Reply to post: Should be used but isn't

Considering application whitelist tryst? NIST will help you clear the mist

Henry Wertz 1 Gold badge

Should be used but isn't

I have the feeling this will not be used much. I mean, look at "obvious" use cases where it isn't.

Slot machines? They're very secure, and the sole device type I know of that most definitely does use whitelisting among other security. I've seen one boot (it's very verbose so, in theory, the casino owner could watch for irregular boot messages); the BIOS was mildly customized to check the bootloader for tampering before loading and running it; the bootloader checked the BIOS and the stage 2 loader for tampering; stage 2 checked the bootloader and Linux kernel and initramfs. The Linux kernel initramfs verified everything it ran was on some list, and the slot machine software was on that list. The slot machine software ran some further self-checks to check for tampering.

ATM machines? Obviously don't do this, or (even if it were running Windows) the ATM malware that Windows-based ATMs seem to get again and again would not be able to run. Those crappy electronic voting machines they had a few years ago? Nothing. Signage computers? Nothing. Those PC-style cash registers typically net-boot, but then aren't actually prevented from running other software. Various PLC systems, and other single-use systems, you've read about them on El Reg every now and again getting waves of viruses over them -- which is partly on Windows just running things just because, but also indicates they don't use a whitelist either.

I'm just saying, if a vendor of a single-purpose device (that uses a PC) can't bring themselves to use a whitelist, I doubt this'll be used widely, even though it's a good idea.
