12-09-2005, 01:52 PM   #1
RobC
Security Based Project Idea

Ok. I finally have a worthwhile idea to pitch for the project. This one is security based and spurred on by the security article here, and in particular, this quote:

Quote:
One clear symptom that you have a case of "Enumerating Badness" is that you've got a system or software that needs signature updates on a regular basis, or a system that lets past a new worm that it hasn't seen before. The cure for "Enumerating Badness" is, of course, "Enumerating Goodness." Amazingly, there is virtually no support in operating systems for such software-level controls. I've tried using Windows XP Pro's Program Execution Control but it's oriented toward "Enumerating Badness" and is, itself a dumb implementation of a dumb idea.
How difficult would it be to write a program that monitors all code executed by the system? This would look at programs that run, etc and decide, based on a list of rules, what is allowed to run. Anything else would be prevented and logged with the ability to allow it if it is a legitimate application.

Not being a programmer, I don't quite know the implications of this task such as processor time, memory usage, etc. but I think this would be a very useful feature for schools. Certainly it would stand as a big barrier to spyware, malware, adware, etc, as well as stopping staff & pupils trying to install unauthorised applications.

Can someone tell me if this is possible, and whether it can be added to the (potential) features list for the Edugeek Project?

Cheers,

Rob.

12-09-2005, 01:57 PM   #2
russdev
Re: Security Based Project Idea

Well, the project (once I get my net connection sorted) is an admin's tool kit, in not so many words, and adding it as part of the project is not an issue.

As for the program side, I'm not sure; the problem is you have to make sure that it is very small, as it needs to run a lot if you think of the amount of work it is doing. For example, just do a task list to see the amount it would have to check before you start doing anything.

But it could be possible...

What do others think?

russ

12-09-2005, 02:02 PM   #3
Geoff
Re: Security Based Project Idea

Quote:
How difficult would it be to write a program that monitors all code executed by the system? This would look at programs that run, etc and decide, based on a list of rules, what is allowed to run.
Certainly on Linux systems, this is possible today. Playing with mount options is an obvious starting point. Then you can move on to more complex measures like Systrace, Tripwire and SELinux or GRSecurity.

Disclaimer: Here be dragons.

I don't believe this is possible on Windows at the moment. You need intimate support from the OS internals to do this kind of thing and it just doesn't exist.

13-09-2005, 07:13 AM   #4
russdev
Re: Security Based Project Idea

Was thinking about this; the problem is that you've got antivirus software that intercepts programs, and then this could slow the system right down...

russ

10-01-2006, 09:43 PM   #5
uk101man
Re: Security Based Project Idea

It is possible in VB to list all running applications, and with that information you could compare every title against a safe list and then close the program that is not on the list.

Tom

10-01-2006, 09:51 PM   #6
webman
Re: Security Based Project Idea

Quote:
Originally Posted by uk101man
It is possible in VB to list all running applications, and with that information you could compare every title against a safe list and then close the program that is not on the list.

Tom
Comparing by window title can sometimes be unreliable as there are no strict rules applications adhere to and can change regularly, but it is certainly possible and a lot easier on resources. AFAIK, this is how Ranger does it.

10-01-2006, 10:00 PM   #7
uk101man
Re: Security Based Project Idea

I would have to check my coding, but I think it is possible to pull the program's path and name, which I'm guessing you could use to check against a safe list.

10-01-2006, 10:52 PM   #8
E1uSiV3
Re: Security Based Project Idea

Using names as a basis for comparison is a bad idea; for instance, I could just rename a malicious piece of code to a process name that has been declared safe to run and voilà. MD5 sums of the EXEs would be more useful, but would need to be updated when the program version changes.

On a side note, don't Windows group policies have a similar sort of system for safe program execution (which uses the path system and invariably can be bypassed with the method above)?

10-01-2006, 11:05 PM   #9
webman
Re: Security Based Project Idea

@E1uSiV3: Yes, I know the exact GPO you are thinking of and it goes back to Win9x days, "Only allow the following programs to be executed" or similar wording. In Win9x it was possible to rename an EXE to something that was allowed, but as far as I know, the newer Win2K+ version of this GPO actually makes a hash of the file, which means that users can't rename EXEs they want to run - but secondly, when applications change, you must remember to re-do the hash of the EXE, otherwise it might not run at all.
  Reply With Quote
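
The trade-off raised in the two posts above (a name rule is satisfied by any file carrying an approved name, while a hash rule goes stale whenever an approved program is updated), as an added example that is not part of the thread or any poster's code. It uses SHA-256 rather than the MD5 sums mentioned in the thread, and the file names and contents are constructed placeholders.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash file contents in chunks so large executables are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def allowed_by_name(path, safe_names):
    """Name rule: trusts whatever the file happens to be called."""
    return os.path.basename(path).lower() in safe_names

def allowed_by_hash(path, safe_hashes):
    """Hash rule: trusts only content that matches a recorded digest."""
    return sha256_of(path) in safe_hashes

def changed_since_baseline(baseline):
    """Paths whose current digest differs from the recorded one (review after patching)."""
    return sorted(p for p, h in baseline.items() if sha256_of(p) != h)

def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Run both rules over constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "approved.exe")  # hypothetical file name
        _write(good, b"constructed stand-in: approved program, version 1")
        baseline = {good: sha256_of(good)}
        safe_names, safe_hashes = {"approved.exe"}, set(baseline.values())
        # Different content saved under the approved name in another folder.
        os.mkdir(os.path.join(d, "elsewhere"))
        renamed = os.path.join(d, "elsewhere", "approved.exe")
        _write(renamed, b"constructed stand-in: program nobody approved")
        results = {
            "renamed_passes_name_rule": allowed_by_name(renamed, safe_names),
            "renamed_passes_hash_rule": allowed_by_hash(renamed, safe_hashes),
        }
        # A legitimate update changes the bytes, so the recorded hash goes stale.
        _write(good, b"constructed stand-in: approved program, version 2")
        results["patched_passes_hash_rule"] = allowed_by_hash(good, safe_hashes)
        results["needs_rehash"] = [os.path.basename(p) for p in changed_since_baseline(baseline)]
        return results
```

Calling `demo()` returns the verdict of each rule; the `needs_rehash` list is what an administrator would review and re-approve after an update is rolled out.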

11-01-2006, 02:36 PM   #10
pete
Re: Security Based Project Idea

I have a nasty feeling that hashes + automatic patching = bad things.

You'd have to be able to easily check which system file hashes have changed, whether the change is legit (or not) and be able to push out the new hashes as part of the patching process.

Is anyone here using this function with success / beyond testing?

11-01-2006, 03:13 PM   #11
wesleyw
Re: Security Based Project Idea

I would have thought that the hashing for Windows system patches and the like would be fine; just the application software would be the issue? I suppose it depends on how much software you run and how frequently it needs patching. As long as you run the update then make the changes, I can't see a problem with that solution?

Wes

17-01-2006, 10:06 PM   #12
mac_shinobi
Re: Security Based Project Idea

Don't EXEs or any other file types that are able to run have digital signatures, or something to that effect, or possibly something else that allows you to determine if it is malware or not?

18-01-2006, 12:48 PM   #13
E1uSiV3
Re: Security Based Project Idea

Quote:
Originally Posted by gecko
Don't EXEs or any other file types that are able to run have digital signatures, or something to that effect, or possibly something else that allows you to determine if it is malware or not?
In theory, yes, but it's voluntary and no bugger uses it apart from Microsoft and a few other people.

The whole Windows patching issue can be avoided by adding a rule for the whole Windows directory, as it should be read-only anyway for Joe Public.

18-01-2006, 12:55 PM   #14
_Bob_
Re: Security Based Project Idea

Indeed. The trouble is you get naff educational software that insists on having write access to .ini files it installs in the Windows folder, despite the fact that it only ever reads settings from them.

18-01-2006, 02:49 PM   #15
mac_shinobi
Re: Security Based Project Idea

Asked a Q on EE, here is the URL:

http://www.experts-exchange.com/Prog..._21700066.html

Registration is free (at least there should be an option to register for free).

If not let me know and I can post back with the info.