May 23, 2004

Process Rights Management: Why Whitelists will always trump Blacklists

First off, I apologize for the lack of posts lately. I have been quite swamped rewriting parts of my kernel code and porting some of the backend to Longhorn. Everything seems to be working well, hold that to a phantom bug relating to laptops with the suspend feature, but it is keeping my hands busy in the process.

Anyways, I thought I would give an update on some of the research I am doing, mostly to bring some of my friends up to speed on why I have been hunting for different hardware for different platforms, and stackable multiport KVMs to keep my desktop clean.

I have been spending a lot of time recently working on understanding how my intrusion prevention system for Windows could be improved. I have taken some of the profiling and learning algorithms and played with them in an effort to really understand how to trace the behaviour of applications. Now its time to explain why.

Over the last two years I have been quite perturbed at the the turn around time from patch to exploit. What used to take months (in many cases years) for a response, we are now seeing lazy attackers simply waiting for a patch to come out, disassemble that to find what has changed and then go to town making the next attack pattern. In some cases, we are talking less than 3 days.... way to short of a time period for most organizations with complex patch management roll out strategies.

Patching is only effective when its done, and done so on a timely basis. There are some great companies working on better automatic patching solutions, but they just don't always work in the processes some IT infrastructures have. It is difficult to roll out when it is frowned upon to touch stable servers with untested patches in environments where criticial business resources rely on said servers to stay up.

Tie this issue together with the fact that other tools like anti-virus are only as good as their signature databases, we begin to see that new blended threats are propogating with more complex hydra like hostility, and they need to be repelled differently.

This isn't new. I have discussed the use of infosec principles like least privilege to be used to confine the damage that may be caused by exploited processes, and it was the very principle used when I designed my intrusion prevention system. However, about a year ago when I presented to a group about behaviour based anomaly detection based on whitelists I never expected Microsoft to pick up on it, and announce similar findings to be investigated and installed into future operating systems like Longhorn.

Well, Longhorn is to far off. And people need solutions now. More importantly, users need a concise strategy that is focused on infosec principles that will work now and in the future, across all devices, on different operating systems.

Hence my dungeon work. I have been working on better ways to trace code execution paths and expose just what an application really needs by way of access rights. From files and registry to network access, we need a cleaner way to map the "whitelist" of what applications, services and operating systems do. By properly understanding what an application is supposed to do, we do not have to fear what its NOT supposed to do. When in violates a given behaviour, it can be considered suspect, possibly even hostile, and can thus be blocked.

In other words, the next time an exploited process decides to download a backdoor, we can immediately block this activity from occuring, ensuring the integrity of the system by denying the malicious code from even executing, and take further action to terminate, isolate or investigate the breach.

In this way, we can increase the time for administrators to effectively deploy their patches to vulnerable software and operating systems. It turns the timeline back in favour of the defender, giving us more time to fix buggy software and allowing security companies time to profile new attack vectors and build signature patterns for their IDS, anti-virus engines etc.

Where next? Well, the idea of process rights management comes into play. We can define what an application is allowed to do at runtime, and force those constraints on executing code in any environment. As I continue to work on this it will provide some interesting hooks to operating systems like XP, WS2K3 and Longhorn... exciting stuff for you to see! And now you realize why I haven't had much time to blog much :)

Now please, stop emailing me asking if I am dead. I'm not. I've never felt more alive.

Posted by SilverStr at May 23, 2004 11:34 AM | TrackBack
Comments

at the host level, this is the sort of thing that stephanie forrest has been doing for ages now, evaluating syscalls and execution paths. at the network level, application firewalls have been doing this for some time, as well. the XP SP2 firewall is yet another example of this. on a larger scale, this is very much what arbor and a few others have been doing for a few years now. it is effective, provided you have a suitable training period that observes all acceptable behavior (or you can edit it in) and that you can readily remove unwanted behavior. you will have a wealth of knowledge to draw upon for related materials, tools, and insight.

as for commercial offerings, one of the latest forays into this markey is sana security.

Posted by: jose at May 23, 2004 02:13 PM

Sounds very cool! Is this similar to what systrace (http://www.citi.umich.edu/u/provos/systrace/) can provide for Linux/*BSD systems?

Posted by: Staffan Malmgren at May 24, 2004 03:38 AM

Good pointers Jose. Now take that to the next level. WHY should we have to train it? It is possible to look inside a process and expose all the code paths programatically, allowing you to create a whitelist WITHOUT having to teach it the behaviours of the process of a period of time.

Lots of different research in different areas. All good stuff. Now if people would just start using it. :)

Posted by: SilverStr at May 24, 2004 07:39 AM

Staffan,

It has some traits characteristic of systrace, but has a broader scope in how it actually tracks the code path execution sets.

Think of melding systrace with the aspects of application jailing... and you just about get what I am looking at.

Posted by: SilverStr at May 24, 2004 07:41 AM

actually, i don't think you want to train it based on static analysis. for starters, you're never certain that any of the codepaths you identified are reasonable from a security standpoint. for example, just because you *can* open a file doesn't mean you *should be able to*. from a static analysis standpoint, you can't know for certain what the consequences of that action are. never mind the complexity of the problem. dynamic analysis makes this comparitively trivial.

if i'm not mistaken, i think this is a conclusion of a lot of this type of research. edited learning based training periods are, to the best of my knowledge, the most accepted format of behavioral based anomaly detection systems.

some other things to consider: stateless vs stateful codepaths, syscall table editing (a'la trusted solaris), and syscall proxying and you may be able to go beyond the current research and product space. on UNIX, this is relatively easy to do. perhaps it's because of my relative skills with Windows, but this seems trickier on an NT-based kernel family.

Posted by: jose at May 24, 2004 08:14 AM