Application Whitelisting as Malware Defence

I just finished reading an article on TechRepulic’s IT Security Blog which echoes my long-standing recommendation to maintain a “whitelist” for approved applications.

Michal Kassner, the author of the article, explains briefly the benifits that whitelisting could bring.  I want to talk a little more about an actual implementation.

The difference between approaches

Blacklisting and whitelisting are common in many IT scenarios. We use it for mail servers, server-to-server communication and even internet traffic in some proxy server implementations.

Blacklisting is definitely the more relaxed version of the two: either you or third-party you trust maintains a list of domains, hosts or addresses that are not trusted.  This list is usually tied to software of some kind that prevents users from accessing or receiving data or messages from entries on the list.

Whitelisting leans towards paranoia.  I’m not saying it’s necessarily bad, but it can certainly be restrictive.  Using the same approach of tying the list to software to protect users, only addresses on the list are allowed to be accessed or permitted into a system.

Depending on the level of security required there can be a mix of the two working together to protect users.

When to use which

We can’t just switch everything over to whitelists and expect the internet to hum along all tickity-boo (without problems).  Imagine your friend registers his own custom domain and sends you an email (from that domain) to check out his new site (on that domain).  First of all, you wouldn’t get the email.  Secondly, you couldn’t access the site.

So, generally speaking, we should use blacklists where we need wide unannounced access to resources that may be abused.  When and only if they are, the switch is thrown and the address is locked out.

Some examples of where using a blacklist can help a user without hindering their experience:

• Email servers pumping out spam
• Web servers serving malicious content

And, some examples of where you want ‘whitelist’ behaviour implemented for better security:

• Servers that only expect connections from certain IP addresses
• Configuration for your remote desktop
• Secure VPN access points (when the access points are fixed, such as office-to-office)

Personally, here’s a few other ways that I use these kinds of lists:

• RDP connections on my servers whitelist a central IP for access and by default block/ignore other connection attempts. These servers are on private IP addresses.  The central IP has external RDP sessions routed in on a specific port and the router is configured for only a handful of IP addresses.
• My children have whitelist-only access to the internet.  At age 3 they each got an account on the computer.  My wife and I approve only websites that we preview (lego.com for example).  We have google.com on there as well, which allows them to search, but if they want to access a search result they need our approval.

How applications fit in the mix

I think it’s important to recognize that we can’t anticipate every need of users in the IT space.  The job descriptions of people who use computers has grown so diverse that you are equally likely to find a chef who uses a computer every day as you are a computer programmer.

So can you rely solely on the work of a handful of people to approve applications?  What if one evaluator thinks that an application is malicious because of how it tracks your usage, whereas another finds it useful because it alters the behaviour of the application?

Who comes up with the criteria for whitelisting?  Who approves applications?  Who blacklists them?

Does the issue need to be a dichotomy?

Some of the above questions, to me, suggest that there should be “greylists” as well.  Using heuristics to evaluate software, as submitted by developers, greylists would allow applications to have a level of trust associated with them.  These apps could be sandboxed to protect users, and OS-level alerts could monitor these applications for excessive or abusive behaviours.

A case for whitelisting applications

I have worked with a good number of people who see a screen saver they like, or backgrounds, or icons, or mouse pointers and more recently email graphics and templates, and download and install these…treasures.  I have also seen an entire network compromised in an afternoon with zero-day malware hidden in a toolbar install.

Corporate networks should be configured to prevent the unregulated installation of software. Even as a software developer who likes to download and try out apps all the time, I try to only do so in a sandbox (virtual machine) unless I trust the application provider.

Corporate machines do not need anything installed on them except the software that enables an employee to do their job.  Mechanics don’t get waterslides near their workstations, likewise, we don’t need users installing Sudoku Extreme.

For home users it’s a little more difficult to lock down computers and I don’t feel as though they should be.  I would, however, like to see the implementation of whitelist providers, coupled with a local service that I can maintain.  This service should allow me to say “these users accounts can install these applications that are suitable for kids”.  If it’s not on the list I can add it to the list (as an administrator on my machine).  I could equally say, “these users can use these whitelists, and these users can use these greylists”.

Take it even further, now, and implement a system whereby the operating system alerts me when I’m launching a greylisted application whose signature has changed (suggesting the possibility of malware).  Give me the option to restrict file or network access to greylisted applications, or limit their access based on user type.

In a corporate scenario, you could allow management-approved applications on the workstations, and greylisted apps on virtual machines (where users have them).

Making it work for users

Ultimately what we’re doing now is broken.  Chasing malware that can move around the globe in hours is nearly a lost cause.  We haven’t seen any big outbreaks lately – I credit smarter users and more responsible operating system behaviour – there could be one coming.

The implementation must not break anything we’re already able to do, and yet provide more security than we currently have.

That’s a tall order.

Blog FTP Troubles

I’m working through an issue with publishing images right now and hope to be back online to continue my jQuery series in the next few days…

Thanks for the continued questions and comments as I work through all kinds of scenarios with ASP.NET MVC 2 and jQuery.

ASP.NET MVC and jQuery Part 4 – Advanced Model Binding

This is the fourth post in a series about jQuery and ASP.NET MVC 2 in Visual Studio 2010.

In my last post I covered the simple scenario of a Person object getting POSTed to an MVC controller using jQuery.  In this article, I’m going to look at three other, more complex examples of real-world model binding and where jQuery might fit in the mix.

The model binding scenarios I’ll cover are:

• Sorting a list with jQuery UI support and submitting IDs to the controller for processing.
• Using jQuery to augment the user experience on a list of checkboxes (supporting check all/none) and allowing MVC to handle the elegance on it’s own.
• Give users the ability to build a list of items on a complex object, then submit that object to an MVC controller for processing.

The entire working solution is available for download at the end of the file.

Preface

In the first two examples here I have lists of data that are statically programmed into the page.  From my earlier posts in the series you can see how easy it is to generate partial views that would drive the UI elements from a database or other backend.  For brevity, I’m leaving those elements out of this example.

Sortable Lists

The jQuery UI library provides the sortable() function which transforms the children of a selected element in the DOM to draggable, orderable items for the user to manipulate.

The sortable() extension also provides a mechanism for us to capture the order of the list via the toArray method.

Using the jQuery.ajax() method, we submit the results of the users’ efforts via post to a controller action.  For the purpose of this post, I’m not going to do any processing in the controller, but you can set breakpoints to see the data getting hydrated into the models.

Let’s start by setting up the controller action, which accepts a list of ints as a parameter to capture the order of the IDs.

Yes. It’s that simple.  Now, you’d likely want to do some processing, perhaps even save the order to a database, but this is all we need to catch the data jQuery.ajax() will throw at us.

The juicy bits in jQuery are as follows:

Note: In order to make the results of the array compatible with the binding mechanism in ASP.NET MVC (as at MVC 2.0) we need to use the ‘traditional’ setting in $.ajax().

There are a couple of interesting things to note here:

• jQuery.ajax() by default makes requests to the current URL via get.  My controller action that accepts the List<int> is the same name as the basic view.  I change the type here to POST and the proper controller action is called.
• The ‘toArray’ returns an array of the selected element IDs.
• My unordered list contains list items with IDs that represent the unique items.  In this case, they are integers stored as strings (by nature of HTML).
• The name of the list of IDs is passed in as the same name as the parameter in the controller action.
• When submitted to the controller, the MVC framework finds the appropriate method, looks at the expected parameter type and sees the array sent by the client.  It then uses reflection and parsing (and maybe some voodoo) to coerce the values into the expected parameter type.

We can then use the list of IDs as required in the comfort of c#.

One of the interesting things that you can do, as the List<int> parameter is an IEnumerable, is that you can use LINQ to Objects on these guys without any effort.  Thanks MVC Framework!

Submitting Checkboxes

How do you submit a list of the selected checkboxes back to an ASP.NET MVC controller action?  It’s all too simple.  In fact, the only reason I mention it here is to highlight some of the simplicity we inherit when we use the MVC Framework.

I actually laughed out loud when I figured this one out.  It’s that good (or, I’m that easily impressed).

For jQuery on this example, I’m only really going to use it to augment the user experience by providing a couple of buttons to check all or check none of the options.

We’ll use a standard HTML form and allow the user to select the items in a list they feel are appropriate.  The form will be submitted via POST to our controller action (named the same as the ActionResult for the original View) and our parameter will be automatically populated for us.

Some things to point out at this junction:

• The values on the checkboxes here are the same strings that are displayed in the labels.
• I have given all the checkboxes the same name. When submitted, MVC sees these as some kind of enumerable thing and will then try to bind based on that.
• Optimus Prime is not a Jedi.
• This the name used for the checkboxes is the same name as the parameter in the controller action.

Packing a Complex Model

What about if you have a complex type with properties that can’t be expressed with simple HTML form fields? What if there are enumerable types as properties on the object? 

Man, am I glad you asked! The ASP.NET MVC Framework is pretty smart about taking items off the client Request and building up your objects for you in the hydration process.

Here is my Suitcase class, with a List<string> that will contain all of the things that someone wants to take along on their vacation.

So how do we get those items into the object?  The first step is to allow users to create them.  We do this with a simple textbox and a button, rigged up to some jQuery script as follows:

When the user enters an item and clicks ‘Add to suitcase’ (or hits enter) we grab a reference to the textbox.  Next, we use jQuery.append() to create a new LI element with the contents of the textbox.  Finally, we clear out the value and return focus to the input field.

When the user is finished loaded up their bags, we need to create a data map that will be submitted.  To simplify the process a little, we’ll first get that list of clothes together.

We first create an empty array.  Next we use jQuery.each() to loop through all the returned elements – the list of LI elements that the user has created – and add the text of those LIs to the array.

Next, we POST the data back to the server:

Here are some observations:

• We’re POSTing and using the traditional setting so that the enumerated items are compatible with the current versions of jQuery and MVC.
• The names of the properties in the Suitcase class are the names of the values we use in the data map submitted by jQuery.ajax().
• As in the first example, jQuery.ajax() is posting to the default URL, which is the same URL as the view in this case.  In the controller we differentiate the action with the HttpPost attribute and, of course, the Suitcase parameter.

When the data is submitted we see this in the controller action breakpoint:

And the contents of the Suitcase.Clothes property:

Wrapping Up

There you have it: the basics of advanced…stuff. 

From here you should be able to work out most scenarios when building up objects in jQuery, submitting them to the controller and making a jazzier UI come together with jQuery UI while still using MVC in the backend.

Some things I’ve learned along the way:

• Remember to watch the names of your variables in data maps! They have to match the parameters (or member properties) of the controller action.
• If you’re having trouble getting things to submit and you’re not seeing any errors, try attaching FireBug in FireFox to the browsing session and see what’s happening to your requests/responses.
• Make sure that you’re sending the values of the jQuery selections, and not the objects themselves if you’re having trouble binding.
• Don’t send: $(“#my-textbox”)
• Send: $(“#my-textbox”).val()

Resources

• The complete solution for all three scenarios (download VS2010 solution)
• The rest of this series
• jQuery’s Website
• jQuery UI’s Website