DOI: 10.1145/2420950.2420992

CodeShield: towards personalized application whitelisting

Published: 03 December 2012

Abstract

Malware has been a major security problem in both organizations and homes for more than a decade. One common feature of most malware attacks is that, at a certain point early in the attack, an executable is dropped on the system which, when executed, enables the attacker to achieve their goals and maintain control of the compromised machine. In this paper we propose the concept of Personalized Application Whitelisting (PAW) to block all unsolicited foreign code from executing on a system. We introduce CodeShield, an approach to implementing PAW on Windows hosts. CodeShield uses a simple and novel security model, and a new user interaction approach for obtaining security-critical decisions from users. We have implemented CodeShield, demonstrated its security effectiveness, and conducted a user study in which 38 participants ran CodeShield on their laptops for 6 weeks. Results from the data demonstrate the usability and promise of our design.



Published In

ACSAC '12: Proceedings of the 28th Annual Computer Security Applications Conference
December 2012
464 pages
ISBN:9781450313124
DOI:10.1145/2420950
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States


Qualifiers

  • Research-article

Conference

ACSAC '12
Sponsor:
  • ACSA
ACSAC '12: Annual Computer Security Applications Conference
December 3 - 7, 2012
Orlando, Florida, USA

Acceptance Rates

ACSAC '12 Paper Acceptance Rate 44 of 231 submissions, 19%;
Overall Acceptance Rate 104 of 497 submissions, 21%

Cited By

  • (2024) A SLAHP in the Face of DLL Search Order Hijacking. Ubiquitous Security, pp. 177-190. DOI: 10.1007/978-981-97-1274-8_12. Online publication date: 13-Mar-2024
  • (2023) Edge Computing: Architecture, Application, Opportunities, and Challenges. 2023 3rd International Conference on Technological Advancements in Computational Sciences (ICTACS), pp. 695-702. DOI: 10.1109/ICTACS59847.2023.10390171. Online publication date: 1-Nov-2023
  • (2018) Prevention of Ransomware Execution in Enterprise Environment on Windows OS: Assessment of Application Whitelisting Solutions. 2018 1st International Conference on Data Intelligence and Security (ICDIS), pp. 110-118. DOI: 10.1109/ICDIS.2018.00024. Online publication date: Apr-2018
  • (2015) Certified PUP. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 465-478. DOI: 10.1145/2810103.2813665. Online publication date: 12-Oct-2015
  • (2014) A Virtualization-Based Approach for Application Whitelisting. IEICE Transactions on Information and Systems, E97.D(6), pp. 1648-1651. DOI: 10.1587/transinf.E97.D.1648. Online publication date: 2014
