A New Era of Zero-Trust Software

By Alexander Gounares

Hackers love bugs.

Behind every major hack—OPM, Equifax, BlueCross, WannaCry, Target, Home Depot, Sony, WhatsApp, you name it—is a bug the hackers exploited. You can’t fix every bug: they’re in your application code, your operating system, your hypervisors and bootloaders; they’re in every configuration and deployment. And, of course, even the humans involved make mistakes from time to time. In fact, pretty often.

Even when software patches are available to fix bugs, you often can’t deploy them right away. Some patches break compatibility; others hurt performance. If the computer is not connected to the Internet, it might not even be possible to patch in a timely way.

As an industry—as a society—we will be plagued by cyberattacks until we learn a new approach to dealing with bugs.

For all of the challenges and human tragedy introduced by the global coronavirus pandemic, the adaptability of humans offers hope. As the business world shifted overnight from office work to working from home, technology managers all over the world wrestled with the dilemma of how to let everyone work both remotely and securely, outside of the (mostly) pristine and controlled walls of the corporate network.

Zero-trust networking came to the rescue.

Zero-trust networking is based on a simple idea: assume the network is hostile. Given that assumption, a number of compelling technologies and companies have blossomed, from remote-authentication and -access technologies such as Zscaler to micro-segmentation from Illumio.

Zero-trust software is also based on a simple idea: assume bugs!

If you assume—correctly—that your software systems and the human processes surrounding them contain bugs and other errors, what can you do about it? The key insight is to invert the model: if you can’t fix every bug, then make the bugs difficult to exploit. This is the core approach of zero-trust software solutions.

Think of the children’s game of dodgeball: two teams and a bouncy ball. If the ball hits a player, that player is out; if the ball is caught, the thrower is out. The last team standing wins. The only way to reliably win that game is to move around. If you stand still, you had better be extremely good at catching!

Traditional software, with its crippling bugs, is like standing still in dodgeball. The hackers know exactly where you are and can aim straight at you. Polymorphic technologies let software move around. Like constantly changing passwords in multi-factor authentication, the technical details of software systems, from memory layouts to script engines, are kept in motion, making it extraordinarily hard for attackers to exploit the bugs.

Some of the most sophisticated and secure technologies on the market use these types of cybersecurity defenses. Google, for example, uses KSPP kernel randomization technology (https://kernsec.org/…/Kernel_Self_Protection_Project), and Intel uses FGKASLR (https://lwn.net/Articles/824307/) to randomize Linux kernels. Notably, one of the most hacked operating systems in the world, Microsoft Windows, does not use modern polymorphic technologies. Not surprisingly, there are seemingly daily breaches of Microsoft Windows. When was the last time google.com was hacked?

Polymorphic technologies don’t have to be limited to elite companies such as Google. Polyverse offers polymorphic defenses for your Linux systems with a simple one-click, fire-and-forget install. The product works on both modern and legacy systems—even unpatched systems more than a decade old.

This is what zero-trust software is all about. Assume there will be bugs and build in fundamental cyber-resiliency that works even with unpatched software and software that has bugs. It’s quick and easy: come see us at https://polyverse.com.
