There is a game called de Blob that has a pretty simple concept: move a blob around a city, run into a puddle of paint, and you turn into that color (or have that color mixed in with your current color). Then when you run into a building, that building assumes the same color. So you're spreading different colors throughout a city, resulting in buildings and blocks hued red, orange, blue, green, etc. Simple but addictive; at least, this is how the free version goes.
I thought about this game after attending a presentation at my local OWASP chapter that discussed the Process Coloring (PDF) project. It's similar to Perl Taint Mode. This project describes assigning a "color" (really a unique identifier) to processes at the syscall level. But I wondered if this could be used at a more abstract web application (e.g. .NET, J2EE, etc.) level when describing the rules of how objects interact.
From this presentation I took away two main advantages to Process Coloring.
- Intrusion Prevention: you assign each process (or object) a color, and define the rules for each color (e.g. red cannot interface with yellow, green can only interface with green, blue and yellow, etc.)
- Analysis: for log analysis, processes and events can be easily (and visually) grouped by color to quickly see the scope of the impact among other things.
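Both points can be sketched at the application level. The following is an added example, not code from the Process Coloring project: the entity names, the red, blue and yellow policy rows, and the rule that a callee takes on its caller's colors (borrowed from the de Blob analogy) are assumptions.

```python
from collections import defaultdict

# Constructed policy: color -> colors it may touch; anything unlisted is denied.
POLICY = {
    "red":    {"red", "blue"},                 # red cannot interface with yellow
    "green":  {"green", "blue", "yellow"},     # green: only green, blue, yellow
    "blue":   {"blue", "green", "yellow", "red"},
    "yellow": {"yellow", "green", "blue"},
}

class ColorMonitor:
    def __init__(self, policy):
        self.policy, self.colors, self.log = policy, {}, []

    def assign(self, entity, color):
        self.colors[entity] = {color}

    def permitted(self, src, dst):
        # Every color src carries must be allowed to touch every color on dst.
        return all(d in self.policy.get(s, set())
                   for s in self.colors[src] for d in self.colors[dst])

    def interact(self, src, dst, action):
        ok = self.permitted(src, dst)
        self.log.append((frozenset(self.colors[src]), src, action, dst, ok))
        if ok:  # assumption: the callee takes on the caller's colors
            self.colors[dst] |= self.colors[src]
        return ok

    def scope(self, color):
        return sorted(e for e, c in self.colors.items() if color in c)

    def events_by_color(self):
        # Group audit records by the colors the acting entity carried.
        groups = defaultdict(list)
        for colors, *event in self.log:
            for c in colors:
                groups[c].append(tuple(event))
        return dict(groups)

def demo():
    m = ColorMonitor(POLICY)
    for entity, color in [("web_frontend", "red"), ("session_svc", "blue"),
                          ("report_job", "green"), ("payroll_svc", "yellow")]:
        m.assign(entity, color)
    calls = [("web_frontend", "payroll_svc"), ("web_frontend", "session_svc"),
             ("report_job", "session_svc"), ("session_svc", "payroll_svc"),
             ("report_job", "payroll_svc")]
    return m, [m.interact(s, d, "call") for s, d in calls]
```

The fourth call shows why the color has to travel: `session_svc` started out blue, but once red has touched it the red rule follows it and the call to `payroll_svc` is refused.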
What is most intriguing to me is being able to use both sides of the brain when it comes to web application security. Visually displaying volumes of data in an easily accessible and searchable way (e.g. the CNN Magic Wall used for election results) is the trend. Along these lines is SecViz; on this topic, a review of the book Applied Security Visualization was posted yesterday at Slashdot. Injecting some creativity into IT security encourages "out of the box" thinking, a valuable asset for discerning items of interest when establishing security, or during an investigation.