
Linux kernel implementation of the proposed whitelist the application executable

By Prempal Singh, May 31, 2017

A set of patches implementing the WhiteEgret LSM module has been published on the Linux kernel mailing list. WhiteEgret protects the system by enforcing a whitelist of executable components.

WhiteEgret allows execution only of application code and libraries that are explicitly permitted and recorded in a predefined whitelist. Execution of any application not on the list is blocked, which keeps unauthorized programs and malware from running on the system. WhiteEgret is well suited to static environments whose composition does not change for a long time, such as standard servers and industrial control systems.

The whitelist of allowed programs is processed in user space by the WEUA process (WhiteEgret User Application). While processing the execve and mmap_file calls, the kernel sends a request to WEUA carrying the full path of the executable file, and WEUA decides, based on the whitelist, whether the file may be executed. The mmap_file call is used to intercept the loading of shared libraries into executable memory. In addition to the file path, a hash of the executable's contents is verified, which makes it possible to block files that were modified after being added to the whitelist. WEUA communicates with the kernel over a netlink interface.

WhiteEgret features:

• Simplified initial setup. In the simplest case, the whitelist can be built by including all executable files present on a freshly installed system. Such a list blocks every application that is not part of the standard distribution;

• Short downtime when upgrading the system. On an update, it is enough to rebuild the whitelist to account for the changed hashes of the executable files;

• Independence from the composition of the working environment, with no additional requirements on it. For example, WhiteEgret does not depend on the file system type or on a TPM (Trusted Platform Module).
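The user-space side of the decision described above, as an added example that is not part of the WhiteEgret patches or of this post: a whitelist keyed by full path and content hash, the allow/deny decision WEUA would return for an execve or mmap_file request, and a rebuild of the list after an update. The netlink transport between the kernel and WEUA is not modeled; the kernel's request is represented by a plain function call carrying the path, and all sample files are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile

def file_hash(path):
    """SHA-256 of the file contents; the hash the whitelist records for each executable."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_whitelist(root):
    """Initial setup: record every executable file under root together with its hash."""
    wl = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            if os.path.isfile(p) and os.access(p, os.X_OK):
                wl[p] = file_hash(p)
    return wl

def weua_decide(whitelist, path):
    """Decision for an exec/mmap request carrying `path` (stand-in for the netlink message): (allowed, reason)."""
    expected = whitelist.get(path)
    if expected is None:
        return False, "path not in whitelist"
    if file_hash(path) != expected:
        return False, "hash mismatch: file modified after whitelisting"
    return True, "allowed"

def demo():
    """Constructed scenario: snapshot a 'fresh' tree, tamper with one binary, drop in a new one, then rebuild."""
    root = tempfile.mkdtemp()
    good = os.path.join(root, "bin", "good")
    os.makedirs(os.path.dirname(good))
    with open(good, "wb") as f:
        f.write(b"#!/bin/sh\necho good\n")
    os.chmod(good, 0o755)
    wl = build_whitelist(root)
    results = {"good": weua_decide(wl, good)[0]}
    with open(good, "ab") as f:
        f.write(b"# modified\n")
    results["tampered"] = weua_decide(wl, good)[0]
    new = os.path.join(root, "bin", "dropped")
    with open(new, "wb") as f:
        f.write(b"#!/bin/sh\n")
    os.chmod(new, 0o755)
    results["dropped"] = weua_decide(wl, new)[0]
    results["after_rebuild"] = weua_decide(build_whitelist(root), good)[0]
    return results
```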
