Third Information Survivability Workshop - ISW-2000, Oct 24-26, 2000, Boston, Massachusetts

Execution Control Lists: An Approach to Defending Against New and Unknown Malicious Software


Abstract

The execution management utility (EMU) provides security-conscious administrators with a valuable defense against the introduction of new and potentially malicious code. It ensures that no user can execute a program (knowingly or unknowingly) without the explicit consent of the administrator. This greatly reduces the threat posed by viruses, Trojan horses, and even malicious insiders. In addition to security considerations, the EMU also provides control over the distribution of illegally obtained applications and the use of entertainment programs on corporate resources. There are numerous EMU features that make it manageable at the enterprise level, including centrally managed execution control lists (ECLs) and client-server communication. The kernel-based wrapping approach ensures the non-bypassability of the EMU and results in negligible performance overhead. Security features incorporated in the EMU ensure that even a malicious adversary cannot circumvent the execution management utility's execution control lists.

It is important to note that our approach is not a substitute for security protection technologies such as malicious code scanners and sandboxing techniques. Rather, our approach can work together with other techniques. For instance, if a user receives an unknown executable, it will be denied execution by the EMU client. The user may then request an administrator's permission to run the unknown executable. A system administrator can scan the code with a virus scanner or malicious code classifier. Furthermore, the administrator can choose to run the unknown executable within a sandboxed environment in order to determine if it is trustworthy. If the administrator decides the application can be trusted, then she may subsequently add the executable to the user's ECL to allow future execution. The important protection our approach provides is a first line of defense against users running unknown and possibly malicious executables.

Although malicious software inspires our approach, our solution also addresses other problem domains. The execution management utility can assist corporations by enforcing policies regarding the use of unauthorized, unlicensed or pirated software. Games and entertainment software, or even non-standard utilities (e.g., Napster, Gnutella, monitoring utilities like SpectorSoft, eBlaster, and advertising-enhanced browsers such as AllAdvantage.com), can be banned or carefully controlled.
