SoylentNews is people
SoylentNews
As long as humans are writing software, there will be coding mistakes for malicious hackers to exploit. A single bug can open the door to attackers deleting files, copying credit card numbers or carrying out political mischief.
A new program called Shuffler [pdf] tries to preempt such attacks by allowing programs to continuously scramble their code as they run, effectively closing the window of opportunity for an attack. The technique is described in a study [pdf] presented this month at the USENIX Symposium on Operating Systems and Design (OSDI) in Savannah, Ga.
“Shuffler makes it nearly impossible to turn a bug into a functioning attack, defending software developers from their mistakes,” said the study’s lead author, David Williams-King, a graduate student at Columbia Engineering. “Attackers are unable to figure out the program’s layout if the code keeps changing.”
[...] Designed to be user-friendly, Shuffler runs alongside the code it defends, without modifications to program compilers or the computer's operating system. It even randomizes itself to defend against possible bugs in its own code.
The researchers say Shuffler runs faster and requires fewer system changes than similar continuous-randomization software such TASR [pdf] and Remix [pdf], developed at MIT Lincoln Labs and Florida State University respectively.
[...] On computation-heavy workloads, Shuffler slows programs by 15 percent on average, but at larger scales -- a webserver running on 12 CPU cores, for example -- the drop in performance is negligible, the researchers say
[Security through obscurity? --Bytram]
(Score: 5, Interesting) by FatPhil on Tuesday January 03 2017, @09:47AM
And what will it do to binaries which massively fork (in order to protect different parts of the program from each other, such as separate tabs in a browser)? Currently, all of the executable pages (a) are shared, and (b) don't need to be swapped, as they can be reread from the original binary. If each process mutates independently of each other, which is what "allowing programs to continuously scramble their code as they run" says to me, then this will massively increase RAM pressure, and when swapping kicks in, it'll kick in harder than it ever has before. I'm quickly persuading myself this is worse than useless.
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: -1, Flamebait) by Anonymous Coward on Tuesday January 03 2017, @01:58PM
I'm quickly persuading myself you don't know what you are talking about.
(Score: 0) by Anonymous Coward on Tuesday January 03 2017, @02:03PM
RAM is dirt cheap. Sure this isn't appropriate in every situation. But any professional developer would already know that no tool works for every problem.
(Score: 3, Insightful) by Pino P on Tuesday January 03 2017, @02:52PM
RAM is dirt cheap. Sure this isn't appropriate in every situation.
And here are a couple examples of where it is likely not to be.
If the software is server-side: VPS operators, such as Amazon EC2, charge more for virtual machines with more RAM.
If the software is client-side: Home and small business users are often unwilling to pay for DIMMs and installation labor just to be able to use security updates. It's even worse if they'd have to buy a whole new machine because an existing machine has soldered-in RAM or is already using the largest DIMMs its chipset can recognize. Finally, numerous platforms offer no means of dynamic recompilation because their W^X policy prohibits a third-party application from allocating a writable page then flipping it from writable to executable. These reportedly include Windows Store, iOS, and video game consoles.
(Score: -1, Troll) by Anonymous Coward on Tuesday January 03 2017, @03:17PM
(Score: 0) by Anonymous Coward on Tuesday January 03 2017, @05:04PM
Why are you so interested in focusing on the places where it is not practical?
What's the point?
Why not focus on the places where it is practical?
Or even technologies that would make it more practical, like memory dedupe? [wikipedia.org]
Any fool can tear shit down. It takes knowledge and effort to build something useful.
(Score: 3, Insightful) by Pino P on Wednesday January 04 2017, @03:40AM
Why are you so interested in focusing on the places where it is not practical?
Because one of my jobs involves developing software for the devices that customers have, not the devices I wish they had. Thus I must squeeze software into a very small amount of memory.
technologies that would make it more practical, like memory dedupe
The objection is that Shuffler makes memory dedupe ineffective.