At Least This Snake Oil Is Free
Snake oil, for those who are not familiar with the U.S. English vernacular, is a derogatory term for a product that makes unverifiable or exaggerated claims.
True to the tradition, we now find "Vista Firewall Control," complete with a PC World article that includes not only incorrect descriptions of the Windows Vista Firewall, but exaggerated and bogus claims of value, including "All in all, VistaFirewallControl is a great way to make sure your PC isn't making unwanted outbound connections."
No. It is not. There is only one great way to make sure your PC isn't making unwanted outbound connections.
There are several serious flaws in the reasoning that outbound, host-based firewalls will actually stop attacks. The one that seems to elude everyone who claims a piece of software can stop arbitrary other pieces of software from making outbound connections is that all software running within the same user context can control any other software within the same user context. Put more simply, if you permit any application to communicate out, over any port, then any other piece of software you execute as the same user can communicate out over that same port.
Let's say you run application A, a web browser. The browser runs as you, user Bob, who is a standard user. The browser tries to connect to some server, and the outbound host-based firewall detects that and asks if you wish to permit it. If the administrator has enabled it, you can permit that yourself, otherwise you may need an administrative account to do it. For the sake of argument, let's say you can enable it yourself. More than likely, you would enable it to connect to all web servers, since a web browser is far more useful that way.
Now some distant friend of yours, Paul, e-mails you this cool app he found, and you run it. The application gathers up all your stored passwords, your Microsoft Money file, all your recent e-mail messages, and any documents you have access to. It then needs to send this stuff to the criminals, but the outbound host-based firewall would stop it, right? No. The malicious application could do a couple of things. First, if you have the ability to open outbound ports, the application, running as you, could just open the ports it needs, transfer the data, and close them again.
Let's say, however, that you would have to ask your administrator to open ports (notwithstanding the fact that no administrator, and no user, would ever put up with that in the long run). That would stop the malicious application, right? No. That won't work either. The application would simply look for some other application that can communicate outbound. It would find that the web browser can do so. Cool. The malicious application would launch the web browser, which opens the hole in the firewall, attach to it using standard debugging techniques, and then ask the web browser to take the neatly packaged information it stole and send it wherever it wants. This would be done by simply injecting code into the running web browser. The web browser, essentially unaware that this was even happening, would go ahead and do it. The host-based outbound firewall would only know that the web browser sent some data out, which it is permitted to do, and would not take any action to stop it.
Since there is no application isolation between applications running within the same user context, there is no real way to prevent this from happening. Only by completely re-architecting Windows could this be prevented, and even then, it would only truly work if everything we know about computers, from the hardware on up, changed fundamentally. The Trusted Computing Platform and Microsoft's Next Generation Secure Computing Base (NGSCB) initiatives of several years ago were originally designed to achieve that, but the aims have since been scaled down significantly, at least in the near term.
This is only one reason why presenting host-based outbound firewalls as a protective measure against malware is pure snake oil. There are several others as well, but rather than repeat them here, you can just read some things I have written in the past, such as a post in my old blog, an article in TechNet Magazine, and of course, a rather lengthy discussion in the Windows Vista Security book.
Does that mean that all outbound host-based firewall filtering is meaningless? No, it does not. Host-based outbound filters can make it more difficult to communicate out for applications which cannot (easily) get other applications to do their evil bidding for them. Windows Vista already does that by default with services. It can also be used to prevent accidental disclosure. For example, you can block outbound SMB connections on public networks. SMB, or Windows file sharing, should not be used outside a confined network environment anyway. Blocking it on public networks can prevent a user from accidentally connecting to a file server on the Internet and performing a challenge-response authentication, thereby volunteering an authentication sequence that can be cracked. Of course, with Windows Vista, the challenge-response protocols used are far stronger by default than in previous versions of Windows, but nevertheless, putting such a filter in place provides a measure of defense in depth against accidents and should have no adverse application compatibility impact. I covered both of these benefits in greater depth in the Windows Vista Security book.
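The outbound SMB filter described above, as an added example that is not from the original post or the book: a script using netsh advfirewall, the command-line interface to the Windows Vista firewall, that blocks outbound SMB and NetBIOS traffic only while the Public profile is active and then lists the rules so their scope can be checked. The rule names are chosen here for illustration.

```batch
@echo off
rem Added example: outbound block rules for Windows file sharing, scoped to the
rem Public profile only, so SMB keeps working on Domain and Private networks.
rem Run from an elevated (administrator) command prompt.

rem Direct-hosted SMB (TCP 445) and the NetBIOS session service (TCP 139).
netsh advfirewall firewall add rule ^
    name="Block outbound SMB on public networks" ^
    dir=out action=block enable=yes profile=public ^
    protocol=TCP remoteport=139,445

rem NetBIOS name service (UDP 137) and datagram service (UDP 138), which a
rem client uses to find a file server by name before opening a session.
netsh advfirewall firewall add rule ^
    name="Block outbound NetBIOS on public networks" ^
    dir=out action=block enable=yes profile=public ^
    protocol=UDP remoteport=137,138

rem Verify: each listing should show Direction Out, Action Block, Profiles Public.
netsh advfirewall firewall show rule name="Block outbound SMB on public networks"
netsh advfirewall firewall show rule name="Block outbound NetBIOS on public networks"

rem Check which profile is active before testing; the rules have no effect
rem on Domain or Private networks.
netsh advfirewall show currentprofile
```

If the rules need to be removed later, `netsh advfirewall firewall delete rule name="..."` with the same rule name takes them out again.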
However, the existence of some benefit from outbound host-based firewall controls does not in any way make such controls "a great way to make sure your PC isn't making unwanted outbound connections."