(IJCSIS) International Journal of Computer Science and Information Security,Vol. 9, No. 2, February 2011
APPROCHESBasically, there are three major approaches for lockingdown client applications; blacklisting, whitelisting andgraylisting.
This approach applies the security premise “what is notexpressly defined to be prohibited must be allowed”. So in thisapproach only those applications that have been defined to beunwanted, the blacklist, will not be executed, all otherapplications will be allowed to run. Clearly this approach willnot defend against malicious applications not previouslyidentified in the blacklist.
This is the reverse approach to blacklisting, it applies thesecurity premise “what is not expressly defined to be allowedmust be prohibited”. Application whitelisting is emerging asthe security technology that gives a true defense-in-depthcapability, filling in the gaps that anti-virus was never designedto cover. Application whitelisting is characterized by theability to identify authorized executables and associated filesand to treat as an attack any program or file that is not on theauthorized whitelist. Recent advances in applicationwhitelisting, including automatically approving files fromtrusted sources to reduce administrative overhead or allowingend-users to personalize their endpoint for greater useracceptance, has made application whitelisting an attractivechoice.Application whitelisting is a technique gatheringmomentum in commercial security systems. Most implementadditional access controls within the operating system to stopunauthorized programs from running. Products from companiessuch as CoreTrace , SolidCore  and Bit9  all useapplication whitelists to create a safer working environment.
This approach combines the previous two approaches; ituses three lists, while, black and a gray. This approach worksby focusing on valid whitelisting applications and allow onlythose applications to run. All the applications in the blacklistare not allowed to run. When an application is not in the whitelist or in the black list, it will be placed in the gray list forfurther justification. This approach uses software authenticationto reduce the problem of malware and other unwanted software.III.
(LALC)LALC is a graylisting solution that restricts applicationexecution on network Linux clients. The solution maintainsthree lists, a white list for applications that are authorized torun, a black list for applications that are solely prohibited and agray list for applications that are neither white nor black.LALC deploys client group restriction policy which allowestablishment of different client groups that have differentsecurity levels. For system flexibility LALC implements threesecurity levels, namely, Lockdown, Block-and-Ask andMonitor. In Lockdown level, only whitelisted applications areallowed to run. In Block-and-Ask a confirmation message forexecuting the application is sent to the user when theapplication is gray. In the Monitor level the gray applicationsare allowed to be executed without user confirmation. In allsecurity levels, the gray applications are added to the gray listfor later administrator analyses.
LALC is a client/server application. On the client side, webuild two components, a Loadable Kernel Module (LKM) tointercept client attempts to execute applications, and an Agentprogram which was designed to calculate the hash value of thedesired application file using MD5 algorithm and tocommunicate with the server. Although the Agent Moduleemploys MD5 algorithm but any other hashing algorithm canbe used instead.On the server side we build a Server program to receiveclient’s requests and to generate responses, and a ServerConfiguration Utility to allow administrators to manage clientgroups, security levels and application lists.
Two components are deployed oneach client; the Loadable Kernel Module (LKM) and theAgent.
The Loadable Kernel Module (LKM):
The LKM isbuilt based on the facts that; a loadable kernel module is apiece of code that can be dynamically loaded or unloaded fromthe Linux kernel, and once it loaded it becomes a part of thekernel . And Linux kernel dedicates a specific system call,namely execve, to handle client request to the kernel forexecuting a program file .LKM was designed to intercept client requests on behalf of the original execve, and to invoke the Agent. Based on thereturn value LKM may or may not allow original execve tohandle the client application.LKM comprises four functions; initialization(),custom_execev(), write() and read().
Initialization() :When LKM is loaded into the kernel itexecutes the initialization(). This function redirectsclient calls from the original execve system call to thecustom_execve function inside the LKM.Initialization() performs redirection by replacing theexecve address in the kernel table by the address of thecustom_execve(), and saving the original execveaddress. Also the initialization() prepares acommunication channel to the Agent process via a/proc file. It creates a /proc file and connect itsread/write operations with read() and write() inside theLKM. Also it creates two buffers to be used by LKMother functions, namely, Request Buffer and ResponseBuffer. Generally, /proc file system is a method usedfor communication between the kernel and userprocesses . Fig. 1 shows how LKM initializationfunction works.
38 http://sites.google.com/site/ijcsis/ISSN 1947-5500