Desktops Are Not A "Walled Garden"
A recent Ars Technica article <a href="http://arstechnica.com/business/news/2010/09/intels-walled-garden-plan-to-put-av-vendors-out-of-business.ars">talks</a> about Intel's acquisition of McAfee and its vision to migrate "from a known-bad model to a known-good model." It makes me wonder whether Intel really understands the strength of the Wintel software market.
The security industry has always had a tough time keeping up with the bad guys. Nearly all security software consists of a blacklist of file signatures and system behaviors that the software tries to recognize in order to determine whether the file is malicious. Intel is advocating a change to a whitelist, where only software known to be safe is allowed to run. Safe software could be recognized by a checksum of the file's contents, or by a digital signature applied by its creator.
Whitelists have been the dream of security professionals for years. The reason they have largely remained a dream is that they are impractical for an open PC platform. It is certainly possible to apply whitelisting to PCs; the technology already exists and companies such as Bit9 offer software and services to do it. In corporate environments where IT controls everything and users cannot install software, this approach can work. Yet it still has plenty of drawbacks.
Whitelists alone don't address exploits initiated through approved programs. If Adobe Reader or the .NET Framework are approved but have security holes allowing a remote attacker to control them, a basic whitelist approach will gladly let them have their way. Practical whitelist protection needs to incorporate other behavior detection and countermeasures to determine when a good program is going bad.
Whitelists are hard to maintain in an environment where software is changing quickly. In a corporate setting, where users shouldn't be trusted to override the whitelist decision, the IT department is on the hot seat. Nothing can run on those corporate PCs unless it's on the whitelist. There will be innocent programs blocked that don't deserve the cold-shoulder treatment, simply because they have never been seen before. If IT delegates the whitelist decision to a service provider, and a program isn't on the list, it may be very difficult to determine whether it's safe to override and allow the program.
One of the primary ways to determine whether a program can be trusted is the digital signature. It doesn't guarantee a lack of maliciousness in the software, or that it's free of security holes, but it does let you know who created the software. Code signing certificates cost several hundred dollars per year. That cost can be a hurdle for open source projects or small developers who are making free PC utilities as a hobby. Unsigned code can be accommodated by a whitelist system, but will usually require more scrutiny and time to approve.
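The two recognition rules and the maintenance problem described above can be seen in a small sketch. This is an added example, not code from Intel, McAfee or Bit9; the sample binaries, the publisher name and the `verified_signer` argument (assumed to be the result of the operating system's own signature check) are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample "binaries"; a real check would read file contents from disk.
READER_V1 = b"MZ constructed reader build 1.0"
READER_V2 = b"MZ constructed reader build 1.1"   # routine vendor update, new bytes
HOBBY_TOOL = b"MZ constructed unsigned hobby utility"
VENDOR = "Example Reader Vendor"                 # hypothetical publisher name

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass(frozen=True)
class Policy:
    approved_hashes: frozenset      # checksum rule: exact file contents
    trusted_publishers: frozenset   # signature rule: who created the file

def evaluate(policy: Policy, data: bytes,
             verified_signer: Optional[str] = None) -> Tuple[str, str]:
    """Default-deny decision. verified_signer is assumed to be the signer name
    from an already-validated signature; None means unsigned or invalid."""
    if sha256_hex(data) in policy.approved_hashes:
        return ("ALLOW", "hash")
    if verified_signer is not None and verified_signer in policy.trusted_publishers:
        return ("ALLOW", "publisher")
    # Never seen before: blocked until someone reviews it.
    kind = "unknown-signed" if verified_signer else "unknown-unsigned"
    return ("REVIEW", kind)

def demo() -> dict:
    hash_only = Policy(frozenset({sha256_hex(READER_V1)}), frozenset())
    with_publisher = Policy(hash_only.approved_hashes, frozenset({VENDOR}))
    return {
        # The approved build runs. Nothing here asks whether it is exploitable.
        "v1_hash_only": evaluate(hash_only, READER_V1, VENDOR),
        # The vendor's own update is blocked until the hash list catches up.
        "v2_hash_only": evaluate(hash_only, READER_V2, VENDOR),
        # A publisher rule absorbs the update without a list change.
        "v2_with_publisher": evaluate(with_publisher, READER_V2, VENDOR),
        # Unsigned hobby software matches neither rule and waits for review.
        "hobby": evaluate(with_publisher, HOBBY_TOOL),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```
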
Up to this point, I've cut Intel some slack and assumed that they only plan to use whitelists for corporate clients. If Intel were to use whitelists on small-business or consumer systems, it would be a total disaster. Consumers use an incredible variety of software that they get from all over the world, and there's no way that a McAfee whitelist can keep up with the daily changes. Users would get too many "are you sure" prompts for programs they knew were fine; that would destroy the credibility of the product as well as train users to click "OK" on every prompt.
There are already plenty of walled gardens of computing available, such as the iPhone, that don't provide a way to install "unapproved" software. The PC is one of the few platforms that is still truly open so that anyone can write code for it and distribute it to anyone else. Despite the security challenges of such an open platform, I'm not willing to give up that freedom in the name of security.