[Tutor] application whitelisting

Albert-Jan Roskam fomcl at yahoo.com
Sat Sep 22 17:11:54 CEST 2012


>On 21/09/12 20:51, Albert-Jan Roskam wrote:
>> Hi,
>> My company just started application whitelisting. Now a new version of
>>a (benign!!) dll does not work as it (or rather, its file hash, if I
>>understood it correctly) is not whitelisted.
>Then get it whitelisted. If your company doesn't have the ability to
>update the whitelist when your software updates, it's even more stupid
>than it seems.

You are right, I should treat it like any other update. What I hate is the amount of paperwork and time involved.


>It's worse than that. If the application whitelist is using md5 (and wanna
>bet that at least 50% of the commercial whitelist software out there is?),
>then it is already broken. An attacker can easily take an arbitrary
>application, and generate a new application with the same MD5 sum and the
>same length, differing by 128 bytes.

Very interesting indeed! I noticed that the link to the original article was broken. This one works:

"In this paper we described a powerful attack against hash functions, and in
particular showed that finding a collision of MD5 is easily feasible.
Our attack is also able to break efficiently other hash functions, such as
HAVAL-128, MD4, RIPEMD, and SHA-0."
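
The hash-based check discussed in this thread, as an added example that is not part of the original post or of any whitelisting product: it shows why an updated DLL is blocked until its new hash is listed, and how to audit a list for entries that rely on the hash functions named in the quoted paper. The `algorithm:hexdigest` entry format, the function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac

# Hash functions the quoted paper reports as broken by the collision attack.
WEAK_ALGORITHMS = {"md5", "md4", "ripemd", "haval-128", "sha0"}

def file_digest(data, algorithm="sha256"):
    """Hex digest of a file's bytes under the named hashlib algorithm."""
    return hashlib.new(algorithm, data).hexdigest()

def parse_entry(entry):
    """Split a hypothetical 'algorithm:hexdigest' allowlist entry."""
    algorithm, _, digest = entry.partition(":")
    return algorithm.strip().lower(), digest.strip().lower()

def audit_allowlist(entries):
    """Return the entries that rely on a collision-prone hash."""
    return [e for e in entries if parse_entry(e)[0] in WEAK_ALGORITHMS]

def is_allowed(data, entries):
    """True only if a collision-resistant entry matches the file exactly."""
    for entry in entries:
        algorithm, digest = parse_entry(entry)
        if algorithm in WEAK_ALGORITHMS or algorithm not in hashlib.algorithms_available:
            continue  # never honour a weak or unknown algorithm
        if hmac.compare_digest(file_digest(data, algorithm), digest):
            return True
    return False

# Constructed sample data: two versions of the same (benign) library.
OLD_DLL = b"MZ constructed sample: library v1.0"
NEW_DLL = b"MZ constructed sample: library v1.1"
ALLOWLIST = [
    "sha256:" + file_digest(OLD_DLL),
    "md5:" + hashlib.md5(NEW_DLL).hexdigest(),  # legacy entry, flagged by the audit
]

if __name__ == "__main__":
    print("old version allowed:", is_allowed(OLD_DLL, ALLOWLIST))
    print("new version allowed:", is_allowed(NEW_DLL, ALLOWLIST))
    print("entries to re-hash:", audit_allowlist(ALLOWLIST))
```

The new version stays blocked until a SHA-256 entry for it is added; the MD5 entry is reported by the audit and never used for a match.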


