revisiting the 3 preventative paradigms

i've been thinking about the 3 preventative paradigms lately [actually i found this languishing in my drafts pile since jan '09].

framing the 3 preventative paradigms

in the ideal case:
  1. a blacklist blocks access to a protected resource for things/actions that are bad
  2. a whitelist blocks access to a protected resource for those things/actions that are not good
  3. a sandbox blocks access to a protected resource unconditionally, offering a comparable low-value alternative resource as a surrogate
as you can see, this covers all conceivable options except the degenerate case of no prevention where access to the protected resource is not blocked under any circumstance (though realistically we can ignore this case when we're talking about prevention).

balancing the 3 preventative paradigms

the world is not an ideal place, however, and those cases cannot be implemented perfectly:
  1. the halting problem prevents us from implementing a perfect blacklist and limits us to blocking only those things/actions that are already known to be bad, which is the source of the so-called reactive nature of blacklists
  2. while the halting problem affects whitelists in the same way, whitelists actually benefit, in a way, from being limited to only known things/actions. however, the generality of interpretation (any data can act as a program once something interprets it) prevents us from implementing perfect whitelists (as the security world is bound to discover when whitelisting finally crosses the chasm), because we will only ever be able to apply application whitelisting to known program types and thus will have to react whenever we discover a new program type being abused.
  3. while the generality of interpretation may make it difficult to know when a sandbox needs to be used, what prevents sandboxes from being perfect when they are used (barring implementation failures that lead to unaided sandbox escape) is the need to share data across the barrier the sandbox erects; that need is inherent to the division of labour, not to mention a variety of other useful and interesting things we do with computers.
thus, with blacklists handling everything known to be bad, whitelists handling everything known to be good, and sandboxes handling everything in between, one might naively consider prevention a done deal; but since each one has problems the others can't fully compensate for, there will always be edge cases that slip through and demonstrate that prevention is only the beginning of what a defender must consider.
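as an added illustration (not from the original post), here is a small python mediator that layers the three paradigms in the order the last paragraph describes: a surrogate copy stands in for the sandbox, and a deliberate share_out path stands in for the data sharing that keeps sandboxes imperfect. the resource, program names and function names are all constructed for this example.

```python
from copy import deepcopy
from enum import Enum

class Verdict(Enum):
    BLOCK = "block"      # blacklist: known to be bad
    ALLOW = "allow"      # whitelist: known to be good
    SANDBOX = "sandbox"  # everything in between
class Mediator:
    """layers the three paradigms in front of one protected resource
    (a plain dict standing in for a settings store; constructed sample)."""
    def __init__(self, protected, known_bad=(), known_good=()):
        self.protected = protected
        self.known_bad = set(known_bad)
        self.known_good = set(known_good)
        self.surrogates = {}  # per-program low-value copies (the sandbox)

    def decide(self, program):
        if program in self.known_bad:
            return Verdict.BLOCK
        if program in self.known_good:
            return Verdict.ALLOW
        return Verdict.SANDBOX  # unknown: neither list can speak to it

    def _target(self, program):
        verdict = self.decide(program)
        if verdict is Verdict.BLOCK:
            raise PermissionError(f"{program}: known bad, access refused")
        if verdict is Verdict.ALLOW:
            return self.protected
        # copy on first use: the program still "works" against a snapshot,
        # but nothing it writes reaches the real resource
        return self.surrogates.setdefault(program, deepcopy(self.protected))

    def read(self, program, key):
        return self._target(program).get(key)

    def write(self, program, key, value):
        self._target(program)[key] = value

    def share_out(self, program, key):
        # deliberate data sharing across the barrier (division of labour):
        # the one path by which sandboxed output reaches the real resource
        self.protected[key] = self.surrogates[program][key]

def demo():
    m = Mediator({"notify": "ops@example.invalid"},
                 known_bad={"known-bad.exe"}, known_good={"backup.exe"})
    m.write("backup.exe", "notify", "backup@example.invalid")    # lands for real
    m.write("newtool.exe", "notify", "newtool@example.invalid")  # stays sandboxed
    return m
```

the unknown program sees a working resource and never notices the surrogate; only the explicit share_out call lets its output cross the barrier, which is exactly the gap the paragraph above says cannot be closed.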