Polymorphing for Linux is the only cybersecurity product proven by the U.S. Department of Defense to mitigate known and unknown memory-based exploits. Polymorphing for Linux is a zero-trust software solution that randomizes and hardens open-source Linux distributions. By randomizing memory specifics of an application, crafted exploits targeting a specific memory vulnerability simply will not work, even when the application is left unpatched. This is accomplished with no operational impact or runtime overhead. With Polymorphing in place, you can trust nothing and protect everything.
Zero trust software is a cybersecurity defense philosophy that provides intrinsic cyber protection even when the software under attack has bugs, misconfigurations, supply-chain attacks, and is behind on patches.
ASLR focuses on offsetting the relative base address for the program’s memory. This tactic can be defeated by the attacker figuring out the offset, and then adjusting all of their calculations by that value. Our scrambling compiler does not simply offset the base address for the program’s memory, it completely changes the memory footprint of the binary, such as what registers are being used, where functions live, and where return and jump instructions land. This is all done while maintaining semantic equivalence with the original stock binary, which means that ASLR can also be used on a scrambled binary.
ASLR is a linear change of address, meaning that an attacker only needs to guess one number. We reorder blocks in memory, and we order functions in memory. Mathematically, you can’t reverse our code into something you can hijack.
Polymorphing for Linux is available for platforms that are compatible with the following Linux distributions:
Every downloaded package is unique to the specific customer, and each used package is garbage-collected and replaced every 24 hours.
"Polyverse" is a term from quantum physics. Specifically, it is a multiverse of multiverses. A multiverse is the idea of parallel universes (see https://en.wikipedia.org/wiki/Multiverse). Particularly, in a polyverse of multiverses, the different universes may have different physics. We chose Polyverse as the name of our company to represent the idea of creating extreme diversity from a single starting-point.
Polyverse is a cybersecurity provider that protects clients' systems with its zero-trust software solutions. Polyverse's flagship product, Polymorphing for Linux, randomizes and hardens open-source Linux distributions through Moving Target Defense-based technologies. With Polymorphing for Linux get a unique version of your operating system that automatically protects the full Linux stack, all 70,000+ open-source projects on Linux, from Apache to Zsh, Java to Ruby, with no change to your application performance or scale.
Moving Target Defense has been extensively researched in academia for more than 20 years and found to be extremely effective. MIT recently published a very thorough survey of the academic work in this area; you can find it here.
Polyverse is the leading provider of Moving Target Defense technologies—we operate at an unrivaled scale, creating millions of unique versions of Linux daily.
Overall, our technology addresses memory-based attacks—both fileless attacks as well as any on-disk attack that relies on a memory error to trigger the injection.
More specifically, Polymorphing for Linux will stop any attack that relies on exploiting errors such as stack and buffer overflows, stack/heap clashes, integer overflow, use-after-free, and Spectre-style instruction pipeline exploits . To exploit these, the attacker needs to know some of the technical details of the target system, such as what data is in what registers, locations of specific assembly instructions, and so on.
In terms of common vulnerabilities and exposures (CVE), there is both an easy answer and a slightly more complex answer to how Polyverse foils these attackers.
The easy answer is that we stop everything in the code-execution, overflow, and memory-corruption categories.
The more complex answer is that, although it is a tremendous resource, the CVE database is extremely messy. If you go through each CVE by hand (and we do from time to time), you will find CVEs that are either miscategorized or belong to multiple categories. For example, some of the “gain privileges” or “bypass something” categories are enabled by an underlying buffer-overflow error.
The net effect is that we actually end up protecting more than just the three “easy” categories. In our last “by-hand” detailed analysis of every CVE, we found that we addressed two-thirds of those considered to be of critical severity.
We have new technologies such as Polyscripting that address script-injection errors on a language-by-language basis (e.g., we stopped the recent issue with WordPress and the GDPR plugin). Script-injection errors tend to span many CVE categories as well.
Bottom line: we don’t stop everything. But what we do stop, we stop very effectively, and we do it in as easy a way as possible. Simply use our package repository instead of the open-source lottery of random servers in the world. It’s a quick, one-time, fire-and-forget installation.
Alpine - Based on GCC 6
CentOS - Based on GCC 4
Ubuntu - Based on GCC 5
Polymorphing for Linux packages are semantically equivalent to the standard, non-scrambled binaries that have been used in the past. Functionality-wise, it's just Linux. Thus all of the current logging, analytics, and other software and configuration management tools you current use will continue to work unmodified. Even better, since Polyverse stops all memory-based attacks, these failed hacks will show up in standard logging mechanisms (e.g., syslog) rather than silently succeeding.
We created an open source detection agent Zerotect to detect these attacks in the wild. Zerotect is currently integrated with several tools like ArcSight and PagerDuty for unparalleled visibility through your SIEM.
StackClash: A Linux attack where the idea is to bypass traditional defenses by causing a program to have the stack join up near the heap. You can have the heap and stack grow up and down where they adjoin each other, making it possible to hop from the stack into the heap. At this point you can bypass traditional ASLR and stack guards, and directly run attacks using ROP and other gadgets. This attack is especially harsh because it can be performed over the wire. The vulnerability can be exploited solely by sending traffic to a machine. However, like WannaCry, it fundamentally relies on knowing attributes of a target system to exploit. So, zero-trust software technologies like Polymorphing completely prevent this type of attack
In a way, yes: we call it binary-to-binary scrambling. There is a feature of x86 code where certain instructions are only dynamically resolvable (not resolvable unless they are running). Basically, we have to run a JIT compiler to observe things before we can make a correct assertion on them. We cannot look at static x86 code and make a proper assertion on that block, because it could have dynamically executable code, so our compiler has to observe the executable during live execution for this to work.
No. Simply run the install script and go. The install script merely points your system’s package repository to Polyverse’s package repository.
We support all major programming languages, including:
There are several ways that we can be certain that the binary has not been maliciously modified. One assumption that we will make is that you have configured your nodes so that they always point to the Polyverse scrambled-binary repository.
We do provide scrambled ELK binaries, but currently only as part of a custom deal. Our self-service product is the base OS + a subset of EPEL.
Can you identify any existing technology that caught, or would have caught, the following bugs?
ROP gadgets, control flow, changing of control flow—these result to buffer overruns, change after free, bad pointers—basically whatever ASLR should have stopped, we stop to a far higher degree.
Your Polyverse license key to use across your network.
Yes, there is an easier way! Polymorphing for Linux product is delivered via our scrambled binary repositories in the same way that you would normally download your OS from the web. We have a custom installation script that sets Polyverse’s repository as your primary repository for the supported Linux distribution. Once you reinstall your packages, or install any new packages, the scrambling is already done for you with no changes to process or interoperability.
A number of Polyverse customers work on isolated and/or air-gapped networks. Since we distribute through the standard package repository mechanisms, existing tools such as apt-mirror (Ubuntu) and reposync (CentOS) work well. We leverage the standard mechanisms (package manager, etc.) that are used by the existing operating systems so that Polymorphing for Linux packages, updates, and patches will always be able to be accessed on that isolated network. The only change is that Polyverse becomes the upstream root.
We also provide our Polymorphic Build Farm product, where you can get unprecedented insight and visibility into your software supply chain. The Polymorphic Build Farm builds the entire Linux ecosystem, from the bootloader to the kernel and your apps in less than two hours. Ultimately, giving you full supply-chain integrity over every bit of software in your system.
Contact us and we can help get this set up.
Polymorphing for Linux scrambles binaries with a much finer grained resolution than ASLR, which only requires disclosure of only a single unknown value to defeat it.
Yes, however our recommended first step is to uninstall the Polymorphed binaries and try to reproduce the bug. We have yet to see a bug that only occurs in the Polymorphed version of a package. If you cannot reproduce the bug with the stock binaries, contact firstname.lastname@example.org, and we'll respond within 24 hours.
As with Polymorphed binaries, our recommended first step is to uninstall the Polymorphed kernel and try to reproduce the bug. Kernels from the distros we support don't come with debug symbols, so when you reproduce the bug, you should contact the distribution company. If you cannot reproduce the bug with the stock kernel, contact email@example.com, and we'll respond within 24 hours.