Solution to JIT-ROP cyber attacks: Scramble code quickly

Shuffling software code around can stop hackers’ exploits, a research team says. And better, faster versions of the scrambling are the future of computer defense.

Solution to JIT-ROP cyber attacks: scramble code quickly

A new software development technique promises to end destructive exploits from hackers. The concept is to continually, and repeatedly, rearrange the program’s code while it’s running—and do it very quickly. Doing that shuts down the hacker’s “window of opportunity” because he doesn’t know where to find bugs to hit with his poisonous attack. The scrambling occurs over milliseconds.

Code reuse attacks are the kind of harmful exploits that can be stopped dead in their tracks, researchers say in an article on Columbia University’s website.

Shuffler, as the new cybersecurity program is called, “continuously re-randomizes code-locations” so that Just-in-Time Return-Oriented Programming (JIT-ROP) attacks can’t take place. Those attacks are where memory disclosures are used to discover buggy, exploitable code during runtime, the scientists explain in their paper (pdf).

+ Also on Network World: IBM sets up test range to practice fighting nightmare cyber battles safely +

A similar technique, one of rearranging memory when a program launches, called Address Space Layout Randomization (ASLR) had been used successfully to confuse hacks in the past.

However, the usual bugs in code have provided an entry for rancorous exploits. The researchers say software typically contains 50 mistakes for every 1,000 lines of code.

Hackers get around ASLR through exploitation of those errors. It’s something ASLR doesn’t stop.  

“Hackers soon discovered they could exploit memory disclosure bugs to grab code fragments once the program was already running,” the Columbia University article says.

How Shuffler works

The researchers' invention promises to end that. Shuffler takes ASLR’s randomizing and super-charges it by mixing up code every 20 to 50 milliseconds. That’s a deadline to a hacker’s work. Any information gleaned by the hacker from a server is out of date already by the time the ne’er do well gets it.

By the time the actor can act, “Shuffler has already relocated the respective code snippets to different memory locations,” says study co-author Vasileios Kemerlis, of Brown University, in the article.

Something else that’s clever about it is that the Shuffler software randomizes itself while running alongside the program it’s coddling. Hackers shouldn’t be able to get in that way, either.

The researchers say their system works better than anything that has been tried before in the same vein, such as MIT Lincoln Labs' continuously randomizing TASR and Florida State University’s Remix. They’re too slow and need too many system changes, they say.

Slowness is indeed a drawback to all of these kinds of programs. The physical act of the arrangement takes time. Shuffler slows things down 15 percent on average unless one uses copious computer power, the researchers say. Servers running 12 cores improve matters, they say.

The researchers say they still have a bit of work to do before they’re ready to release Shuffler. One vulnerability still not fully resolved is related to server-crash exploits.

“Billions of lines of vulnerable code are out there,” says study senior author, Junfeng Yang, of Columbia and member of the Data Science Institute, talking of the penetration route that hackers use to get in.

A final version of Shuffler could avoid the need to find all those bugs.

Copyright © 2016 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022