernel isn't hard but making it work with user installable applications is hard.

---------

I would design what I said above and then pre-install popular apps and not allow anything else to be installed. Removing the user from the equation.

 

Lol. Or you uncovered mine.
There's quite a few differences between your project and mine.

That's my biggest gripe regarding Live CDs, can't add or modify anything. I plan on making it possible for the user to add additional applications. They'll probably have to be portables but that still leaves a good selection. I don't want to have to rebuild the whole thing every time a major vulnerability turns up in an application (like the recent one in Tor). It's security setup won't be too much different in principle than what I'm using now (default-deny, admin modifiable whitelist) except that it will be tighter. At present, trying to assemble this into a distributable form isn't in the plans, partly because I doubt there'd be any demand for it, and partly because I have no idea how to do it and make it work on more than one type of hardware.

Slightly different approach, very similar results. Without knowing the details, the main differences I see is that I'll be using a CD exclusively and eliminate any possibility of an altered boot device being used. Whether it ever gets completed or not, developing it is definitely fun and quite the learning experience.

 

LOL true enough xD

I think two versions would be good:

1) with default deny so only installed apps can be run.

2) with installable apps.

The first is great for corporate offices where they don't want users to install anything.

The second is great for users.

I prefer having it on disk that way you don't need to have the CD in all the time. The down side to having a CD all the time is that you can't easily use another CD if needed.

I have a kernel that's read -only and can't find any way to get around it. Your way may be more bullet proof but I think for convenience my way works in that regard.

If we finish we should do a comparison in a thread

 

And when will we be able to buy it

 

I don't want to get into toooo many details =p but for me it would basically segregate the system into different levels of trust similar to the integrity system but instead of by path it would be by heuristics-score, which would be based on very simple and specific signatures.