Security Adviser | Roger A. Grimes » Control user installs of software

January 25, 2008 | Comments: (0)

Control user installs of software

TAGS: User behavior

Learn how to verify the status of applications and data without wresting all control over what users put on their hard drives

I've written many times over the years, including as recently as last week, that letting users execute and install their own software will always allow viruses, worms, and Trojans to be successfully installed. Traditionally, I've recommended that users not have admin or root access, that they let system administrators choose what software is allowed and what is blocked. But this recommendation breaks down for several reasons.

First, it doesn't cross over to home computers. Most home users are end-users and system administrators, all in one, even though they're the ones most likely to install malware. Businesses, in general, are less likely to run malware than the average home user because businesses enforce computer security, deploy anti-malware programs, and so on.

Second, I can't think of a single end-user who likes to have someone else decide what they can and can't run and install. I've probably had more hate mail and comments on this than on anything else (other than when I foolishly insult Mac or Linux users). If end-users want to install the latest Windows Media Player codec to watch the newest Paris Hilton waste-of-AV-time video, why not? Who cares if the codec is a Trojan that wants to steal their identity, right? Freedom comes with a cost! I've even had respected InfoWorld colleagues take me to task on this point.

An expert solution
One solution is not to have someone more knowledgeable about nasty software decide whether a particular program or downloaded content is malicious, but to automate the process. I'm not just talking anti-virus programs, which look at only binary signature comparisons and sometimes use heuristics to detect specific behaviors. I mean client-side software examining the program's or content's entire binary (think: cryptographic hash) and making an intelligent, informed decision before the content is executed or loaded.

Several personal firewalls, including ZoneAlarm, will check to see if a local program requesting outgoing network access is normally approved by other users. This is closer to what we need, but it covers only network access and around 100,000 applications. It doesn't prevent local execution, but that's to be expected for a firewall product.

SignaCert, which I've reviewed before, is developing a global file hash database, through which it hopes to catalog every executable file in existence. SignaCert excels at scanning computers to find known and unknown programs, and it's in possibly the best position to contribute to (or lead) the greater vision.

The greater vision
The greater vision is that all computers run a client-side program, potentially embedded in the operating system, that measures the cryptographic hash of all programs and content being downloaded to the computer. Before the program is run or the content loaded, the hash is sent to a global database on the Internet for analysis. The database has a list of programs and content, as well as their related cryptography hashes. Additionally, each registered program has been ranked by security professionals as to the program's security, privacy, and operational methodology. There can be several main categories, each with varying levels of trust, that developers work with. Think of it as kind of like Common Criteria, but with a broader scope.

The idea is that the global database can act as each end-user's personal security advisor and recommend a go or no-go decision. A simple end-user message might say, "This program has been found to collect personal identifiable information, redirect Internet browser searches to paid locations, make potentially malicious modifications to your computer system, and send collected information over outbound network connections to multiple servers. Its legitimate intent cannot be confirmed. Most users have chosen not to install."

Another program, having the exact same behavior, might come from a trusted vendor and be recommended for installation. But at least the end-user would know that the program modifies their system in readily transparent ways. This might encourage legitimate vendors from slipping in "phone home" features without making users aware of why they're doing it.

Media content can be verified not to have known backdoors, malicious scripting, or other unexpected consequences. By default, unregistered programs and content would not run, or they would be subjected to additional scrutiny and controls (for example, sandboxing). Many programs are digitally signed today, but users still don't know what they do.

It is unrealistic for most end-users to be as knowledgeable as a 20-year computer security expert. So doesn't it make sense for us to help innocent end-users, who just want to do their jobs and have a little fun with their computers, make informed decisions?

Because ultimately, we don't want to stop end-users from installing and running any programs they want -- just the bad ones.

Posted by Roger Grimes on January 25, 2008 03:20 PM

RATE THIS ARTICLE: