Whitelisting, Blacklisting, and Deep Freeze
By Bill Gray, Senior Systems Engineer, Dedicated Computing
You want to keep your embedded system secure, so you decide to install a virus scanner. However, the device does not have an internet connection, and you can't afford to send a service person to update the virus definitions as often as is needed, so is it really worth it? There are three approaches to safeguarding your device; understanding which practice best fits your system will lower costs and ensure your device is secure.
Typical virus scanners use a blacklisting technology where a list of code signatures is kept -- and when any code includes those signatures the application is quarantined. Utilizing a blacklisting approach on embedded systems has a number of downsides, including the frequency of updates for true protection, or performance impacts to the quarantined system can be significant.
Whitelisting, on the other hand, needs no virus definition updates, has no impact on performance, and only allows what has been defined as “good” to be executed, with no other applications being impacted. An operator using an embedded system will not be allowed to run any rogue code and will not be allowed to infect the embedded system.
Anti-virus products work by creating a list of programs and code signatures that are known to contain rogue software and then search an operating system, including its file system and memory space. The anti-virus engine can often identify and compartmentalize software just after having been executed, in (somewhat) real-time. Anti-virus databases must be updated often to address the most recent malware and exploits. Zero-day vulnerabilities software that has yet to be fixed or otherwise identified as susceptible by the community at large, are impervious to anti-virus products.
Whitelisting is a technology opposite to the implementation of anti-virus scanning techniques. Instead of locating and removing known vulnerabilities, the whitelisting approach simply refuses to load and execute any file not already allowed. This is accomplished by creating within a secure environment, a list of files (executable or otherwise) and their respective cryptographic checksums. A whitelisting kernel driver or shim is loaded during boot and is responsible for intercepting all filesystem reads/writes. For a file to be successfully loaded, it must first pass all security restrictions implemented by the whitelisting product. The result is a secure system that has no performance impacts, needs no virus definition updates, and can protect against zero-day attacks. Blacklisting is a perfect fit for general purpose computing. Purpose-specific computing, on the other hand, must operate without IT oversight, and do so within very specific operating requirements - making whitelisting a highly effective security solution for an embedded system.
Another approach to protecting the state of a deployed system is accomplished through a product called Deep Freeze. Deep Freeze is a proprietary software product developed by Faronics, available for Microsoft Windows and macOS operating systems. The software protects the operating system (at the hard drive level) by implementing a mechanism similar to Copy-on-Write. In this environment, the user is not allowed to modify the hard drive contents (OS or data, per configuration directives) and all changes are redirected to an overlay filesystem, most likely residing in main memory. On reboot, all changes are lost, and the operating system reverts back to the original state. Changes can be accomplished by first removing the protection mechanism (a process called "thawing"), making the necessary OS changes and then applying the lock ("freeze").
Deep Freeze does not protect the system from running malicious software after a reboot. This protection scheme does not protect a user from using alternative bootable media (e.g. USB flash drive) which would allow modifications to the "frozen" operating system drive contents.