Executable Allowlisting
Definition
Using a digital signature to authenticate a file before opening.
Synonyms: File Signature Authentication
How it works
This technique is generic and there are numerous ways to compute and authenticate digital signatures. In a typical deployment the software publisher generates a private/public key pair and obtains from a certificate authority (CA) a digital certificate that binds the public key to the publisher's identity. The publisher computes a hash of the file and signs that hash with the private key. When another user downloads the file, the user's system checks that the certificate chains to a trusted CA, computes a new hash of the downloaded file, and uses the public key from the certificate to verify the signature against that new hash. If the signature does not verify, because the file was altered after signing or was signed with a key the system does not trust, further techniques, such as file deletion, file quarantine, or Executable Blacklisting, may be invoked.
This technique may be invoked when deciding whether to execute a file.
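The sign-then-verify exchange described above, as an added example in Go that is not part of the original article. It assumes, as a simplification, that a bare Ed25519 key pair stands in for the CA-issued certificate and key, that SHA-256 is the file hash, and that the sample "executable" bytes are constructed here rather than read from disk; the names signExecutable, verifyExecutable and decide are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Action is the loader's decision once the signature check has run.
type Action int

const (
	Execute    Action = iota // signature verifies: load the file
	Quarantine               // signature present but does not verify: isolate the file
	Deny                     // no signature at all: refuse and fall through to denylisting
)

func (a Action) String() string {
	return [...]string{"Execute", "Quarantine", "Deny"}[a]
}

// signExecutable is the publisher's side: hash the file, then sign the digest with
// the publisher's private key. Assumption of this example: a bare Ed25519 key pair
// stands in for the CA-issued certificate and key a real deployment would use.
func signExecutable(priv ed25519.PrivateKey, file []byte) []byte {
	digest := sha256.Sum256(file)
	return ed25519.Sign(priv, digest[:])
}

// verifyExecutable is the loader's side: recompute the digest over the bytes that
// are actually on disk and check the signature with the trusted public key. Any
// change to the file after signing changes the digest, so verification fails.
func verifyExecutable(pub ed25519.PublicKey, file, sig []byte) bool {
	digest := sha256.Sum256(file)
	return ed25519.Verify(pub, digest[:], sig)
}

// decide maps the outcome of the check onto the follow-on actions named in the text.
func decide(pub ed25519.PublicKey, file, sig []byte) Action {
	if len(sig) == 0 {
		return Deny
	}
	if verifyExecutable(pub, file, sig) {
		return Execute
	}
	return Quarantine
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample "executable": an ELF magic number plus NOP filler, not a real binary.
	original := append([]byte("\x7fELF"), bytes.Repeat([]byte{0x90}, 60)...)
	sig := signExecutable(priv, original)

	tampered := append([]byte(nil), original...)
	tampered[10] ^= 0xff // one byte changed after signing

	_, rogue, _ := ed25519.GenerateKey(rand.Reader) // a publisher key the system does not trust
	rogueSig := signExecutable(rogue, original)

	fmt.Println("untouched, trusted signer:", decide(pub, original, sig))
	fmt.Println("tampered after signing:   ", decide(pub, tampered, sig))
	fmt.Println("signed by untrusted key:  ", decide(pub, original, rogueSig))
	fmt.Println("no signature at all:      ", decide(pub, original, nil))
}
```

The three failure paths are kept separate on purpose: a missing signature is a policy decision (fall through to denylisting), whereas a signature that is present but does not verify is evidence of tampering or of an untrusted signer, which is the case where quarantine or deletion is warranted.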
Considerations
Managing the allowlist is complex for organizations that download or create high volumes of software, in particular engineering or scientific organizations, because each new or updated executable must be approved before it can run.
References
The following references were used to develop the Executable Allowlisting knowledge-base article.
(Note: the consideration of references does not imply specific functionality exists in an offering.)
Computing apparatus with automatic integrity reference generation and maintenance
Enhancing Network Security By Preventing User-Initiated Malware Execution
MITRE Comments
This paper describes application whitelisting. New software executable code is compared to a database of allowed software to determine if the new executable code should be loaded and executed. A database of cryptographic hashes is first created for all allowed software executables. Prior to loading any new executable code, a hash is computed and compared against the hash database. If the hash for the new code does not appear in the database, the executable is not loaded and executed.
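The hash-database allowlisting the paper describes, written as an added example in Go; this is illustrative code, not code from the paper or from MITRE. It assumes SHA-256 as the hash, an in-memory map as the database, and constructed sample bytes in place of real binaries; Allowlist, Approve, Lookup and LoadExecutable are names chosen for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Allowlist is the database of cryptographic hashes of approved executables.
// Key: hex SHA-256 digest of the file bytes. Value: which approved build it is.
type Allowlist struct {
	entries map[string]string
}

func NewAllowlist() *Allowlist {
	return &Allowlist{entries: make(map[string]string)}
}

// fingerprint hashes the file contents; the path or filename plays no part.
func fingerprint(file []byte) string {
	sum := sha256.Sum256(file)
	return hex.EncodeToString(sum[:])
}

// Approve records the hash of a vetted executable (building the database).
func (a *Allowlist) Approve(name string, file []byte) string {
	fp := fingerprint(file)
	a.entries[fp] = name
	return fp
}

// Lookup reports which approved build the bytes correspond to, if any.
func (a *Allowlist) Lookup(file []byte) (string, bool) {
	name, ok := a.entries[fingerprint(file)]
	return name, ok
}

var ErrNotAllowlisted = errors.New("executable hash not in allowlist; refusing to load")

// LoadExecutable is the gate run before any code is loaded: hash the bytes, look
// the hash up, and refuse when it is absent. Returns the approved name on success.
func LoadExecutable(a *Allowlist, path string, file []byte) (string, error) {
	name, ok := a.Lookup(file)
	if !ok {
		return "", fmt.Errorf("%s: %w", path, ErrNotAllowlisted)
	}
	return name, nil
}

func main() {
	al := NewAllowlist()
	// Constructed sample "builds": ELF magic plus a version string, not real binaries.
	build1 := []byte("\x7fELF tool build 1.0")
	fmt.Println("approved tool-1.0 as", al.Approve("tool-1.0", build1))

	// Same bytes under a different path still match: the decision is on content.
	if name, err := LoadExecutable(al, "/tmp/renamed.bin", build1); err == nil {
		fmt.Println("/tmp/renamed.bin loads as", name)
	}

	// One byte changed (a patched or trojaned copy) yields an unknown hash.
	patched := append([]byte(nil), build1...)
	patched[8] ^= 0x01
	if _, err := LoadExecutable(al, "/opt/tool", patched); err != nil {
		fmt.Println(err)
	}

	// A legitimate rebuild also has a new hash and must be approved again,
	// which is the management burden noted under Considerations.
	build2 := []byte("\x7fELF tool build 1.1")
	if _, err := LoadExecutable(al, "/opt/tool-1.1", build2); err != nil {
		fmt.Println(err)
	}
}
```

Because the lookup is keyed on content alone, renaming or relocating an approved file does not defeat the control, but every recompilation produces a fresh hash that must be added before the new build will run.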