[Tutor] application whitelisting

Steven D'Aprano steve at pearwood.info
Fri Sep 21 16:41:31 CEST 2012

On 21/09/12 20:51, Albert-Jan Roskam wrote:
> Hi,
> My company just started application whitelisting. Now a new version of
>a (benign!!) dll does not work as it (or rather, its file hash, if I
>understood it correctly) is not whitelisted.

Then get it whitelisted. If your company doesn't have the ability to
update the whitelist when your software updates, it's even more stupid
than it seems.

Application whitelisting is a poor idea. The first time you run a
Windows update, *everything will break*. Unless of course you trust
software from Microsoft -- or rather, you trust software that you *think*
is from Microsoft. So right there you have a vulnerability: any malware
that can steal a certificate, or sign up for a "legitimate" certificate,
will be trusted.

Whitelisting doesn't protect you from infected PDF files, buffer overflows,
code injection attacks, XSS attacks, Flash, etc. It's yet another buzzword
that *at best* will temporarily protect you from a few threats while doing
absolutely nothing about solving the actual problem.

> The code below is probably simplistic/naive, but it's a product of my
>frustration + curiosity. The strategy was to generate a dll that has the
>same file hash as the original dll by right-padding it with zero until
>the desired checksum is found. Why a zero? No idea. ;-)

It's worse than that. If the application whitelist is using md5 (and wanna
bet that at least 50% of the commercial whitelist software out there is?),
then it is already broken. An attacker can easily take an arbitrary
application, and generate a new application with the same MD5 sum and the
same length, differing by 128 bytes.


Is 128 bytes enough to compromise the application and turn it into an
attack tool? I don't know, but probably.


More information about the Tutor mailing list