Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Tuesday January 03 2017, @08:01AM   Printer-friendly
from the how-do-you-debug-it? dept.

As long as humans are writing software, there will be coding mistakes for malicious hackers to exploit. A single bug can open the door to attackers deleting files, copying credit card numbers or carrying out political mischief.

A new program called Shuffler [pdf] tries to preempt such attacks by allowing programs to continuously scramble their code as they run, effectively closing the window of opportunity for an attack. The technique is described in a study [pdf] presented this month at the USENIX Symposium on Operating Systems and Design (OSDI) in Savannah, Ga.

“Shuffler makes it nearly impossible to turn a bug into a functioning attack, defending software developers from their mistakes,” said the study’s lead author, David Williams-King, a graduate student at Columbia Engineering. “Attackers are unable to figure out the program’s layout if the code keeps changing.”

[...] Designed to be user-friendly, Shuffler runs alongside the code it defends, without modifications to program compilers or the computer's operating system. It even randomizes itself to defend against possible bugs in its own code.

The researchers say Shuffler runs faster and requires fewer system changes than similar continuous-randomization software such TASR [pdf] and Remix [pdf], developed at MIT Lincoln Labs and Florida State University respectively.

[...] On computation-heavy workloads, Shuffler slows programs by 15 percent on average, but at larger scales -- a webserver running on 12 CPU cores, for example -- the drop in performance is negligible, the researchers say

[Security through obscurity? --Bytram]


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by requerdanos on Tuesday January 03 2017, @02:25PM

    by requerdanos (5997) Subscriber Badge on Tuesday January 03 2017, @02:25PM (#448904) Journal

    “Attackers are unable to figure out the program’s layout if the code keeps changing.”

    But what about apt-get source the-program?

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 3, Informative) by shipofgold on Tuesday January 03 2017, @02:49PM

    by shipofgold (4696) on Tuesday January 03 2017, @02:49PM (#448913)

    Sourcecode will tell you that a vulnerability exists, but exploiting it typically needs to manipulate the compiled binary. For example a stack overflow attack typically puts machine code into a variable which ends up overwriting the return value and jumping into some other portion of the code.

    If the code is shuffled that type of attack will be mitigated since the return address will be changing.

    This will certainly not eliminate all types of attacks, but those that rely on the manipulating the compiled binary code may be helped.