| 摘要: | 應用程式允許名單技術透過嚴格的存取控制控管,使系統只能執行經由企業或設備廠商所允許的合法程序。與過去傳統的拒絕名單技術概念相反,其目的即是打造端點系統上的最終防線,無論惡意程式經由什麼媒介或手段入侵,系統都只會執行被允許的程式,惡意程式在被啟動時就會被及時阻擋。
在當今數位化發展蓬勃的社會上,對資訊的安全保護意識不斷被推廣,除了應注意社交詐騙手法、小心來路不明的程式之外,若在使用的軟體有更新的版本或是補丁程式時應立即做更新也是非常重要的防護概念。因此,上述提到的應用程式允許名單防護技術也會面臨軟體更新的問題,儘管是對於部署在穩定、少變動的生產線機臺環境的允許名單而言,允許名單政策也總會有需要更新或維護應用程式版本的一天。
然而,近年來發生震驚社會的供應鏈攻擊,即便是信譽良好的供應商所使用的數位簽章保護,也可能遭受盜用而讓更新環境暴露在風險之中。如 ASUS Live Update 或 Solarwinds 攻擊事件,兩件事件被駭客入侵的手法皆利用軟體更新,將惡意程式散佈至端點系統之中。由於一般應用程式允許名單為了要讓允許清單內的應用程式做有效更新,都會將軟體供應商視為可信任的更新方,讓軟體供應商發佈的程式更新能夠自動更新至清單之中,這樣的作法讓上述兩種攻擊有效地透過更新而將惡意程式順利的新增進允許名單中。由此可見,軟體更新是必要的,但更新來源內容的安全性也不可忽視。因此,本研究針對允許名單與應用程式更新做了研究,提出了能讓應用程式允許名單更新時確保更新來源可信度的方法,取名叫CCS。此方法基於非所有系統都同時被竄改過的假設,透過比對多個更新資源的作法,將可疑的更新內容過濾排除,收集可被信任的更新資源並提供給應用程式允許名單做更新使用。實驗結果顯示出,CCS能夠有效過濾可疑檔案,並且可信任更新資源亦能更新至應用程式允許名單且正確無誤的執行。;The application allowlist technology uses strict access control so that the system can only execute legal procedures permitted by the enterprise or equipment manufacturer. Contrary to the traditional concept of denylist technology in the past, its purpose is to create the ultimate line of defense on the endpoint system. No matter what medium or paths the malicious program is invaded, the system will only execute the allowed program and the malicious program will be blocked in time when it is activated.
In today′s thriving digital society, the awareness of information security protection is constantly being promoted. In addition to social fraud and beware of unknown programs, it is also very important to update the software immediately when it has an updated version or patch program. Therefore, the application allowlist protection technology will also face the problem of a software update. Even though the allowlist is deployed in a stable and less-changing production line machine environment, the policy rules or the application lists will always need to be maintained and updated to a newer application version.
However, in recent years, there have been many supply chain attacks that affect the update server that shocked society. Even the digital signature protection used by reputable suppliers may be misappropriated and expose the update environment to risk. For example, in the ASUS Live Update or Solarwinds attacks, the two hacking methods used software updates to spread malicious programs to the endpoint systems.
In order to allow the applications in the general application allowlist to be effectively updated, the software supplier will be regarded as a trusted updater, so that the program updates issued by the software supplier can be automatically updated to the application list in the allowlist. But this approach caused the above two attacks to effectively add malicious programs to the allowlist and without checking. We can know that software updates are necessary, but the security of the update source′s content cannot be ignored. Therefore, this research focuses on the allowlist and application update, and we proposed a method to ensure the credibility of the update source when the application allowlist is updated, named Credibility Checking Service (CCS).
CCS assumes that not all systems have been tampered with at the same time. By comparing multiple update resources, suspicious update content is filtered out, and trusted update resources are collected and provided to the application allowlist for update use. The experimental results show that CCS can effectively filter suspicious files, and trusted update resources can also be updated to the application allowlist and executed correctly. |
