A few weeks ago I spent an intriguing afternoon in the basement of Dan Teal, Founder and CTO of CoreTrace. While that might sound as though we were reviewing his private treasury of Civil War memorabilia, or his collection of antique farm implements or whatever, he was actually giving me a demonstration of Bouncer, the product he and his team at CoreTrace have built. He just happens to be able to do that from home and it was more fun than simply sitting in the boardroom and watching a canned demo.
The Role of Whitelisting
So what is Bouncer? I’m tempted to refer to it as a whitelisting capability, but to be honest it goes beyond whitelisting, and it heads off in a direction of which I approve. So let’s begin this by discussing whitelisting and the real reason for The AVID Campaign that I ran for 18 months, until the AV industry was forced to take notice and change direction.
The AVID campaign was a drumbeat aimed at repeatedly drawing attention to the fact that the primary IT security product, AV software, was inadequate and also based on the wrong idea. Because I needed to run the campaign as a drumbeat, I rarely came right out and made the “defining point”. The defining point about IT Security is this:
You cannot break into a computer from a remote location and achieve anything at all without executing a process.
It’s also almost impossible to do anything without executing a process, even if you’re actually in the same room as the computer, but at least then you have the added possibility of physically taking it apart and, depending on how the computer works, you may be able to get at data somehow. Remotely you have no chance whatsoever without executing a process. Period. It really is that simple.
And consequently, in order to prevent intruders doing dastardly things directly (or indirectly through viruses), what you need to do is authenticate the software that is allowed to run and let nothing else run. Anti-virus is a poor IT Security solution because it doesn’t do that. Instead it tries to spot software it thinks is bad. Anti-virus comes from a bygone era and that is where it belongs. It is not enough to just recognize rogue software.
Neither is it enough to add behavioral recognition to AV software. That will improve things quite a lot, because it will trap a good deal of the rogue software that standard AV will miss, but unfortunately there are many pieces of software that can do dastardly things that are a legitimate part of the operating system. We have to do better than that.
So we come to whitelisting. Whitelisting is the implementation of software authentication. You start by authenticating a clean version of all the software you intend to use and then you don’t let any other software run except in a sandbox until it has been authenticated. There are different approaches to whitelisting, but the differences are in how you implement and how you authenticate. From a theoretical standpoint, all whitelisting products take the same approach.
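The contrast between the two models described above, as an added example that is not CoreTrace's code or part of the original post. It assumes software is authenticated by a SHA-256 hash of its contents (only one of the possible approaches to authentication), uses constructed files in place of real executables, and represents the sandbox as a returned label only.

```python
import hashlib
import tempfile
from pathlib import Path

def digest(path):
    """SHA-256 of the file's bytes: identity is content, not name or location."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def enroll(clean_dir):
    """Authenticate every file of a known-clean install; the result is the whitelist."""
    return {digest(p) for p in Path(clean_dir).rglob("*") if p.is_file()}

def whitelist_decision(path, whitelist):
    """Default deny: software that is not authenticated only runs in the sandbox."""
    return "run" if digest(path) in whitelist else "sandbox"

def signature_av_decision(path, known_bad):
    """Default allow: only software already recognised as bad is stopped."""
    return "block" if digest(path) in known_bad else "run"

def demo():
    """Run both policies over constructed files that stand in for executables."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean = root / "clean"
        clean.mkdir()
        (clean / "editor.bin").write_bytes(b"constructed: approved editor")
        whitelist = enroll(clean)

        samples = {
            "approved": clean / "editor.bin",
            "known_bad": root / "old.bin",
            "novel": root / "new.bin",
            "tampered": root / "editor.bin",  # approved name, different bytes
        }
        samples["known_bad"].write_bytes(b"constructed: has an AV signature")
        samples["novel"].write_bytes(b"constructed: never seen before")
        samples["tampered"].write_bytes(b"constructed: approved editor, modified")
        known_bad = {digest(samples["known_bad"])}

        return {name: (whitelist_decision(p, whitelist),
                       signature_av_decision(p, known_bad))
                for name, p in samples.items()}

if __name__ == "__main__":
    for name, (wl, av) in demo().items():
        print(f"{name:10} whitelist={wl:8} signature_av={av}")
```

The never-seen file and the modified copy of an approved file both pass the signature check, while the whitelist confines them because neither was ever authenticated.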
Bouncer and The Globalization of Permissions
Bouncer is too complex a product for me to describe in a single posting, so just think of it as a whitelisting capability and I’ll describe three elements of it which I find impressive and which take it a little further than whitelisting normally goes.
- Bouncer is designed as if it were an invisible rootkit that is injected into the OS at the highest priority point and the earliest possible point after boot up. Basically it is designed to get in before anything else can and be invisible in every way. You will never know it is there and (in theory at least) it will never show up in any diagnostics of any kind.
- Bouncer implements its sandbox and its whitelist directly by controlling and enforcing permissions. Bouncer can prevent all other processes from making changes to permissions. It can have total control. In other words it owns the local permission system completely and cannot be usurped.
- Bouncer runs from sealed servers which self-protect and which can be configured to run in a fault-tolerant manner. It thus enforces a complete separation of concerns. You could say that, in a kind of metaphorical way, it virtualizes and globalizes the permissions system so that the IT Security of a network can be defined as a set of policies that are implemented by a separate system that oversees the corporate network.
So is Bouncer a whitelisting product? I’d say not. It’s more like an IT Security platform and it marks out the direction in which I believe other whitelisting products will inevitably evolve.
































