Will a whitelist save personal computing?

I've previously written about how traditional anti-virus programs are finally outliving their usefulness as a preventative measure. Server-side polymorphic malware programs and malicious programs using custom, unscannable packers are making static anti-virus scanners less and less accurate. Using all sorts of tricks, malware writers are making millions of seemingly "unique" (although they aren't) programs a year. I'm not sure we have millions of legitimate program executables in a given year.

When unique malicious programs outnumber unique legitimate programs, it makes sense to have a whitelisting program. A whitelist is a collection of legitimate approved values (for example, DNS entries, program names, e-mail domains, and so on) that are allowed to interact with your computer or network. A client-side, whitelisting program would intercept all new downloads and allow only previously approved content to execute or load.

A large percentage of today's computer attacks occur by socially engineering the end-user into running programs or content they shouldn't. I mean, truthfully, it's really a lot to ask of the average end-user for them to differentiate between an official Microsoft patch sent to them in e-mail (hint: they are never sent in e-mail by Microsoft) or a legitimate video codec needed to see the latest YouTube video (hint: YouTube videos never need additional codecs to view). Our end-users shouldn't need to be computer security experts just to run their PCs.

In my thinking, the necessary whitelisting program would be heavily integrated with the underlying OS, work across multiple platforms, and intercept downloads and content execution of any type. This would include intercepting browser downloads, instant messaging transfers, peer-to-peer exchanges, installable programs, and locally loaded content (such as USB flash drives, CD-ROMs, and more). The program would have to intercept executable programs at the very least, but the best-of-breed program would also intercept content that could be used maliciously (JavaScript, ASP, Flash files, PDFs) and potentially cover Web pages and Web sites.

Each downloaded program or piece of content would be hashed using a widely accepted cryptographic hash algorithm, such as SHA-2, and the result compared against a store of approved hash values. All programs and content would have to be submitted and approved beforehand in order to be passed by the whitelisting program. Programs and content without an approved hash would be flagged as unapproved and treated accordingly.

Legitimate programs would be submitted for approval to an expert community of volunteers to analyze. The experts would analyze the programs for maliciousness, privacy, and potentially unwanted behavior. Each of these categories could be ranked if a binary decision wasn't enough.

The program's name and its hash result would be stored in a fault-tolerant, distributed database, resistant to massive DDoS attacks. The client-side whitelisting program would send a single packet query to the database submitting the locally collected hash result. The database would respond to the client with a single packet indicating the program's status (legitimate and approved, or some sort of category ranking). The end-user could then make an informed decision about a particular program/content.

Program analysis would be done by a community of computer security experts, who would then paste the technical decision into the database, along with the program's name and hash result. Only preapproved experts could update the database. The most popular client queries would be cached, of course.

Trusted vendors such as Microsoft, Sun, Apple, Linux, Red Hat, and OpenBSD could be given special arrangements to update the database as well. That way, Microsoft and the other vendors could submit their legitimate programs, patches, and updates to the distributed database before they release downloads to the general public.

Each client-side program would include a tamperproof local database of the most popular programs (Outlook, Office, Flash, Acrobat, Firefox) to their particular platform, so remote database queries would not be needed. The local database would be hashed as well so that any unauthorized local tampering would result in a warning message. Of course, if a malicious program was successful in getting active in memory before being analyzed by the program, it could modify the client-side program in such a way as to escape detection.
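The hash-and-look-up flow described above (SHA-2 hash of the download, local cache of approved hashes, remote query as a fallback, and a sealed local database that warns on tampering) as an added example, not code from the original article. The sample downloads, the remote database contents, and the local-database key are all constructed; a keyed hash (HMAC) stands in for the article's hashed local database, and it only catches edits made by something that does not also hold the key, which is exactly the caveat the paragraph raises about malware that is already active.

```python
import hashlib
import hmac
import json

# Constructed local-database key; a real client would keep this in protected storage.
DB_KEY = b"constructed-example-key"

# Constructed sample content standing in for downloads (not real vendor binaries).
LOCAL_GOOD = b"MZ constructed sample of a popular, locally cached program"
REMOTE_GOOD = b"%PDF-1.4 constructed sample of a less common, remotely approved document"
UNKNOWN = b"MZ constructed sample that nobody has submitted for analysis"

def sha256_hex(data: bytes) -> str:
    """Hash the content with SHA-256 (a SHA-2 member), the value the database is keyed on."""
    return hashlib.sha256(data).hexdigest()

def seal_local_db(entries: dict) -> dict:
    """Bundle approved hashes with a keyed hash so unauthorized local edits are detectable."""
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": dict(entries), "mac": hmac.new(DB_KEY, body, hashlib.sha256).hexdigest()}

def local_db_intact(db: dict) -> bool:
    """Recompute the seal over the stored entries and compare in constant time."""
    body = json.dumps(db["entries"], sort_keys=True).encode()
    expected = hmac.new(DB_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, db["mac"])

# Constructed stand-in for the distributed database: hash -> verdict.
REMOTE_DB = {sha256_hex(REMOTE_GOOD): "approved"}

def remote_query(digest: str) -> str:
    """One round trip to the remote database; anything not listed is unapproved."""
    return REMOTE_DB.get(digest, "unapproved")

def check_content(data: bytes, db: dict) -> str:
    """Verdict for one download: refuse a tampered cache, then consult cache, then remote."""
    if not local_db_intact(db):
        return "tampered-local-db"
    digest = sha256_hex(data)
    return db["entries"].get(digest) or remote_query(digest)

def build_local_db() -> dict:
    """Sealed cache holding only the 'popular' program, as the article's local database would."""
    return seal_local_db({sha256_hex(LOCAL_GOOD): "approved"})

if __name__ == "__main__":
    db = build_local_db()
    for name, blob in [("cached", LOCAL_GOOD), ("remote", REMOTE_GOOD), ("unknown", UNKNOWN)]:
        print(name, check_content(blob, db))
    db["entries"][sha256_hex(UNKNOWN)] = "approved"   # simulate malware editing the cache
    print("after tampering", check_content(UNKNOWN, db))
```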

Analyzing and approving custom content is a special problem. I mean, how do you get every content developer to submit their content for analysis? How likely is it that Sarah Silverman will submit her YouTube video paying loving ode to Matt Damon? Not very, and that's why social engineering will always be a problem. If the content is juicy enough, or looks legitimate enough, some certain percentage of users will ignore the client-side program's warning and just run it.

At least the whitelisting program gives users who do care a chance to make an intelligent, informed decision. A client-side, whitelisting program doesn't stop all the other sorts of computer attacks, such as password guessing/cracking, buffer overflows, misconfigurations, cross-site scripting, and so on, but it's a solid beginning and would stop a majority of today's attacks.

Many vendors offer something close, yet none provide a solution this inclusive. I'm still waiting for the white knight whitelister.