Polyverse’s Polymorphic versions of popular Linux distribution protect against memory-based cyberattacks, such as buffer overflows, ROP attacks, and even hardware-based exploits like Spectre.
More than two-thirds of the vulnerabilities disclosed in 2017 were exploitable by memory-based cyberattacks. Polyverse mitigates all of them.
Polyverse’s polymorphic versions of popular Linux distributions work on a very simple idea: provide identical functionality to the standard Linux distributions, but with binaries that are thoroughly scrambled.
A scrambled binary is a standard ELF binary for the appropriate chipset (e.g., x86). There is no obfuscation or encryption, it’s just a binary. However, by scrambling, details of that binary are different than the standard binary distributions.
For example, Polyverse changes the location of functions with a binary (e.g., shared library (dlls), executables, etc.): which registers are being used, the layout of import tables, and so forth. The net result is a binary where nearly every line of machine code is different.
See our website for more information on Polyverse’s polymorphic process.
The net effect of these changes is to mitigate any cyberattacks that rely on knowing details of the target binary. These attack techniques include (but are not limited to):
· Buffer overflow: https://en.wikipedia.org/wiki/Buffer_overflow
· Integer overflow: https://sploitfun.wordpress.com/2015/06/23/integer-overflow/
· Stack/heap clash: https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash
· ROP attacks (return oriented programming):https://en.wikipedia.org/wiki/Return-oriented_programming
· JOP attacks (jump oriented programming):http://blog.polyverse.com/wp-content/uploads/2018/04/asiaccs11.pdf
· Return-to-libc: https://en.wikipedia.org/wiki/Return-to-libc_attack
Essentially, each of these attack techniques relies on two fundamental pieces:
1. A software bug.
2. Detailed knowledge of the binary layout and memory usage of the victim; e.g., specific instruction sequences for ROP gadgets, what data is in what register, and so forth.
Overall, these account for approximately 70% of all of high-severity vulnerabilities (CVSS score 8 or greater) that are exploitable by memory-based attacks according to the data on CVEDetails.com. The vulnerability categories of “executive arbitrary code, memory corruption, and overflow vulnerabilty” are directly mitigated by Polyverse technologies.
Even when expanded out to all vulnerabilities, memory-based vulnerabilities still represent approximately half of all vulnerabilities since 1999.
Figure 1 CVEDetails.com: Vulnerabilities by type since 1999
The following writeups have more specific information on how Polyverse mitigates specific memory-based exploits:
1. Defeating Spectre: https://blog.polyverse.com/immunize-against-spectre-78c53985fb01/
2. Readhook Zero Day Simulator: https://blog.polyverse.com/an-intentional-buffer-overflow-hmm-5c357238b687/, with a corresponding video demo at: https://vimeo.com/259626547
3. Kernel based ROP analysis: https://blog.polyverse.com/envisen-your-kernel-3f41198af1ad/
4. Tutorial on ROP based attacks, including the EnVizen analysis tool: https://blog.polyverse.com/lets-craft-some-real-attacks-8efac7b3df90/