Bouncer: Going Beyond Whitelisting

A few weeks ago I spent an intriguing afternoon in the basement of Dan Teal, Founder and CTO of CoreTrace. While that might sound as though we were reviewing his private treasury of Civil War memorabilia, or his collection of antique farm implements or whatever, he was actually giving me a demonstration of Bouncer, the product he and his team at CoreTrace have built. He just happens to be able to do that from home, and it was more fun than simply sitting in the boardroom and watching a canned demo.

The Role of Whitelisting

So what is Bouncer? I’m tempted to refer to it as a whitelisting capability, but to be honest it goes beyond whitelisting, and it heads off in a direction of which I approve. So let’s begin this by discussing whitelisting and the real reason for The AVID Campaign that I ran for 18 months, until the AV industry was forced to take notice and change direction.

The AVID campaign was a drumbeat aimed at repeatedly drawing attention to the fact that the primary IT security product, AV software, was inadequate and, moreover, based on the wrong idea. Because I needed to run the campaign as a drumbeat, I rarely came right out and made the “defining point”. The defining point about IT Security is this.

You cannot break into a computer from a remote location and achieve anything at all without executing a process.

It’s also almost impossible to do anything without executing a process, even if you’re actually in the same room as the computer, but at least then you have the added possibility of physically taking it apart and, depending on how the computer works, you may be able to get at data somehow. Remotely you have no chance whatsoever without executing a process. Period. It really is that simple.

And consequently, in order to prevent intruders from doing dastardly things directly (or indirectly through viruses), what you need to do is authenticate the software that is allowed to run and let nothing else run. Anti-virus is a poor IT Security solution because it doesn’t do that. Instead it tries to spot software it thinks is bad. Anti-virus comes from a bygone era and that is where it belongs. It is not enough to just recognize rogue software.

Neither is it enough to add behavioral recognition to AV software. That will improve things quite a lot, because it will trap a good deal of the rogue software that standard AV will miss, but unfortunately many legitimate parts of the operating system can themselves be used to do dastardly things. We have to do better than that.

So we come to whitelisting. Whitelisting is the implementation of software authentication. You start by authenticating a clean version of all the software you intend to use, and then you don’t let any other software run, except in a sandbox, until it has been authenticated. There are different approaches to whitelisting, but the differences are in how you implement it and how you authenticate the software. From a theoretical standpoint, all whitelisting products take the same approach.
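As an added illustration of the whitelisting model this paragraph describes: the example below is written for this post and is not CoreTrace's Bouncer or any vendor's code. It identifies each executable by the SHA-256 of its contents (never by its filename), approves everything hashed during a clean baseline, confines any unknown hash to a sandbox, and lets a reviewer authorize or revoke a hash later. The binaries, hashes and the `WhitelistPolicy` object are constructed for the demo.

```python
"""Hash-based software allow-list with a sandbox for unauthenticated binaries.
Added example for this post; not Bouncer's code. All inputs are constructed."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

ALLOW = "allow"      # hash is on the approved list: run normally
SANDBOX = "sandbox"  # unknown hash: run only in the sandbox until authenticated


def sha256_of_file(path: str) -> str:
    """Identify an executable by its content hash; the filename is never trusted."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class WhitelistPolicy:
    """Approved hashes plus the hashes currently quarantined in the sandbox.
    Kept as its own object so the policy, not the endpoint, owns the decision."""
    approved: set = field(default_factory=set)
    pending: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def baseline(self, paths):
        """Authenticate a clean install: every binary hashed now becomes approved."""
        for p in paths:
            self.approved.add(sha256_of_file(p))

    def decide(self, path: str) -> str:
        """Allow an approved hash; anything else is confined to the sandbox."""
        digest = sha256_of_file(path)
        if digest in self.approved:
            verdict = ALLOW
        else:
            self.pending.add(digest)   # idempotent: repeat launches stay quarantined
            verdict = SANDBOX
        self.audit.append((os.path.basename(path), digest[:12], verdict))
        return verdict

    def authorize(self, digest: str) -> None:
        """The security group reviews a quarantined hash and approves it."""
        self.pending.discard(digest)
        self.approved.add(digest)

    def revoke(self, digest: str) -> None:
        """Withdraw approval; the binary drops back to sandbox-only on next launch."""
        self.approved.discard(digest)


def demo():
    """Constructed scenario: baseline one clean binary, then launch a modified copy."""
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "app.exe")
        with open(clean, "wb") as f:
            f.write(b"MZ\x90\x00 constructed clean binary v1")
        policy = WhitelistPolicy()
        policy.baseline([clean])

        # Same program, different bytes: the name alone proves nothing.
        modified = os.path.join(d, "app.exe.new")
        with open(modified, "wb") as f:
            f.write(b"MZ\x90\x00 constructed clean binary v1 + unreviewed change")

        verdicts = [policy.decide(clean), policy.decide(modified)]
        # After review the new build is authenticated and leaves the sandbox.
        policy.authorize(sha256_of_file(modified))
        verdicts.append(policy.decide(modified))
        # Revocation sends it back to the sandbox on the next launch.
        policy.revoke(sha256_of_file(modified))
        verdicts.append(policy.decide(modified))
        return verdicts, policy


if __name__ == "__main__":
    verdicts, policy = demo()
    for entry in policy.audit:
        print(entry)
```

The audit list is the part a security group actually watches: every sandboxed launch is a hash nobody has authenticated yet, which is either a pending software update or something that should never have arrived on the host.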

Bouncer and The Globalization of Permissions

Bouncer is too complex a product for me to describe in a single posting, so just think of it as a whitelisting capability and I’ll describe three elements of it which I find impressive and which take it a little further than whitelisting normally goes.

  1. Bouncer is designed as if it were an invisible rootkit that is injected into the OS at the highest priority point and the earliest possible point after boot-up. Basically it is designed to get in before anything else can and to be invisible in every way. You will never know it is there and (in theory at least) it will never show up in any diagnostics of any kind.
  2. Bouncer implements its sandbox and its whitelist directly by controlling and enforcing permissions. Bouncer can prevent all other processes from making changes to permissions. It can have total control. In other words it owns the local permission system completely and cannot be usurped.
  3. Bouncer runs from sealed servers which self-protect and which can be configured to run in a fault-tolerant manner. It thus enforces a complete separation of concerns. You could say that, in a kind of metaphorical way, it virtualizes and globalizes the permissions system so that the IT Security of a network can be defined as a set of policies that are implemented by a separate system that oversees the corporate network.

So is Bouncer a whitelisting product? I’d say not. It’s more like an IT Security platform and it marks out the direction in which I believe other whitelisting products will inevitably evolve.

  1. Chris@Canada
    July 11th, 2008 at 08:46 | #1

    This is a very interesting concept – I’d love to get more details on it. At the same time, I can’t help but wonder about the whole notion of having this tool inject itself into the OS kernel during boot-up and doing so in a way that “ensures” it being the first one there – I’d love to see how it can be done reliably and consistently, considering it would be the same goal for other rootkits.

  2. john kimball
    August 25th, 2008 at 11:58 | #2

    It sounds nice to only allow authorized processes. Who decides what is authorized?
    What are the authorization criteria?
    How is the authorization implemented?
    Who can configure the authorization criteria?
    How are the authorization criteria updated?
    etc., etc., and etc.

    Need much more detailed and clarifying information before deciding on the appropriate implementation of whitelisting, including CoreTrace, Bit9, etc.

    Where can a comparison of whitelisting vendors’ products be located/found?

  3. Admin
    August 25th, 2008 at 12:19 | #3

    Right now I know of no existing comparison of products, but most of your questions are answered in the same way for most of these products. Who you designate as the authorizer is up to you, beyond the initial implementation of a clean-room version of Windows (or other OS), which will authorize about 6000-7000 processes. The process for authorization is usually configurable with these products according to how you want to proceed. Because you can put a sandbox around any computer or user, you can have many strategies.
    I run a Mac. It always asks me for permission (admin password) whenever I try to run anything that has never been run before and didn’t come with the native OS. I always know what the executable is and where I got it. If you want to get very sophisticated you could use digital signatures direct from the software vendor for authorization.
    It should not be up to the vendor to impose an authorization process, it should be up to the security group to build one. The whitelisting vendor should merely enable.
