Internet Security Moving Toward 'White List'
ehud42 writes "According to Symantec, 'Internet security is headed toward a major reversal in philosophy, where a 'white list' which allows only benevolent programs to run on a computer will replace the current 'black list' system' as described in an article on the CBC's site. The piece mentions some issues with fairness to whose program is 'safe' including a comment that judges need to be impartial to open source programs which can change quite rapidly. Would this work? The effort to maintain black lists is becoming so daunting that white lists may be an effective solution."
Sounds to me more like a scheme to squeeze money out of software producers: "Give us teh money if ya wants yer program whitelisted."
New mod option wanted: -1 DrunkenRambling
Can someone send me a list of all IPv4 hosts which are not malicious? k thanx bye.
PS. please can you also send me an update whenever a new machine is compromised?
"It doesn't cost enough, and it makes too much sense."
A lot of the work my computer does for me happens via Google's Javascript. Will I have to whitelist it all over again every time the gmail implementation changes? If it's whitelisted by domain, then you still have to protect against cross-site scripting attacks somehow (all hail NoScript!)
The whole idea of a program being a quasi-static executable installed locally is starting to seem quaint.
Or is this going to really screw small-scale windows developers?
Seems to me to be a blatant attempt by the big boys to lock users into their software (or software from companies they have an arrangement with). Since the majority of users probably won't know how to disable this 'feature', they will have less choice, and therefore higher costs.
If we can put a man on the moon, why can't we shoot people for Apollo-related non-sequiturs?
Why? Because AV vendors want your money.
With a whitelist, the user clicks 'Accept' for everything he runs. Then he's protected until he installs something else.
Blacklists are great since they require yearly subscriptions.
Isn't the flip side of this that now you're only allowed to run approved programs on your computer? Only IE is approved for web browsing, only MSN Live is approved for instant messaging. I know that I, for one, welcome our corporate overlords.
White lists have been proposed since the beginning of time - from web filtering to spam prevention, and now to malware prevention - and they all suffer from exactly the same problem, which is the fact that humans are not all identical clones of each other, and neither consume information in the same way, nor communicate with others in the same way.
Commodore 64, Loading up the dance floor!
Take me for example. My open source software has a tiny number of users, being very specialised, and I'm not alone in having this class of software. We can't all be Apache developers. How will people like me get their program approved? Is it going to cost money? That's what I want to know.
I'd be interested in knowing how they deal with the fast release cycle of open source software (excluding mine, oh for a 48 hour day...).
I'm pretty keen on the whitelist idea though. If nothing else it'll make malware more inventive, they'll start imitating the fingerprints of validated software.
This is not a new idea, and many have talked about it before
Really, black lists were a bad idea from the start. Usually, the programs people want to run on a computer will remain fairly static, with perhaps a few changes when they update or find something online that looks interesting.
I'm sure there must be some security software that uses whitelists already. Does anyone know of any free ones?
The Internet in general terms started moving in this direction years ago when people started to configure their firewalls to block everything and allow only what you need through. Previously it was reasonably common practice not to have a firewall at all - or if you did, all it did was block against things which were known to be malicious.
It is a lot of work to maintain any whitelist of any significant size. But the reason you do it is because it's a lot more work to maintain any blacklist of any significant size, and even more work still to clear up the mess after something slips the net.
I think residential ISPs will be the first - I'd be surprised if it was even possible to connect outside your own ISP's network. Email through their SMTP server, web access through their proxy, sucks if you want any other service your ISP doesn't provide. Some of the more expensive ISPs may set up some sort of "sign a disclaimer and we'll let you do anything, but we reserve the right to pull the plug if we see so much as a single malicious packet" system.
I would like to see an OS that maintains
several rings (concentric circles) into which programs can qualify
through increasingly rigorous standards and testing as they
get closer to the central core ring of software.
So essentially this OS would have a core ring of whitelisted and essential
programs. Just outside this would be a 2nd ring of whitelisted but
optional programs.
Then a ring of "grey listed" (reputationally vouched for, for both security
and usefulness and quality)
Followed by a "wild west" outer ring.
The OS would be designed so that programs in a more outer (less trusted,
and less essential) ring, could not have any access to the memory or disk
areas of more inner programs, and could only ever use the services of inner
programs through narrow public interfaces supervised by the OS.
Where are we going and why are we in a handbasket?
You can disable those in your browser, you know? You don't even have to install Flash.
Or is this a *WOOSH* moment?
"I think it would be a good idea!"
Gandhi, about Internet Security
I think people should look at the big picture before taking this too seriously as a security measure: Programs only run on a system if they are either started by the end-user, or started by some other code on the system which has explicitly allowed that program to run. Put another way, the current first line of defense is a 'white-list' like approach where processes only run when they are allowed to run.
The problem is that there are lots of people / large software monopolists in the world who don't know how to code well, and this creates security flaws which cause this authorised code to do things on behalf of other code, including possibly executing arbitrary.
This code is then theoretically built on top of a kernel which attempts to restrict what the code can do even if it is executed (of course, often there are flaws here too, and often the exploited code is run with more privileges than it should have, so the entire system can be compromised).
Virus scanners and other security software of this kind are supposed to provide an extra, reactive layer of defense on top of the existing proactive measure for anything which slips through the cracks. Suggesting that they be turned into another white-list is therefore not a logical suggestion, and implies that they are not being entirely honest:
* They might just want to create hype to utilise unsuspecting journalists to sell more of their products for them.
* Perhaps this is part of another Digital Restrictions Management style plot to take the decisions of what runs on computers from computer owners and give it to some central pseudo-authority so they can (mis)use the power for their own purposes.
X-Has-Sig: yes
It won't just be "you're on the list, welcome to the party" but access to each resource will be given only if that particular access is whitelisted.
You already see this in some security programs, where program A is white-listed for ports 80 and 443, program B is listed for ports 20 and 21, etc. etc. etc.
Eventually, this will be locked down even more. Program A may be whitelisted for port 80, but only for the purposes of self-updating or reporting bugs to its manufacturer, and only to a short list of domain-names or IP addresses.
Within a web browser, not only will add-ons like flash and Java have their own restrictions, each add-on will have its own restriction. Java implements a version of this already, allowing applets: it's supposed to let them talk to home base but not much more.
I also see the rise of ordinary applications running in a full or lightweight VM, with applications in different VMs talking to each other over a virtual network rather than through shared memory or shared files. Rogue or compromised applications in a VM will be limited to what they can do, much like a chroot'd or BSD-jailed application, only more so.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I remember reading on Slashdot in the past that when Anti-Vir was first around (I think the old DOS Program Norton Navigator was referenced), we started with a White List. The same White List idea outlined here. Then for whatever stupid reason we moved to a blacklist. There's only a finite number of good programs, whereas bad ones spring up every 5 minutes.
Check out Usable Interaction Design
Also relevant: Capability security.
E Language
Capability Security
Maybe a "NoScript Plus", like adblock plus, where a few trusted individuals (or a reputation based system) can be used to maintain an "auto-whitelist" for noscript. Users could then choose the level of "auto" whitelisting they wish to use... None (which is like it is now), Trusted Major Commercial (allowing google, yahoo, etc.), etc. I personally would choose None, but I can see that non-technical users would opt for someone else to maintain a list (that they could still override locally.)
OSes were never designed well. Viruses were not profitable like they are now, so people didn't look as much. There also was less people using computers/looking for vulnerabilities, and all were doing it by debugging source code or dreaming up ways to break RFCs rather than using automated fuzzing techniques. There was also less need for reams of code that was written faster than it could be QA'd, due to less people using the internet.
Look at the Morris worm in 88. There was no code exploit, or coding mistake. It took advantage of an unauthenticated backdoor to sendmail, which was running as root. This would doubtfully fly today anywhere. Does that mean coders then or now were any better? Nope.
No matter what industry you are in, IT, Car Sales, home improvement, etc., people make more money getting the job done as quick as possible with ease of support, rather than doing it right the first time. This is the American dream: making as much money as you can and let someone else clean up the mess. You just hear about problems more now that the web has made news more accessible, and the fact that a hacker can write a virus that harvests emails out of addressbooks to sell/send spam mail for advertising revenue and cover my tracks well enough not to get caught. Once again, the American dream, make money while someone else cleans up your mess.
The problem with implementing a white list approach is that this ultimately is going to be a real pain to maintain. Not only that but it is going to require (as the article alludes to) cooperation between a lot of companies to get it implemented. Based on the article they are going to have to set up an authority that will bless all the good programs.
I wonder just how much it is going to cost you to get your program blessed? And how long will it take?
From what I can tell they want a white list of approved programs that will be allowed to run on your system. Unless they go the extra step and sign each executable/script by an approved signing authority anyone will be able to substitute their own code for one of the approved programs. Game over.
Then there is the whole issue of how do you handle the process of upgrades/updates and patches? All of those would have to be approved and signed as well.
While a reasonable idea on the surface there are many aspects of widely deploying such a scheme that make it impractical. The worst case is that people would manage to get just about everything approved by simply submitting it to a web site. Which defeats the purpose.
If you make it a local user configuration thing then users would simply do what they do now, click on through or approve any little application that asks to be approved. They don't know what they are letting on to their systems now. And we are back where we started.
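Added example, not part of the thread: the substitution and update problems raised in the comment above, shown by comparing a name-based allowlist with one that pins each path to a SHA-256 digest inside an authenticated manifest. The path, key and byte strings are constructed for illustration, and HMAC stands in for the public-key signature a real approving authority would use.

```python
import hashlib
import hmac
import json

# Constructed sample "executables" (plain byte strings, not real binaries).
APPROVED_V1 = b"editor build 1.0 (constructed sample)"
UPDATED_V2 = b"editor build 1.1 (constructed sample)"
SUBSTITUTED = b"different program saved under the approved file name"

# Hypothetical authority key; HMAC stands in for a public-key signature.
AUTHORITY_KEY = b"constructed-demo-key"


def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def _mac(entries: dict, key: bytes) -> str:
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def sign_manifest(entries: dict, key: bytes) -> dict:
    """Authority side: bind path -> digest entries to the authority's key."""
    return {"entries": dict(entries), "mac": _mac(entries, key)}


def allowed_by_name(path: str, approved_names: set) -> bool:
    """Weak check: trusts whatever bytes sit at an approved path."""
    return path in approved_names


def allowed_by_digest(path: str, blob: bytes, manifest: dict, key: bytes) -> bool:
    """Stronger check: manifest must verify and the content must match it."""
    if not hmac.compare_digest(_mac(manifest["entries"], key), manifest["mac"]):
        return False  # manifest was edited after the authority signed it
    return manifest["entries"].get(path) == digest(blob)


if __name__ == "__main__":
    path = "/usr/bin/editor"
    manifest = sign_manifest({path: digest(APPROVED_V1)}, AUTHORITY_KEY)
    print("name check, substituted:", allowed_by_name(path, {path}))
    print("digest, approved:", allowed_by_digest(path, APPROVED_V1, manifest, AUTHORITY_KEY))
    print("digest, substituted:", allowed_by_digest(path, SUBSTITUTED, manifest, AUTHORITY_KEY))
    print("digest, unapproved update:", allowed_by_digest(path, UPDATED_V2, manifest, AUTHORITY_KEY))
```

The last case is the maintenance cost the thread keeps returning to: a legitimate update is blocked exactly like a substituted binary until the authority issues a new manifest entry for it.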