Posted in: IBM Research-Haifa, Security

It’s always harder to hack a moving target

Fady Copty, Ayman Jarrous

Fady Copty and Ayman Jarrous, senior researchers at IBM Research – Haifa

This blog post was authored by Ayman Jarrous and Fady Copty, research staff members at IBM Research – Haifa.

When it comes to hacking, there are always new techniques being used by both us good guys who work in security, and the bad guys who are trying to exploit system vulnerabilities. Today’s tools are getting better and better at detecting stealthy attacks and identifying the results of an attack. But we hadn’t seen anything practical that could prevent a software attack before it happens. So, we took this on as a challenge and came up with a solution designed to prevent hackers from gaining access.

Return oriented programming, or ROP for short, is a hostile technique used in almost 90 percent of the software attacks. Hackers use ROP to change the control flow of a program by combining gadgets (short pieces of code) that already exist in the system, and execute malicious code. The attacker is familiar with these pieces of code, learns where they are, and then exploits this knowledge to run malicious code.

Our solution is called Anti-Return Oriented Programming, a moving target defense. It’s based on the fact that it’s much harder to attack a moving target. Because the ROP attack depends on the hacker performing a set of actions based on these code pieces and their locations, we decided that moving things around could prevent the attack. By continuously changing the order of certain key elements needed for the attack, we are able to prevent the attack from ever starting.

Think of how a thief might break into a house with the intent of stealing cash and jewelry. Most thieves plan to break the lock on the front door, go through the living room, and then into a bedroom where a safe full of jewelry might be found. They check the obvious places such as drawers and closets, and quickly find what they’re looking for. But what if we could use a different kind of lock and move it to a different place in the house? They may not find it. And even if they managed to find it and break in, if we keep randomly changing the location of the valuables all the time, they probably won’t find them, either.

Normally, the attacker expects to find certain pieces of code in certain locations. With our anti-ROP technique, when they try to give instructions to the software, the programs will randomly switch jobs, changing the code’s location so it’s not where the hacker expects to find it. Because the pieces of code are not in the expected location, the hacker cannot exploit them with the usual strategy. This makes it very difficult for the hacker to take over.

Our solution to mitigate ROP attacks offers a new tactical advantage in overall cybersecurity. And so far, we have had success in initial evaluations.

Our team at IBM Research – Haifa is working closely with colleagues from IBM Security to further test our technology for the Windows 32-bit version. We expect to complete the 64-bit version in the coming months, and look to implement the technology in other operating systems. Next, we will conduct further testing with client use cases.

The AntiROP security is also being incorporated within the SHARCS project, an EU-funded consortium targeted at providing end-to-end security across the hardware and software stack. In this context, antiROP is being used to provide a higher level of protection to systems by preventing hackers from leveraging well-known legacy code to generate attacks.

Contact us if you’re interested in working together to test new use cases.

Comments

Chani Sacharen, Communications Lead, IBM Research-Haifa

Chani Sacharen

IBM Research-Haifa Communications