Host Intrusion Prevention Software can restrict applications from taking certain actions regardless of whether they have the privilege to do so as assigned by the operating system.

Given that with the use of HIPS applications can be significantly restricted and a principle of least privilege enforced (somewhat), can HIPS software be considered somewhat equivalent to a MAC implementation?

AviD
Sonny Ordell

1 Answer

No, HIPS is fundamentally different from MAC.

Mandatory access control (MAC) systems try to provide a robust foundation for security on your machine. MAC systems are generally intended to provide a high level of assurance: they are based upon a rigorous mathematical theory, they try to provide strong guarantees, and they are intended to be secure even if the attacker knows how the MAC system works. In general, MAC systems are generally intended to be very difficult for attackers to defeat.

Host-based intrusion prevention software (HIPS) tries to provide a best-effort mitigation against some common methods of compromising machines. HIPS doesn't make any guarantees. HIPS is not based upon any rigorous theory; instead, it is based upon a characterization of common methods that attackers tend to use. A sophisticated attacker who is familiar with your HIPS can likely evade detection by the HIPS and render the HIPS worthless, but that is generally considered OK, because that is not the kind of threat that HIPS is primarily aimed at preventing. HIPS are based upon host-based intrusion detection (HIDS) systems, which make a best effort to detect what attacks they can; the difference between HIDS and HIPS is that HIDS just detects (some) attacks, whereas a HIPS is a HIDS that also has some mechanism to try to stop any attack that the HIDS detects. Since HIDS systems never claimed to be able to detect all attacks, it will also be true that HIPS systems cannot prevent all attacks. The upside is that HIPS is a lot easier to deploy on a legacy system -- but it provides a much lower level of security, and a lower level of assurance.

Or, if you want to think in terms of an analogy: HIPS systems are like a blacklist. MAC systems are like a whitelist. Whitelists provide stronger security, but are also more restrictive, and thus blacklists may be easier to deploy.

In short, MAC and HIPS are in a different league from each other. They're not in competition with each other, because MAC is intended and designed for a different context than HIPS.

D.W.
  • Thanks for the answer. I'm still a bit unsure however. I was looking at stuff like McAfee Entercept which seemed to be able to protect and limit applications in a similar way to SELinux or AppArmor can. For example denying a program access to certain directories and such despite the OS giving permission. That is why I thought there may be some similarity even if purely practical. – Sonny Ordell Nov 26 '11 at 15:20
  • I think of SELinux and AppArmor more as centrally-configured application sandboxing systems, rather than as MAC systems (though of course they can be characterized either way). SELinux and AppArmor are medium-assurance systems (unlike many other MAC systems, which are intended for high assurance). That aside, many of the comments about MAC in my answer do apply to SELinux and AppArmor. – D.W. Nov 26 '11 at 23:01
  • OK, but when I look at something like McAfee HIPS and compare it to say AppArmor, they seem to have a lot of similarities practically in how they can restrict applications. Purely practically I see quite a lot in common, or am I misunderstanding things here? – Sonny Ordell Nov 28 '11 at 16:04
  • I don't know the technical innards of McAfee Entercept well enough to get into technical details about it, but generally speaking, most HIPS are derived from a HIDS, which as I explain in my answer, are only intended to serve as a best-effort attempt at detecting some intrusions. In contrast, AppArmor was designed to enforce a sandboxing policy -- which has the potential to provide higher assurance than a standard HIPS. If you want to know more about Entercept, it may help to provide more technical information about how it works. – D.W. Nov 28 '11 at 20:13
  • Entercept has actually been discontinued and the product is just called HIPS now. It seems these HIPS products, at least the ones for desktops, seem to do a similar thing to AppArmor and provide sandboxing and restrict applications from doing things they shouldn't in the event of an attack. In this way I am finding it hard to see the differences from a practical point of view. – Sonny Ordell Nov 30 '11 at 14:55
  • @Sonny, thanks, I did not know that. Perhaps HIPS has become just a marketing term with little technical meaning these days. – D.W. Dec 01 '11 at 04:22
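The whitelist-versus-blacklist distinction in the answer, and the "deny a program access to certain directories" point raised in the comments, can be made concrete with an AppArmor profile. The following is an added example, not part of the original post or of any McAfee or AppArmor documentation; the program path `/usr/local/bin/reportgen` and the file paths inside the profile are hypothetical placeholders chosen for illustration.

```apparmor
# Added example: a confinement profile for a hypothetical program
# /usr/local/bin/reportgen. AppArmor profiles are whitelists: once the
# profile is loaded in enforce mode, any file access, capability or
# network operation NOT listed here is refused, even when the process
# runs as root and ordinary DAC permissions would allow it.
#include <tunables/global>

/usr/local/bin/reportgen {
  # Shared libraries, locale data, /dev/null and similar basics.
  #include <abstractions/base>

  # The program's own binary and configuration, read-only.
  /usr/local/bin/reportgen        mr,
  /etc/reportgen/**               r,

  # Working data: read and write, but no execute.
  /var/lib/reportgen/**           rw,
  /var/log/reportgen/*.log        w,

  # Explicit deny rules are redundant in a whitelist (these paths are
  # already unlisted), but they document intent and suppress audit noise
  # if the program is tricked into reaching for user data or shells.
  deny /home/**                   rwx,
  deny /root/**                   rwx,
  deny /bin/sh                    x,
  deny /bin/bash                  x,

  # No capabilities and no network: absent rules mean "not permitted".
}
```

The practical difference to a blacklist-style control is what happens to an action nobody anticipated: a new file path, a new binary, or a technique the rule author never saw. The profile above refuses it by default because it is not enumerated; a blacklist permits it by default because no signature matched. Loading the profile in complain mode first (`aa-complain /usr/local/bin/reportgen`) logs the accesses the program legitimately needs so the whitelist can be completed before switching to `aa-enforce`.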