IBM boffins claim to have developed a way to stop worms and viruses without using anti-virus software.
Instead, the Assured Execution Environment (AXE) takes a very strict approach to controlling what is run on the computer. AXE software is put into the operating system's kernel which then polices every piece of software run on the machine, checking that only authorised code is executed.
Unlike anti-virus software, AXE doesn't check for dangerous software but just prohibits any code unless it has been pre-configured into an AXE-friendly format - something the IBM researchers claims they can make it virtually impossible for spyware and virus writers to do.
"We are making every machine a unique OS," said the project's brainchild, Amit Singh. Singh. AXE works with both Windows and Mac OS.
Users or administrators can use a variety of techniques, including encryption, to ensure that unauthorised software could not be run without their permission. They could also use AXE to make sure that certain programs were only run on specific machines, or even use AXE techniques to make data unreadable, to keep Word or PowerPoint documents away from prying eyes.
The AXE developers say that because some users may not want to have every piece of software they run on their machine "blessed" by a central IT administrator, they've built some flexibility into the software's design. PCs can be configured to allow unknown software to run, but only when approved by the user, or they can set unknown software to run only in a virtual machine environment, where it can't do as much damage to the base operating system.
This idea of creating a "whitelist" of authorized applications is going to be more widely adopted by security vendors, because the traditional anti-virus technique of blocking known malware is simply becoming too unwieldy, said Yankee analyst Andrew Jaquith. "Whitelists are probably the way to go in the future," he said.
Other companies, such as SecureWave and Bit9, have taken a similar approach to security, he said.
The downside of whitelists, however, is that they can create a management headache because administrators have to get involved every time any software is updated. "If Microsoft sends out a hotfix, you're probably going to have to re-register those applications. The real question is not whether the technology works, but whether it's manageable."
IBM should have a better understanding of how manageable AXE really is by next year, when it is put in the hands of an early pilot customer.