Application Whitelisting

So to build an application firewall you would have to go to the heart of applications, and this would be the "process".
Every running process has a PID.
So you would need a whitelist of allowed processes and somehow auto sigHUP any not on the list.
 
So you would need a whitelist of allowed processes and somehow auto sigHUP any not on the list.
No, it should prevent the process from executing in the first place. That means diverting execve(2) and any other call that's able to start processes. But it's not going to be easy. What if applicationX is allowed and applicationY isn't, what's stopping me from simply renaming Y to X?
 
There's something similar on Windows that I'm using on my Windows client computers. It's called AppLocker. Before running the application, the AppLocker service checks the hash of the application and the application certificate, and if it matches the allowed list then the user can run it; otherwise it's blocked, so even if you rename the application from Y to X it will still have the same hash. If you modify the content of the binary, for example add some garbage to the end, then you will break the application certificate and again you will not be able to start it. It's hard to monitor all the different versions of a specific piece of software; that's why using only the application certificate restriction is enough, for example you can tell it that only applications that have a valid M$ certificate can be started.
 
Yeah, hashes would definitely prevent the rename trick from working. But this poses new problems: you have to manage those hashes somehow. With fixed binaries this is fairly easy, since the same binary runs on all computers. But with open source even a small change in compiler options can result in a different hash. So you would need to fix them during ports building and add those to the package. But that means I could build a rogue package that changes the hashes. Signing might also be a solution, but that also has problems if you build from ports.

The idea isn't new but it's going to be difficult to implement this for open source systems.
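The two points made above (the AppLocker post: a content hash survives a rename but not a modification; the last post: the hash list itself must be protected against a rogue package) can be shown together in a small model. This is an added example, not code from the thread or from any real whitelisting tool: it builds an allowlist of SHA-256 content hashes for constructed fake "binaries", checks a renamed copy and a tampered copy against it, and wraps the hash list in a keyed-hash (HMAC) manifest as a stand-in for the package signature the last post mentions. The file contents, the key, and the manifest format are all invented for the demonstration; a real build system would use asymmetric signatures rather than a shared HMAC key.

```python
import hashlib
import hmac
import json
import os
import shutil
import tempfile


def sha256_of_file(path):
    """Hash a file's contents in chunks; the file name plays no part in the result."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(paths):
    """The allowlist is a set of content hashes of the approved binaries."""
    return {sha256_of_file(p) for p in paths}


def is_allowed(path, allowlist):
    """Decide by content hash only, so renaming a file cannot change the verdict."""
    return sha256_of_file(path) in allowlist


def sign_manifest(allowlist, key):
    """Wrap the allowlist in a keyed-hash manifest so edits are detectable.
    Assumption: a shared HMAC key stands in for a real package signature."""
    body = json.dumps(sorted(allowlist)).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"hashes": body.decode(), "tag": tag}


def load_manifest(manifest, key):
    """Return the allowlist only if the manifest tag verifies; reject tampered lists."""
    body = manifest["hashes"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        raise ValueError("manifest signature mismatch")
    return set(json.loads(body))


def demo():
    """Constructed scenario: two fake files stand in for applicationX and applicationY."""
    workdir = tempfile.mkdtemp()
    try:
        x = os.path.join(workdir, "applicationX")
        y = os.path.join(workdir, "applicationY")
        with open(x, "wb") as f:
            f.write(b"\x7fELF fake body of applicationX\n")  # constructed content
        with open(y, "wb") as f:
            f.write(b"\x7fELF fake body of applicationY\n")  # constructed content

        key = b"constructed-demo-key"
        manifest = sign_manifest(build_allowlist([x]), key)  # only X is approved
        allowlist = load_manifest(manifest, key)

        results = {
            "x_allowed": is_allowed(x, allowlist),
            "y_allowed": is_allowed(y, allowlist),
        }

        other = os.path.join(workdir, "other")
        os.mkdir(other)

        # Rename trick: a copy of Y called "applicationX" keeps Y's hash, so it stays blocked.
        disguised = os.path.join(other, "applicationX")
        shutil.copy(y, disguised)
        results["renamed_y_allowed"] = is_allowed(disguised, allowlist)

        # Tampering: appending garbage to X changes its hash, so the patched copy is blocked.
        patched = os.path.join(other, "applicationX-patched")
        shutil.copy(x, patched)
        with open(patched, "ab") as f:
            f.write(b"garbage")
        results["patched_x_allowed"] = is_allowed(patched, allowlist)

        # Rogue package: adding Y's hash to the manifest without the key fails verification.
        rogue = dict(manifest)
        rogue["hashes"] = json.dumps(sorted(allowlist | {sha256_of_file(y)}))
        try:
            load_manifest(rogue, key)
            results["rogue_manifest_accepted"] = True
        except ValueError:
            results["rogue_manifest_accepted"] = False
        return results
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The hash check is deliberately name-blind, which is what defeats the rename trick; the manifest check is what turns "a rogue package could change the hashes" into a detectable failure rather than a silent bypass. Neither piece addresses the execve(2) interception point from earlier in the thread; this only models the decision logic that such a hook would consult.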
 