Tuesday, May 20, 2008

The Future of Desktop Security - Part 2 - Alternative Technolgies

This is the second of the four part series on the future of Desktop security. In the first part, I argued that traditional signature based anti-virus technologies are a passé. I presented various factors that are likely to influence the downfall of traditional signature based anti-virus technologies. In this article, I present some of the alternative technologies that individuals and security managers will have to become aware of. These technologies, some of which are just emerging will complement traditional anti-virus technologies. Many mainstream anti-virus companies like Symantec, McAfee have started bundling some of these features on top of their traditional offerings.

Heuristics - Understanding the static and run-time behavior
Heuristics simply means a rule-of-thumb. Many anti-virus softwares employ heuristics to "study" malwares to understand their behavior and potency. As discussed in part 1 of the series, polymorphic and metamorphic viruses alter their code structure dynamically. Thus, they show structural changes between two instances. Anti-virus softwares sandbox (descirbed below) the malware and trick them to execution. These software then employ heuristics by applying fuzzy algorithm to study the properties of the polymorphic viruses at run-time.

A milder form of hueristics called passive hueristics is employed by anti-virus companies where they parse the code statically and apply heuristics to deduce the potential of a virus. One such technique is the use of Markov Chaining and variants of Markov Chaining, which probabilistically tells if a given piece of altered code might bear the resemblance of a known family of metamorphic virus.

Heuristics is the anti-virus community's answer to metamorphic viruses which are the most potent class of virus to exist to date. However, as I argued in Part 1, the effectiveness of using heuristics is questionable. Many authors have argued that only 30% of metamorphic virus forms can be identified by this technique. Another side-effect of this technique is the raise of false-positives.

Behavior Blocking/Intrusion Detection (IDS)
“When meditating over a disease, I never think of finding a remedy for it, but, instead, a means of preventing it."—Louis Pasteur (1822-1895)

Rather than wait for a new virus to emerge, propagate, destroy and then come up with a solution, intrusion detection technology shields a host (be it a computer or an entire network) and actively monitors every single operation. When a virus is about to unleash itself, these intrusion detection systems throttle and quarantine them, thus effectively diffusing the problem before they occur.

To understand this better, the following illustration shows the difference between how an Anti-virus technology and an Intrusion Detection technology handles a potential security problem. Imagine a malicious person trying to rob a local bank. In most situations the local bank would report the incident after it has occurred to the police who would then study the forensic, go after the clues the robber had left behind and then nab him. This is exactly how Anti-Virus technologies work.

Think of an alternative way. Imagine commissioning a secuirty-guard whose keen eyes are trained to capture the thief even before he has performed the action. For example, such a guard could look for patterns such as, “Does any person wear a mask? Does he appear to be loaded with a rifle? Does this person appear to be in a hurry?” etc. The idea here is that to a well trained eye, such activities raise alarms which can prevent the robbery even before it has occurred. This is what Intrusion Detection systems do in principle.

Two subclasses of Intrusion Detection are available - Host Intrusion Prevention Systems (HIPS) and Network based Intrusion Prevention. Since, this article is about Desktop Security, I would like to limit the discussion to HIPS. The biggest problem with such Intrusion Detection system is that they raise lot of false alarms. The vexing question is how do you guarantee that all genuine transactions are allowed? The problem with Intrusion Detectors is that they block several genuine operations and ask for validation. This makes these systems less reliable, noisy and cumbersome to use. One solution to alleviate this problem is the White Listing technology which is explained later.

Technical Note
: The term Behavior Blocking and/or System Firewalls are equally applied to HIPS technologies.

Threat Scoring
One of the major limitations of most behavior blocking softwares is that when they analyze the behavior of processes, they do not classify them into high-medium-low risk. Consequently, when the user is alerted of the operation, he/she is clueless as to what action to take. This gives raise to lot of false positives and the user incorrectly allows or denies the operation. A better way to score the behavior is to classify them according to the risk potential. Going by the bank theft analogy, it is one thing to say that the potential thief is wearing googles and hoodie or that he is reaching out his inner jacket (probably to draw his gun??). It is another thing to say that because the potential thief has done the above action and his profile looks such and such, I rate him as highly suspicious or moderately suspicious. Threat level scoring helps users take much better decisions.

Black Listing and White Listing Techniques

Anti-virus products maintain a list of malicious programs to compare against. They maintain either the signature of the malware or the the hash (MD5, SHA256) of the actual malware. This list has come to be known as the Black List.
Most IT security managers worry about preventing malicious programs from entering their territory. But, the fundamental question is why are IT managers even bothered about the malicious programs? Let us face it, if you wish to enter a corporation today, you are asked for an ID and are required to prove your genuineness. Corporate IT security managers do not have the social obligation of say a public park manager to allow just about anyone inside.

Consequently, corporate IT security managers should focus on allowing only the known good programs rather than focusing on preventing the bad ones. This is a fundamentally different approach and requires a very different mind-shift. The technology behind it is called the white listing technology which is the exact opposite of black list. i.e the signature and/or the hash (MD5, SHA256) of the good programs are maintained in a list. During execution time, only those programs that are part of the white-list will be allowed for execution.

Managing the Gray List and the Power of Peer Review
The question at this point is, as an IT security manager, do I know all the good programs ahead of time? Certainly not! This leads to a class of programs that is neither good, nor bad, but are unknown (sort of in limbo – aka the gray list). The unknown programs fall under the category of “I am bad until proven otherwise”. How do you manage those programs that fall under this gray list category. One alternative is to give up and ask the user instead. This assumes that the user is aware of the program and is intelligent enough to take a decision. Another side effect of asking the user is the intrusiveness associated with it.

One of the popular techniques is the use of social networking. For example, peer-reviews are one option by which the classification of gray programs can be administered. If more users rely on an "unknown program", then it is perhaps benign to allow such programs for execution. This is exactly the same approach that popular websites like Google, Wikipedia etc take. While one might argue the effectiveness of peer-reviews and social networking, collectively, there is no denial that such techniques will work. According to Surowiecki (2004), the decision making of a group is often better than that of individual users. Thus, often times managing the gray list via peer-review is better than asking the user for a decision.

Firewalls
The term firewall refers to a barrier enacted to prevent intruders from entering your network or the personal computer. Firewalls are classified into Network Firewalls and Process Firewalls. A network firewall prevents unauthorized external traffic from accessing internal resources and vice-versa. Process firewalls on the other hand allow/deny new processes from getting created. Network firewalls limit their scope to network connections, whereas process firewalls limit their scope to process creation time. Thus, they are different from IDS systems (such as HIPS) describe above in that HIPS monitors processes actively. For example, a HIPS program might allow a process to be started, but can control an operation (such as registry write) at run-time- thus offering fine grained control.

Note
: Sometimes the term Personal Firewalls are applied to that class of network firewalls that are installed on host (personal) machines. ZoneAlarm (Free Edition) is an example of a personal firewall that protects the host from attacks from outside entities.
The term system firewall is also applied to HIPS!! Apparently, there is lot of clutter around various terminologies. The lack of standards has given room to lot of marketing muddle with various vendors staking a claim flexing and bending the definitions.

Sandboxing/Virtualization
Sanboxing is the technique of isolating the process and let it run within a virtual container. Sanboxing is not a new technique nor is it used solely for security reasons alone. Popular applications such as VMware, Java's applet technology, .NET all run with certain sanboxing capability. The administrator can specify the right security policy such that applications that run within these virutal containers can (or cannot) interact with the host system and the network to which they are connected to.

Therefore, in theory, the potential for damage done by any application is limited to the virtual container alone- which in most cases can be rebuilt with ease. Futhermore, sanboxing is somewhat similar to behavior blocking in the sense that all sanboxes will have to monitor for behavior at run-time and enforce policies at run-time. However, unlike behavior blockers, sandboxes limit the exposure to a virtual container. This introduces additional layering of resources (memory, filesystem etc). This tend to cause process execution delays.

Note
: The term virtualization is often used with sanboxing technologies. Several emulators (hardware, OS etc) fall under this category.

Anti-Virus Technology Comparison Chart (Scroll below):













































Action


Strength


Weakness


Scope of Monitoring


Intrusiveness


Examples


Signature Based Anti-Virus


Passive


Omnipresent, Effective against static malwares


Ineffective against polymorphic and metamorphic viruses


Files, Memory


Low


Symantec, AVG, McAfee, Kaspersky etc


Heuristics


Proactive


Can detect known family of viruses


Moderately successful against unknown family of viruses


Processes


Low


Symantec, AVG, McAfee, Kaspersky etc


Behavior Blocking (IDS)/HIPS/System Firewalls


Proactive


Can detect all intrusive behavior


Very
noisy. Weak decision making intelligence.



Cannot detect static viruses


Processes- Full lifecycle


High


DriveSentry, PervX, FireStorm, WinPooch


IDS With Threat Level Scoring


Proactive


Aids in user decision making


Moderately noisy


Processes- Full lifecycle


Moderate


DriveSentry


IDS with Threshold Based Threat Level Scoring


Highly Proactive


Very Low Intrusiveness




Processes- Full lifecycle


Low


DriveSentry


Process Firewalls


Proactive


Monitors processes at startup


Not granular enough


Process startup time


High



Personal Firewall


Somewhat Proactive


Monitors network processes and traffic


Does not cover all processes


Network Processes Startup time


Moderate


ZoneAlarm, Norton Personal Firewall


Anti-Spyware


Proactive


Effective against spywares (tracking cookie etc)


Do not supplement traditional anti-viruses


Mainly web (browser) based processes


Low


Microsoft Anti-Spyware, ePestControl,AVG


White Listing


Proactive


Improves system integrity


False positives


Files


Moderate


Bit9, DriveSentry


Gray Listing (With Peer Review)


Proactive


Improved decision making


Reliance on external user’s knowledge


Files


Low


DriveSentry


Sandboxing/Virtualization

Passive


Robust security


Slows down system performance, additional licensing cost


Virtual Memory


Low


VMWare

No comments: