I just got back from the Digital Bond SCADA Security Scientific Symposium (S4) where I presented on whitelisting.

Whitelisting is the “hot new” host intrusion prevention system (HIPS) technology that some tout as the end of the anti-virus (AV) era. Anti-virus of course works by producing a “black list” of virus signatures. If data or a file matches a signature, the AV technology takes some sort of action to protect your system – anything from a popup alert to blocking execution and quarantining or removing the offending file. Whitelisting application control takes the opposite approach – application control technology has a “white list” of signatures of allowed executables. Any time you try to run a program or OCX or DLL, that executable’s signature is recalculated and compared to what the approved signature for that program is. Unapproved software or software that’s been tampered with is triggers an action – anything from a popup alert to blocking execution.

The big buzz about application control is that it catches zero-day attacks. That is – it allows only approved software to run, and so any new attack software or virus won’t run because of course it is not on the approved list. So application signing/control has value, but it is not a silver bullet. Application control detects attacks that AV and other HIPS technologies cannot detect, but there are attacks like buffer overflows, SQL injection and cross-site scripting that tools like AV do detect and are (so far) not addressed by application control.

But is it safe? When AV technology was first applied to process control systems (PCS), lots of stuff broke. Stuff broke to the extent that AV was not safe to deploy on the world’s control systems of the day. Today, many vendors have adapted to user demands and do support the use of AV with their latest versions of control systems. Those vendors have figured out how to work with and how to configure AV systems to safely protect control systems. Today, application control technology promises to catch unauthorized executables, and does so using many of the same kinds of “intrusive” kernel hooks as real-time AV solutions use. Does application control have the same kinds of problems as AV had?

To find out, we thought we’d run some simple tests on application control solutions to see if they affect the execution of programs in ways comparable to AV technologies. So we ran the four solutions from:

• Lumension,
• Bit9
• Savant Protection, and
• Stegosystems (beta)

to see what the impact on a control system might be. And we repeated the tests on a vanilla Windows XP SP3 running the latest Symantec anti-virus product as well.

The first three vendors had mature product lines that have addressed the biggest concerns that arose when early adopters applied application control in enterprise settings. All three have management servers to ease the process of managing lists of signatures and allowed software across patches and software installs, where you want new software to be able to run on managed machines. Bit9 boasted “the world’s biggest database of signatures and reputations” on the internet, to make it easier to figure out what kind of software you want running on a desktop. Lumension has its own signature server “in the cloud” and boasts the first tight integration between AV and application control technology in a defence-in-depth solution. Savant has integrated their application control with a “tamper prevention” component that prevents most applications from changing executable files or writing new executable files. Stegosystems is a technology start-up with a new twist on application signatures, and they do their signature checking in real time, at every system call, which lets them detect memory-only exploits like buffer-overflows.

So with a combination of mature solutions and one bleeding-edge solution, we ran our tests. We ran four tests, each 100 times:

• RTAP start/stop – we started and then right away a minimal PCS using Industrial Defender’s own RTAP technology, including a real-time database, a process historian, an alarm serevr and so on. This is an example of a lot of complex system calls and real-time systems setup and teardown.
• dir – we ran the DOS “dir” command, an example of a very small executable with almost nothing to do.
• 60 MB copy – we copied a 60MB file from one place to another repeatedly, an example of an in-cache filesystem and input/output intensive operation.
• Compress – we repeatedly compressed the 60MB file, an example of an integer and I/O intensive operation.

Our tests showed that application control introduced new execution latencies of up to tens of milliseconds for short processes and up to 1-2% for longer-running processes. These new latencies are pretty much equal to or slightly less than new execution costs introduced by AV solutions. This makes sense, because application control introduces new execution paths into existing executables just like AV does, but checking an executable’s checksum/signature should cost less in the long run than running an executable against a possibly large number of AV rules.

.

In addition, we observed one compatibility problem that we figured out how to correct, but as a result wound up repeating the “copy” test on different and faster hardware. We also observed that product installation for some of the products took a long time and a lot of resources – more than a running PCS could afford.

The bottom line is that application control adds value on the HIPS side of defence-in-depth. Application control catches stuff that AV can’t, and AV catches stuff than application control doesn’t. To take advantage of application control though, end users are going to have to push their vendors to start testing with and supporting application control solutions, just as the vendors are being pushed to support AV solutions. The new execution paths and the new latencies mean that there is risk applying application control solutions to process control systems without vendor support, and it is the vendors who have the means and the test beds to address those risks, just like they’re doing for anti-virus technologies.

For more information, check out the full paper (here).