January 8, 2013

Application whitelist - the good, bad and evil

We know that...

The common way to protect operating systems from malicious attacks is to install an endpoint protection system that blocks malware, zero-day attacks and all the other cool stuff we know.
There is, however, an additional concept: whitelisting all of the operating system's files and not allowing any other application to run, e.g. the Bit9 Parity product.

The good

It can prevent unauthorized applications from executing.

The bad

If the operating system is already infected, the malicious activity will continue to run.

The evil

- If the protection is based on MD5 hashes, it can be bypassed with an MD5 collision attack.
- Whitelisted runtime environments can be used to execute malicious software, e.g. if the Java Runtime Environment (JRE) is installed on the operating system, then malicious Java code can run (this currently still works on Bit9 Parity).
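As an added illustration (not code from the original post or from any whitelisting product), here is a minimal hash-based whitelist checker that addresses both points above: it refuses MD5 entries and accepts only SHA-256 digests, and when the whitelisted executable is a runtime host such as the JRE, it also checks the payload file it is asked to load. All file paths and contents are constructed stand-ins.

```python
import hashlib
import shlex

# Programs that execute content handed to them as arguments. Allowing the host
# binary alone is not enough: the payload it loads must itself be allowlisted.
RUNTIME_HOSTS = {"/usr/bin/java"}

# Constructed stand-ins for file contents on disk (path -> bytes).
FILES = {
    "/usr/bin/java": b"java runtime binary (constructed)",
    "/opt/app/app.jar": b"approved application jar (constructed)",
    "/tmp/dropped.jar": b"jar that is not in the allowlist (constructed)",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def load_allowlist(entries: dict) -> dict:
    """Accept only SHA-256 digests. A 32-hex-char MD5 digest is refused, so a
    collision-prone hash can never be the basis of an execution decision."""
    allowlist = {}
    for path, digest in entries.items():
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"{path}: expected a SHA-256 hex digest, got {digest!r}")
        allowlist[path] = digest
    return allowlist

def is_allowed(path: str, data: bytes, allowlist: dict) -> bool:
    """Content-based decision: the file must match its recorded SHA-256 exactly."""
    return allowlist.get(path) == sha256_hex(data)

def check_command(cmdline: str, allowlist: dict, files: dict = FILES) -> tuple:
    """Return (allowed, reason) for an execution request. For runtime hosts,
    every argument that names a file on disk is checked against the allowlist too."""
    argv = shlex.split(cmdline)
    exe = argv[0]
    if exe not in files or not is_allowed(exe, files[exe], allowlist):
        return False, f"executable not allowlisted: {exe}"
    if exe in RUNTIME_HOSTS:
        for arg in argv[1:]:
            if arg in files and not is_allowed(arg, files[arg], allowlist):
                return False, f"runtime host {exe} given non-allowlisted payload: {arg}"
    return True, "allowed"

ALLOWLIST = load_allowlist({
    "/usr/bin/java": sha256_hex(FILES["/usr/bin/java"]),
    "/opt/app/app.jar": sha256_hex(FILES["/opt/app/app.jar"]),
})
```

Calling `check_command("/usr/bin/java -jar /tmp/dropped.jar", ALLOWLIST)` is refused even though `java` itself is whitelisted, which is the gap the second bullet describes.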