noproto edited this page Apr 6, 2021 · 24 revisions

WhiteBeam
Transparent endpoint security: Wiki




Overview

WhiteBeam is a cross-platform, slim, and secure EDR (Endpoint Detection and Response) program. The core principles of our community-based solution are:

  1. Library interposition is the most effective way to stop malware: Introducing EDR software at the kernel level increases the attack surface of battle-tested kernel code, requires the vendor to publish updated versions for each kernel release (which can take months, delaying security fixes) and/or severely limits compatibility, and risks kernel instability. bcc/eBPF/uprobes are generally read-only: they observe an action rather than gating it, so any response races the action it is meant to stop, and they cannot be loaded from inside an unprivileged container. Library interposition has excellent visibility, is capable of prevention (a hooked call can be denied before it ever reaches the kernel), and runs in the same privilege context as the process it protects, making WhiteBeam a difficult target for privilege escalation attacks.

  2. Given enough eyes, all bugs are shallow: The WhiteBeam client, protocol, and configuration are not obscured. You will not need to reverse engineer our software to guarantee it is as secure as we claim. In contrast with closed source software, we encourage hacking WhiteBeam. We have a bug bounty challenge server, run honeypots with WhiteBeam, and work alongside researchers to discover vulnerabilities. For more information, see the Security Policy.

  3. WhiteBeam is free for non-commercial use: The WhiteBeam client and managed solution are free for non-commercial use and work with local configuration. We separately offer an enterprise management server and support plans for WhiteBeam.

  4. Avoid redundant security: Consider storing the source URL of each whitelist entry in the client database. If the database is compromised and unauthorized entries are added, the attacker can supply a plausible source URL just as easily, so the field was never another line of defense; it only introduces more attack surface. Adding a footnote in the documentation that the source URL isn't trusted is also a bad practice, leading to..

  5. No confusing features or footguns: Advanced acronyms or jargon, features buried in the documentation, and obscure ways to use WhiteBeam are all discouraged. Instead of "FD", use "FileDescriptor". Instead of "envp", use "Environment". Clear, terse code helps security researchers understand and test it wherever possible.
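Principle 1 rests on library interposition being able to deny a call rather than merely observe it. The following is an added example written for this wiki entry, not WhiteBeam's own code: a minimal Linux LD_PRELOAD library that interposes execve() and refuses any program path that is not on an embedded, constructed whitelist. The library name, the whitelist contents and the helper name execguard_allowed are assumptions chosen for illustration.

```c
// Added example (not WhiteBeam's code): a minimal LD_PRELOAD interposer that
// enforces an execve() whitelist inside the calling process's own privilege context.
// Build:  gcc -shared -fPIC -o libexecguard.so execguard.c
// Run:    LD_PRELOAD=./libexecguard.so /bin/sh -c 'ls; /usr/bin/id'
//         -> "ls" runs, "/usr/bin/id" fails with "Permission denied"
#define _GNU_SOURCE
#include <errno.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Constructed whitelist (hypothetical policy, embedded so the example runs offline).
 * Entries are exact paths; a real policy would canonicalize before comparing. */
static const char *const kWhitelist[] = {
    "/bin/ls",
    "/usr/bin/ls",
    "/bin/cat",
    "/usr/bin/cat",
};

/* Policy decision, kept separate from the hook so it can be tested on its own.
 * Returns 1 if the path may be executed, 0 otherwise (NULL is never allowed). */
int execguard_allowed(const char *path)
{
    if (path == NULL)
        return 0;
    for (size_t i = 0; i < sizeof kWhitelist / sizeof kWhitelist[0]; i++)
        if (strcmp(path, kWhitelist[i]) == 0)
            return 1;
    return 0;
}

/* Interposed execve(): with LD_PRELOAD this symbol shadows libc's, so every
 * dynamically linked program in the process calls it. A denied path returns -1
 * with errno = EACCES and never reaches the kernel, which is the prevention
 * property the page contrasts with read-only tracing. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    if (!execguard_allowed(path)) {
        errno = EACCES;
        return -1;
    }
    /* Pass through to the real system call. Using the raw syscall instead of
     * dlsym(RTLD_NEXT, "execve") keeps the example self-contained; for execve
     * the libc wrapper adds nothing the kernel does not already do. */
    return (int)syscall(SYS_execve, path, argv, envp);
}
```

Because the hook holds no privilege beyond the process it runs in, compromising it gains an attacker nothing the process did not already have. Two caveats a practitioner should keep in mind: the comparison above is on the literal path string, so a real policy must canonicalize (realpath) first; and LD_PRELOAD interposition in general does not apply to statically linked binaries or to programs that issue system calls directly, a limitation any interposition-based design has to account for.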
