Yes, code and data are all about context. Code can be considered data if you take it out of the context where it can be run. If data cannot be executed, it is not code.
The beauty of whitelisting applications (as a concept) is that you don't care about things that aren't running, as they can't do anything to you until they CAN run. A set of 0s and 1s opened in notepad is no problem to me until that set of 0s and 1s can run in some manner. While I can certainly elect to do so, I don't *need* to use any computational power to address an inert set of 0s and 1s. If notepad has a buffer overflow vulnerability, as an example, then I still don't need to expend a lot of concern about that set of 0s and 1s if I don't want to. I only have to worry about what new processes it can spawn. Yes, it is technically possible that for a given executable, one could totally co-opt it to make it a malignant executable without the need for any other, but this is extremely difficult, which is why it is not regularly done. That's an extreme edge case, AND it's an edge case that is not any better addressed by a blacklisting solution in a zero-day scenario, whereas the most likely scenario of the compromised executable calling down new processes *is* trapped adequately by whitelisting. If you believe that the value of this class of protection is not worth the pain of managing the whitelisting solutions, then so be it. I cannot tell you where to draw the cost/benefit line. But I'm opting for any solution which better handles an entire class of real and prevalent threats than the standard solution, and which will only get better as the disparity between the size of blacklists and whitelists grows.
ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market…

On Wed, Apr 18, 2012 at 1:31 AM, Ken Schaefer <[email protected]> wrote:

> Actually, to make this point better:
>
> If I open a certain set of 0s and 1s in notepad.exe, it just displays the
> ASCII/Unicode character representation of those 1s and 0s on the screen
>
> If I open the same set of 0s and 1s in cscript.exe, then certain other
> actions get performed on the system.
>
> The above is a fairly clear distinction, but there are plenty of scenarios
> that grey the boundary far more. As far as I'm concerned, it is very
> difficult to distinguish between data and code, except in the simplest of
> cases.
>
> Cheers
>
> Ken
>
> From: Ken Schaefer [mailto:[email protected]]
> Sent: Tuesday, 17 April 2012 11:12 AM
> To: NT System Admin Issues
> Subject: RE: Whitelisting
>
> The first statement is wrong – there is no difference between data and
> code – they are just ones and zeros.
>
> Now, an application, can, tell an OS that certain memory addresses contain
> code that should not be executed.
>
> But some other application, loading exactly the same ones and zeros, can
> tell the OS that it should be executable.
>
> Cheers
>
> Ken
>
> From: Andrew S. Baker [mailto:[email protected]]
> Sent: Tuesday, 17 April 2012 2:28 AM
> To: NT System Admin Issues
> Subject: Re: Whitelisting
>
> >> Data is code. Code is data. They're both strings of 1's and 0's.
>
> No, they are most certainly not the same.
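As an added illustration (not part of Andrew's message, and not the code of any product named in this thread), here is a small Python model of the argument above: an allowlist only has to make a decision at the moment something tries to execute, bytes that are merely opened as data never reach that decision point, and a child process launched by a compromised allowlisted program is exactly the event that gets trapped. Every image, hash and process-creation event below is constructed for the example.

```python
"""Toy model of hash-based application allowlisting (constructed example)."""
import hashlib
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Constructed stand-ins for program images. Real allowlists key on a hash of
# the image bytes (or a publisher signature), not on the file name, so a
# renamed or copied binary still evaluates to the same decision.
NOTEPAD_IMAGE = b"constructed notepad.exe image bytes"
CSCRIPT_IMAGE = b"constructed cscript.exe image bytes"
UNKNOWN_IMAGE = b"constructed unknown binary dropped to disk"

# The "certain set of 0s and 1s" from the thread: as a file being read it is
# only data; it produces no process-creation event and is never evaluated.
AMBIGUOUS_BYTES = b"WScript.Echo 'hello'  ' or an MZ header, it does not matter yet"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Policy: only these two images may run. (Constructed allowlist.)
ALLOWLIST: Set[str] = {sha256(NOTEPAD_IMAGE), sha256(CSCRIPT_IMAGE)}


@dataclass
class ProcessCreate:
    """An execution attempt: the only kind of event the allowlist inspects."""
    parent: str
    image_name: str
    image_bytes: bytes


def evaluate(event: ProcessCreate, allowlist: Set[str]) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for one execution attempt."""
    digest = sha256(event.image_bytes)
    if digest in allowlist:
        return "allow", f"{event.image_name} ({digest[:12]}...) is on the allowlist"
    return "block", (
        f"{event.image_name} spawned by {event.parent} is not on the allowlist"
    )


def enforce(events: Iterable[ProcessCreate], allowlist: Set[str]) -> List[str]:
    """Apply the policy to a stream of execution attempts, in order."""
    return [evaluate(e, allowlist)[0] for e in events]


def scenario_decisions() -> List[str]:
    """The sequence discussed in the thread, as constructed events.

    1. The user opens notepad.exe: allowed, it is on the list.
       Reading AMBIGUOUS_BYTES inside notepad is a file read, not an
       execution attempt, so no event is generated for it at all.
    2. Assume notepad.exe has been exploited (the buffer overflow example)
       and tries to launch a binary it dropped: blocked, hash unknown.
    3. cscript.exe starts: allowed, because the *interpreter* is on the list.
       Whatever script it then reads is data to this policy, which is the
       limit Ken raises; allowlisting binaries does not constrain it.
    """
    events = [
        ProcessCreate("explorer.exe", "notepad.exe", NOTEPAD_IMAGE),
        ProcessCreate("notepad.exe", "update.exe", UNKNOWN_IMAGE),
        ProcessCreate("explorer.exe", "cscript.exe", CSCRIPT_IMAGE),
    ]
    return enforce(events, ALLOWLIST)


if __name__ == "__main__":
    for decision in scenario_decisions():
        print(decision)
```

The second event is the one Andrew describes as the common case: the compromised program itself keeps running, but the new process it tries to start is judged on its own hash and is refused. The third event shows the boundary Ken is pointing at: once an interpreter is allowlisted, the bytes it consumes are data as far as this policy is concerned, so script content needs its own control (script-level policy, signing, or constrained interpreters) rather than the binary allowlist.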
