# Application Whitelisting



## Phishfry (Apr 12, 2018)

I was reading an article about security and I was wondering:
Can FreeBSD do application whitelisting?

https://www.computerweekly.com/news/252438775/NSA-calls-for-cyber-security-community-collaboration


----------



## ShelLuser (Apr 13, 2018)

As far as I know this isn't supported in FreeBSD. You might want to look into Veriexec which is a system supported by NetBSD.


----------



## Phishfry (Apr 13, 2018)

So to build an application firewall you would have to go to the heart of applications and this would be the "process".
Every running process has a PID.
So you would need a whitelist of allowed processes and somehow auto-SIGHUP any not on the list.


----------



## SirDice (Apr 13, 2018)

Phishfry said:


> So you would need a whitelist of allowed processes and somehow auto-SIGHUP any not on the list.


No, it should prevent the process from executing in the first place. That means diverting execve(2) and any other call that's able to start processes. But it's not going to be easy. What if applicationX is allowed and applicationY isn't, what's stopping me from simply renaming Y to X?


----------



## VladiBG (Apr 13, 2018)

There's something similar on Windows that I'm using on my Windows client computers. It's called AppLocker. Before running the application, the AppLocker service checks the hash of the application and the application certificate, and if it matches the allowed list then the user can run it; otherwise it's blocked. So even if you rename the application from Y to X it will still have the same hash. If you modify the content of the binary, for example add some garbage to the end, then you will break the application certificate and again you will not be able to start it. It's hard to monitor all the different versions of specific software; that's why using only the application certificate restriction is enough, for example you can say that only applications that have a valid M$ certificate can be started.


----------



## SirDice (Apr 13, 2018)

Yeah, hashes would definitely prevent the rename trick from working. But this poses new problems: you have to manage those hashes somehow. With fixed binaries this is fairly easy, the same binary runs on all computers. But with open source even a small change in compiler options can result in a different hash. So you would need to fix them during ports building and add those to the package. But that means I could build a rogue package that changes the hashes. Signing might also be a solution, but that also has problems if you build from ports.

The idea isn't new but it's going to be difficult to implement this for open source systems.
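As an added example (not code from any poster in this thread), a small Python allowlist check that illustrates the two points made above: keyed on the file's hash rather than its name, the rename trick SirDice describes no longer works, and the "add some garbage to the end" change VladiBG mentions alters the hash so the modified binary is blocked as well. The two "binaries" are constructed shell-script stand-ins written to a temporary directory; the policy function names are my own.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Content hash of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_allowlist(trusted_paths):
    """Map content hash -> original file name for each trusted binary (name is informational)."""
    return {sha256_file(p): Path(p).name for p in trusted_paths}

def allowed_by_name(path, allowlist):
    """Naive policy keyed on the file name; this is what the rename trick defeats."""
    return Path(path).name in allowlist.values()

def allowed_by_hash(path, allowlist):
    """Policy keyed on content: renaming changes nothing, any byte change changes the hash."""
    return sha256_file(path) in allowlist

def demo():
    """Constructed scenario: X is trusted, Y is not; try rename and tamper against both policies."""
    with tempfile.TemporaryDirectory() as d:
        x, y = Path(d, "applicationX"), Path(d, "applicationY")
        x.write_bytes(b"#!/bin/sh\necho X\n")   # stand-in for a trusted binary
        y.write_bytes(b"#!/bin/sh\necho Y\n")   # stand-in for an untrusted one
        allowlist = build_allowlist([x])
        results = {"x_by_hash": allowed_by_hash(x, allowlist),
                   "y_by_hash": allowed_by_hash(y, allowlist)}
        # Rename trick from the thread: move X aside and give Y its name.
        real_x = x.rename(Path(d, "applicationX.real"))
        y_as_x = y.rename(Path(d, "applicationX"))
        results["renamed_y_by_name"] = allowed_by_name(y_as_x, allowlist)  # fooled
        results["renamed_y_by_hash"] = allowed_by_hash(y_as_x, allowlist)  # still blocked
        results["renamed_x_by_hash"] = allowed_by_hash(real_x, allowlist)  # name irrelevant
        # Tampering: append garbage to the genuine X; its hash no longer matches.
        real_x.write_bytes(real_x.read_bytes() + b"\x00garbage")
        results["tampered_x_by_hash"] = allowed_by_hash(real_x, allowlist)
        return results

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'blocked'}")
```

A real enforcement point would have to sit in the kernel's exec path rather than in a userland script, and the hash manifest itself still needs protecting, which is exactly the management problem raised above.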


----------

