A Case Study on the Security of Application Whitelisting

Presented at DeepSec 2015 "DeepSec No. 9", Nov. 20, 2015, 9:50 a.m. (50 minutes).

Application whitelisting is a concept that can be used to further harden critical systems, such as servers in SCADA environments or client systems with high security requirements like administrative workstations. It works by whitelisting all software installed on a system and, from then on, preventing the execution of any software that is not on the whitelist. This is intended to block the execution of malware and thereby protect against advanced persistent threat (APT) attacks. In this talk we discuss the general security of such a concept and which holes remain open to attackers. We then focus on one application whitelisting product to see the bypasses in practice. This includes several techniques for bypassing application whitelisting to achieve code execution, bypassing read and write protections, and a discussion of user account control (UAC) bypasses on such protected systems. The security of the product's memory corruption protections is discussed as well. Finally, some product-specific design flaws and vulnerabilities are presented.
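The following is an added illustration of the concept the abstract describes, written for this page; it is not code from the talk or from the product discussed, and the file names, contents and the "installed software" set are constructed placeholders rather than real executables. It builds a hash-based allowlist from the installed set, then shows what the check decides: an unlisted image is blocked, a listed image that was patched on disk is blocked, and a listed image is permitted regardless of what data it subsequently reads. That last case is a general property of image-hash enforcement (the policy sees the executable, not the content a permitted interpreter loads), stated here as a general observation and not as a claim about which bypasses the talk covers.

```python
"""Minimal hash-based application allowlist (illustrative, not a product's code)."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash the executable image on disk; a hash-based allowlist decides on this."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class Allowlist:
    """Set of permitted image hashes, built once from the installed software."""

    def __init__(self, hashes):
        self.hashes = set(hashes)

    @classmethod
    def from_installed(cls, paths) -> "Allowlist":
        # Enumerate everything installed at enrolment time and trust exactly that.
        return cls(sha256_file(p) for p in paths)

    def permits(self, path: Path) -> bool:
        """True only if this exact image is on the list; everything else is blocked."""
        return sha256_file(path) in self.hashes


def demo() -> dict:
    """Exercise the allowlist on a constructed 'installed' set (placeholder bytes,
    not real executables) and return the decisions for each scenario."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        editor = root / "editor.exe"        # hypothetical installed application
        interp = root / "interp.exe"        # hypothetical installed interpreter
        editor.write_bytes(b"EDITOR-IMAGE-v1")
        interp.write_bytes(b"INTERPRETER-IMAGE")
        allow = Allowlist.from_installed([editor, interp])

        # Scenario 1: a binary dropped after enrolment (e.g. by malware) is not listed.
        dropped = root / "dropper.exe"
        dropped.write_bytes(b"UNKNOWN-IMAGE")

        # Scenario 2: a listed binary patched in place changes its hash.
        editor.write_bytes(b"EDITOR-IMAGE-v1-PATCHED")

        # Scenario 3: a listed interpreter is handed unlisted content. The
        # allowlist only ever hashes the interpreter image, which is unchanged;
        # the script is never consulted by this enforcement point.
        script = root / "payload.txt"
        script.write_bytes(b"arbitrary instructions for the interpreter")

        return {
            "intact_listed_image": allow.permits(interp),
            "unlisted_image": allow.permits(dropped),
            "patched_listed_image": allow.permits(editor),
            "listed_interpreter_with_unlisted_script": allow.permits(interp),
        }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario}: {'ALLOW' if decision else 'BLOCK'}")
```

The design point a practitioner should take from scenario 3 is that the strength of a whitelist depends on where the enforcement point sits and what it inspects: hashing the image at execution time says nothing about data that a permitted program later interprets as code, so the trustworthiness of every listed program matters as much as the list itself.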


Presenters:

  • René Freingruber - SEC Consult
    René Freingruber has been working as a professional security consultant for SEC Consult for several years. He conducts research in the fields of malware analysis, reverse engineering and exploit development. He also studies modern mitigation techniques and how attackers can bypass them. In the course of that research he came across Microsoft's Enhanced Mitigation Experience Toolkit (EMET) and has given several talks on its (in)security at conferences such as RuxCon, ToorCon, ZeroNights, IT-Secx, DeepSec, 31C3 and NorthSec.
