dc.description.abstract | Application allowlisting enforces strict execution control so that a system runs only the programs explicitly permitted by the enterprise or the equipment manufacturer. In contrast to the traditional denylist approach, its purpose is to form the last line of defense on the endpoint: regardless of the medium or path by which a malicious program arrives, the system executes only allowed programs, and the malicious program is blocked the moment it attempts to run.
In today's thriving digital society, awareness of information security protection continues to grow. Besides guarding against social-engineering fraud and unknown programs, it is also very important to install software updates and patches promptly when they are released. Application allowlisting therefore faces the problem of software updates as well: even when the allowlist is deployed on stable, rarely changing production-line machines, the policy rules and application lists must still be maintained and updated to newer application versions.
However, in recent years there have been several supply chain attacks on update servers that shocked the public. Even the digital signatures used by reputable suppliers may be misappropriated, exposing the update environment to risk. In the ASUS Live Update and SolarWinds attacks, for example, both intrusions used the software update mechanism to distribute malicious programs to endpoint systems.
To allow the applications in a typical allowlist to be updated effectively, the software supplier is treated as a trusted updater, so that program updates issued by the supplier are automatically added to the application list in the allowlist. In the two attacks above, however, this approach allowed malicious programs to be added to the allowlist without any check. Software updates are necessary, but the security of the update source's content cannot be ignored. This research therefore focuses on the interaction between the allowlist and application updates, and proposes a method, named Credibility Checking Service (CCS), to ensure the credibility of the update source when the application allowlist is updated.
CCS assumes that not all of the systems serving updates have been tampered with at the same time. By comparing multiple update resources, suspicious update content is filtered out, and trusted update resources are collected and provided to the application allowlist for updating. The experimental results show that CCS can effectively filter suspicious files, and that trusted update resources can be added to the application allowlist and executed correctly. | en_US |
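As an added illustration of the cross-source comparison the abstract describes (example code written for this page, not the thesis's own CCS implementation): the same update file is fetched from several sources, each copy is hashed, and a copy is released to the allowlist only when enough sources deliver byte-identical content. The quorum rule (at least `min_agree` sources and a strict majority of the sources that carry the file), the source names and the file contents below are all assumptions constructed for the example.

```python
"""Quorum-based credibility check across multiple update sources.

Added example; the quorum rule and all sample data are assumptions,
not the thesis's exact algorithm or data.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class UpdateArtifact:
    """One copy of an update file as fetched from one update source."""
    source: str      # hypothetical source name, e.g. "vendor-cdn"
    filename: str    # path of the file inside the update package
    content: bytes   # file bytes exactly as delivered by that source


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_credibility(artifacts, min_agree=2):
    """For each filename, accept the digest delivered by the most sources only if
    (a) at least `min_agree` sources delivered it and (b) those sources are a
    strict majority of the sources carrying that file, so a compromised
    minority cannot win a tie.

    Returns (trusted, suspicious):
      trusted:    filename -> (sha256 hex, content) that may be handed to the allowlist
      suspicious: filename -> sorted list of sources whose copy was not accepted
                  (every source, if no credible quorum was reached)
    """
    by_name = {}
    for a in artifacts:
        by_name.setdefault(a.filename, []).append(a)

    trusted, suspicious = {}, {}
    for name, group in sorted(by_name.items()):
        digest_of = {a.source: sha256_hex(a.content) for a in group}
        winner, votes = Counter(digest_of.values()).most_common(1)[0]
        if votes >= min_agree and votes * 2 > len(digest_of):
            content = next(a.content for a in group if sha256_hex(a.content) == winner)
            trusted[name] = (winner, content)
            dissent = sorted(s for s, d in digest_of.items() if d != winner)
            if dissent:
                suspicious[name] = dissent  # outvoted copies: flag the sources
        else:
            suspicious[name] = sorted(digest_of)  # no quorum: release nothing
    return trusted, suspicious


# Constructed sample: three hypothetical sources, one of them serving a tampered app.exe.
GOOD_APP = b"MZ\x90\x00 genuine build v2.1"
BAD_APP = GOOD_APP + b"\x00<implanted payload>"  # constructed tampered copy

SAMPLE_ARTIFACTS = [
    UpdateArtifact("vendor-cdn", "app.exe", GOOD_APP),
    UpdateArtifact("mirror-eu", "app.exe", GOOD_APP),
    UpdateArtifact("mirror-asia", "app.exe", BAD_APP),             # compromised source
    UpdateArtifact("vendor-cdn", "helper.dll", b"genuine helper"),
    UpdateArtifact("mirror-eu", "helper.dll", b"genuine helper"),  # only two sources carry it
    UpdateArtifact("vendor-cdn", "tool.exe", b"build A"),
    UpdateArtifact("mirror-eu", "tool.exe", b"build B"),
    UpdateArtifact("mirror-asia", "tool.exe", b"build C"),         # three-way disagreement
]


def run_sample():
    return check_credibility(SAMPLE_ARTIFACTS, min_agree=2)


if __name__ == "__main__":
    trusted, suspicious = run_sample()
    for name, (digest, _) in trusted.items():
        print(f"TRUSTED    {name}: sha256={digest[:16]}...")
    for name, sources in suspicious.items():
        print(f"SUSPICIOUS {name}: {', '.join(sources)}")
```

Two caveats a practitioner should keep in mind. First, the quorum is a complement to, not a replacement for, signature verification: both checks should pass before a file reaches the allowlist. Second, comparison across sources only detects divergence between sources; if the supplier's build itself is poisoned and every mirror serves the same signed, malicious binary, all copies agree and this check alone will not catch it, which is exactly why the method rests on the assumption that not all update systems are compromised at once.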