Polymorphing for Linux Documentation — FAQ

What Is Polymorphing for Linux?

Polymorphing for Linux is the only cybersecurity product proven by the U.S. Department of Defense to mitigate known and unknown memory-based exploits. Polymorphing for Linux is a zero-trust software solution that randomizes and hardens open-source Linux distributions. By randomizing memory specifics of an application, crafted exploits targeting a specific memory vulnerability simply will not work, even when the application is left unpatched. This is accomplished with no operational impact or runtime overhead. With Polymorphing in place, you can trust nothing and protect everything.

What is zero trust software?

Zero trust software is a cybersecurity defense philosophy that provides intrinsic cyber protection even when the software under attack has bugs, misconfigurations, supply-chain attacks, and is behind on patches.

How is Polymorphing for Linux different from ASLR?

ASLR focuses on offsetting the relative base address for the program’s memory. This tactic can be defeated by the attacker figuring out the offset, and then adjusting all of their calculations by that value. Our scrambling compiler does not simply offset the base address for the program’s memory, it completely changes the memory footprint of the binary, such as what registers are being used, where functions live, and where return and jump instructions land. This is all done while maintaining semantic equivalence with the original stock binary, which means that ASLR can also be used on a scrambled binary.

ASLR is a linear change of address, meaning that an attacker only needs to guess one number. We reorder blocks in memory, and we order functions in memory. Mathematically, you can’t reverse our code into something you can hijack.

What versions of Linux do you support?

Polymorphing for Linux is available for platforms that are compatible with the following Linux distributions:

• Alpine v3.9 - v3.12
• CentOS v6 - v8
• Debian Stretch (v9) and Buster (v10)
• Oracle Linux v7
• Red Hat v6 - v8
• SUSE Linux Enterprise Server v15.1, v15.2
• Ubuntu Xenial (v16.04), Bionic (v18.04) and Focal (20.04)

How often are the packages in your repositories re-scrambled and updated?

Every downloaded package is unique to the specific customer, and each used package is garbage-collected and replaced every 24 hours.

What is the meaning of “Polyverse”?

"Polyverse" is a term from quantum physics. Specifically, it is a multiverse of multiverses. A multiverse is the idea of parallel universes (see https://en.wikipedia.org/wiki/Multiverse). Particularly, in a polyverse of multiverses, the different universes may have different physics. We chose Polyverse as the name of our company to represent the idea of creating extreme diversity from a single starting-point.

What is Polyverse, and what does Polyverse do?

Polyverse is a cybersecurity provider that protects clients' systems with its zero-trust software solutions. Polyverse's flagship product, Polymorphing for Linux, randomizes and hardens open-source Linux distributions through Moving Target Defense-based technologies. With Polymorphing for Linux get a unique version of your operating system that automatically protects the full Linux stack, all 70,000+ open-source projects on Linux, from Apache to Zsh, Java to Ruby, with no change to your application performance or scale.

Who are your main competitors?

Moving Target Defense has been extensively researched in academia for more than 20 years and found to be extremely effective. MIT recently published a very thorough survey of the academic work in this area; you can find it here.

Polyverse is the leading provider of Moving Target Defense technologies—we operate at an unrivaled scale, creating millions of unique versions of Linux daily.

Is Polymorphing for Linux effective?

Overall, our technology addresses memory-based attacks—both fileless attacks as well as any on-disk attack that relies on a memory error to trigger the injection.

More specifically, Polymorphing for Linux will stop any attack that relies on exploiting errors such as stack and buffer overflows, stack/heap clashes, integer overflow, use-after-free, and Spectre-style instruction pipeline exploits . To exploit these, the attacker needs to know some of the technical details of the target system, such as what data is in what registers, locations of specific assembly instructions, and so on.

In terms of common vulnerabilities and exposures (CVE), there is both an easy answer and a slightly more complex answer to how Polyverse foils these attackers.

The easy answer is that we stop everything in the code-execution, overflow, and memory-corruption categories.

The more complex answer is that, although it is a tremendous resource, the CVE database is extremely messy. If you go through each CVE by hand (and we do from time to time), you will find CVEs that are either miscategorized or belong to multiple categories. For example, some of the “gain privileges” or “bypass something” categories are enabled by an underlying buffer-overflow error.

The net effect is that we actually end up protecting more than just the three “easy” categories. In our last “by-hand” detailed analysis of every CVE, we found that we addressed two-thirds of those considered to be of critical severity.

We have new technologies such as Polyscripting that address script-injection errors on a language-by-language basis (e.g., we stopped the recent issue with WordPress and the GDPR plugin). Script-injection errors tend to span many CVE categories as well.

Bottom line: we don’t stop everything. But what we do stop, we stop very effectively, and we do it in as easy a way as possible. Simply use our package repository instead of the open-source lottery of random servers in the world. It’s a quick, one-time, fire-and-forget installation.

How does our custom compiler compare/differ from the stock compilers being used to build our supported Linux distributions?

Alpine - Based on GCC 6
CentOS - Based on GCC 4
Ubuntu - Based on GCC 5

Does Polyverse give me logs/metrics/data?

Polymorphing for Linux packages are semantically equivalent to the standard, non-scrambled binaries that have been used in the past. Functionality-wise, it's just Linux. Thus all of the current logging, analytics, and other software and configuration management tools you current use will continue to work unmodified. Even better, since Polyverse stops all memory-based attacks, these failed hacks will show up in standard logging mechanisms (e.g., syslog) rather than silently succeeding.

We created an open source detection agent Zerotect to detect these attacks in the wild. Zerotect is currently integrated with several tools like ArcSight and PagerDuty for unparalleled visibility through your SIEM.

How do I get started?

You can get familiar with our software by checking out our scenarios; or you can see a demo by contacting us.

Do you have documentation, videos, demos?

Yes, we do! You can find this information on our resources page. You can also contact us for more information at info@polyverse.com.

Can you share an example of a breach that could have been prevented through Moving Target Defense?

StackClash: A Linux attack where the idea is to bypass traditional defenses by causing a program to have the stack join up near the heap. You can have the heap and stack grow up and down where they adjoin each other, making it possible to hop from the stack into the heap. At this point you can bypass traditional ASLR and stack guards, and directly run attacks using ROP and other gadgets. This attack is especially harsh because it can be performed over the wire. The vulnerability can be exploited solely by sending traffic to a machine. However, like WannaCry, it fundamentally relies on knowing attributes of a target system to exploit. So, zero-trust software technologies like Polymorphing completely prevent this type of attack

Can pre-compiled binaries be scrambled on Windows?

In a way, yes: we call it binary-to-binary scrambling. There is a feature of x86 code where certain instructions are only dynamically resolvable (not resolvable unless they are running). Basically, we have to run a JIT compiler to observe things before we can make a correct assertion on them. We cannot look at static x86 code and make a proper assertion on that block, because it could have dynamically executable code, so our compiler has to observe the executable during live execution for this to work.

Do we need to recompile to take advantage of Polymorphing for Linux?

No. Simply run the install script and go. The install script merely points your system’s package repository to Polyverse’s package repository.

Which languages are supported?

We support all major programming languages, including:

• C/C++
• Python
• Go
• Ruby
• NodeJS/JavaScript
• PHP
• Java

If you do not know the hashes of a binary ahead of time, then how will you be able to verify that the binary has not been modified by a malicious party?

There are several ways that we can be certain that the binary has not been maliciously modified. One assumption that we will make is that you have configured your nodes so that they always point to the Polyverse scrambled-binary repository.

• Each package served through the repository has a hash signature in an index file, so you should always know the hashes ahead of time.
• Each index file is signed by us, so the chain of trust goes: polyverse key >> signed repository index >> hashes of packages >> download package, verify hash matches.

Do you provide modified binaries for ElasticSearch's ELK stack (elasticsearch, logstash, kibana)?

We do provide scrambled ELK binaries, but currently only as part of a custom deal. Our self-service product is the base OS + a subset of EPEL.

Why is this solution better than existing ones?

Can you identify any existing technology that caught, or would have caught, the following bugs?

• Intel’s Management Engine vulnerability
• Heartbleed
• The SystemD buffer-overrun flaw
• WannaCry

What do you guys really stop?

ROP gadgets, control flow, changing of control flow—these result to buffer overruns, change after free, bad pointers—basically whatever ASLR should have stopped, we stop to a far higher degree.

Is Polyverse licensing per VM that will use the packages? What about “dev” VMs? Is it only for production VMs that are shipped?

Your Polyverse license key to use across your network.

Polymorphing for Linux is too complex—we don’t want to use compilers and have to compile everything. Is there an easier way?

Yes, there is an easier way! Polymorphing for Linux product is delivered via our scrambled binary repositories in the same way that you would normally download your OS from the web. We have a custom installation script that sets Polyverse’s repository as your primary repository for the supported Linux distribution. Once you reinstall your packages, or install any new packages, the scrambling is already done for you with no changes to process or interoperability.

What if the solution is implemented on an isolated company network? How will the licenses will work? Will there be any offline updates?

A number of Polyverse customers work on isolated and/or air-gapped networks. Since we distribute through the standard package repository mechanisms, existing tools such as apt-mirror (Ubuntu) and reposync (CentOS) work well. We leverage the standard mechanisms (package manager, etc.) that are used by the existing operating systems so that Polymorphing for Linux packages, updates, and patches will always be able to be accessed on that isolated network. The only change is that Polyverse becomes the upstream root.

We also provide our Polymorphic Build Farm product, where you can get unprecedented insight and visibility into your software supply chain. The Polymorphic Build Farm builds the entire Linux ecosystem, from the bootloader to the kernel and your apps in less than two hours. Ultimately, giving you full supply-chain integrity over every bit of software in your system.

Contact us and we can help get this set up.

How does a Polyverse’s scrambling technology differ from out-of-the-box memory, page, and sysrq kernel protections?

Polymorphing for Linux scrambles binaries with a much finer grained resolution than ASLR, which only requires disclosure of only a single unknown value to defeat it.

Can you debug Polymorphed binaries?

Yes, however our recommended first step is to uninstall the Polymorphed binaries and try to reproduce the bug. We have yet to see a bug that only occurs in the Polymorphed version of a package. If you cannot reproduce the bug with the stock binaries, contact support@polyverse.com, and we'll respond within 24 hours.

Can you debug Polymorphed kernels?

As with Polymorphed binaries, our recommended first step is to uninstall the Polymorphed kernel and try to reproduce the bug. Kernels from the distros we support don't come with debug symbols, so when you reproduce the bug, you should contact the distribution company. If you cannot reproduce the bug with the stock kernel, contact support@polyverse.com, and we'll respond within 24 hours.