Reply to post: Re: About time

Antivirus tools are a useless box-ticking exercise says Google security chap

Anonymous Coward
Anonymous Coward

Re: About time

"Adding application-whitelisting to an existing operating system is a lot easier than redesigning the entire system and hence can be delivered more quickly without potentially also requiring changes to the applications themselves."

OK, it keeps IT departments and whitelist-tool vendors busy. What real benefit does it provide, unless the underlying OS is also reasonably secure against "unauthorised code execution"?

"Security on those systems was intended to protect users from each other, not to protect users from rogue applications"

So close and yet so far.

Back in the day, there was data (files, memory, other objects), which generally had access protection, and code, which generally inherited the access rights of the user. Variations on this theme also existed.

Back in the day, the "application" concept didn't come into it much, except in certain special circumstances (e.g. involving a handful of known+trusted applications being granted SETUID to gain extra rights in particular circumstances, and similar such).

Back then, if Joe Public wants to 'run' a script, he gets to run a script, no whitelist needed, no damage possible (in most cases). The OS built in mechanisms prevent, protect, audit-log (etc) access (including failed access) to the data. The application is only allowed to access data the user can access (exceptions apply, see above).

Move forward two or three decades and that largely seems to have got lost somewhere.

The whitelist concept attempts to provide a figleaf for the IT manager and their department, whereas in actual fact it does nothing to prevent unauthorised code execution, let alone unauthorised elevation of privilege.

Authorisation and audit of who's using specific applications can, if necessary, be done a different way without being dependent on blanket whitelisting. E.g. by using the OSes security mechanisms to protect the executables/scripts/etc involved.

But hey, let's repeat the same learning process from thirty years ago and see how wrong we can get it this time. Looking pretty good so far, especially as we've got nice shiny GUIs and "management tools" to hide the underlying can of worms.

Windows NT 3.1 had most of this in 1993, btw. UNIXes (including Linux) too. And then along came "one computer = one user".

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019