
whitelist opinion smackdown

18 November 2008

i realize i’ve been rather quiet as of late - not sure why, perhaps i lost my mojo… anyways, you can all thank cdman for rousing this ogre out of slumber…

in a recent post, cdman lays out his response to randy abrams’ post on whitelisting… perhaps it was the hint at the possibility of an ad hominem attack against a fairly well known and long-standing member of the av community (randy was, for a long time, the voice of av from within the belly of the beast - aka microsoft) that piqued my interest, but that wasn’t cool so let’s move on…

cdman’s first substantive beef is the suggestion that whitelisting companies can’t do their job without anti-virus software… ignoring the fact that in practice this is actually true (whitelisting companies currently depend on anti-virus software to determine if something is safe to add to their whitelist), let’s look at the hypothetical alternatives he suggests - specifically that whitelist vendors could rely on reputation, or build the generic malware equivalent of marko helenius’ automatic and controlled virus code execution system…

relying on reputation offloads the problem of keeping bad software off the whitelist onto the very people providing the bad software… sure people who provide bad software consistently will get a bad reputation and not be trusted, but what about people who only do it once in a blue moon? microsoft releases tons of legitimate and safe software but they have on occasion also distributed virus infected materials… you’d be hard pressed to justify not whitelisting code from microsoft if you were relying on reputation but if you did whitelist all their code you would eventually whitelist something you shouldn’t have… furthermore, relying on reputation is precisely the method that customer-generated whitelists are primarily made with, which would make a vendor-generated whitelist using the same technique rather pointless…

next is the idea of building a system to automatically execute samples and perform baseline comparisons to see if the sample compromised the system… and of course this has to be done on a scale sufficient to handle the rate at which sample files are produced (otherwise whitelist vendors wouldn’t be able to keep up, much like av vendors supposedly aren’t able to)… but have you looked at bit9’s (a whitelist vendor) figures? av companies already augment their small armies of malware analysts with automated methods of determining what’s bad, and old methods like this are almost certainly among them… if the av vendors can’t keep up with the malware then what hope do whitelist vendors have of keeping up with the goodware when its production rate is (necessarily) several orders of magnitude greater than that of malware? there are all kinds of capabilities peculiar to traditional av companies that whitelist vendors could try to replicate in-house, but the scale of the samples they have to deal with makes it impractical for them to do anything other than replicate the blacklisting capabilities in full in-house, and that would mean they would still be using what the general population considers av - it would just be their own…

a third option cdman mentions is using technology like that developed by mandiant… whitelist vendors are unlikely to develop such capabilities in-house when it’s almost certainly cheaper to buy products/services from others who’ve already developed those same capabilities, but let’s hope in this case they stay away from such ethically questionable companies as mandiant… bad enough that mandiant hires people whose marketability in security is thanks in no small part to their past efforts at making the problem worse, but to then turn around and have some of those same people do essentially the same thing in the company’s name at an event like race-to-zero smacks not just of some lapse in HR’s judgment but rather of an alignment of moral compasses… perhaps i’m in the minority here, but if a whitelist vendor gets in bed with a company like mandiant i wouldn’t touch them with a 10 foot barge pole…

second to the beef about what whitelist vendors would do without av software was cdman’s beef with randy’s understanding of what actually constitutes a whitelist… i have to admit that my first impression on reading the statement that the TSA implements a whitelist was one of confusion… the most widely known (and reviled) measure the TSA implements is the no-fly list, which is fairly obviously a blacklist… i actually left a comment on randy’s original post expressing my confusion, but literally as i was writing it, it dawned on me that there were other measures implemented by the TSA, such as the newly revised rules for flights which basically require one to be granted permission in a 2-stage process before one can fly… of course, as i write this i’m reminded of the various trusted traveler programs that schneier has written about on occasion - those are also whitelists…

despite all the disagreement, though, in the end cdman and randy are actually in agreement about the role of whitelisting - it’s simply another layer… both think it’s got its strengths and its weaknesses, areas where it’s more applicable than others, etc.… however, i think randy has once again distilled a complicated topic into a simple analogy when he compares the folks who say whitelists are the end of av with airbags calling seatbelts obsolete… what a clever way to say they’re full of hot air…
