Polymorphing for Linux is the only cybersecurity product proven by the U.S. Department of Defense to stop 100 percent of zero-day, memory-based exploits. Polymorphing for Linux randomizes and hardens open-source Linux distributions, using Moving-Target Defense technology. By randomizing memory specifics of an application, crafted exploits targeting a specific memory vulnerability simply will not work, even when the application is left unpatched. Additionally, Polyverse leverages continuous deployment so you can receive new scrambled binaries every 12 hours. No patch? No problem. The system is already protected.
ASLR focuses on offsetting the relative base address for the program’s memory. This tactic can be defeated by the attacker figuring out the offset, and then adjusting all of their calculations by that value. Our scrambling compiler does not simply offset the base address for the program’s memory, it completely changes the memory footprint of the binary, such as what registers are being used, where functions live, and where return and jump instructions land. This is all done while maintaining semantic equivalence with the original stock binary, which means that ASLR can also be used on a scrambled binary.
ASLR is a linear change of address, meaning that an attacker only needs to guess one number. We reorder blocks in memory, and we order functions in memory. Mathematically, you can’t reverse our code into something you can hijack.
Polymorphing for Linux is available for platforms that are compatible with the following Linux distributions:
Every downloaded package is unique to the specific customer, and each used package is garbage-collected and replaced every 24 hours.
"Polyverse" is a term from quantum physics. Specifically, it is a multiverse of multiverses. A multiverse is the idea of parallel universes (see https://en.wikipedia.org/wiki/Multiverse). Particularly, in a polyverse of multiverses, the different universes may have different physics. We chose Polyverse as the name of our company to represent the idea of creating extreme diversity from a single starting-point.
Polyverse is a cybersecurity solutions provider that protects clients’ systems with its Polymorphing for Linux program. The program randomizes and hardens open-source Linux distributions using Moving Target Defense technologies that are extraordinarily difficult for attackers to penetrate. Polymorphing for Linux automatically protects the full Linux stack, all 70,000+ open-source projects on Linux, from Apache to Zsh, Java to Ruby, with no change to your application performance or scale.
Moving Target Defense has been extensively researched in academia for more than 20 years and found to be extremely effective. MIT recently published a very thorough survey of the academic work in this area; you can find it here.
Polyverse is the leading provider of Moving Target Defense technologies—we operate at an unrivaled scale, creating millions of unique versions of Linux daily.
Overall, our technology addresses memory-based attacks—both fileless attacks as well as any on-disk attack that relies on a memory error to trigger the injection.
More specifically, Polymorphing for Linux will stop any attack that relies on exploiting errors such as stack and buffer overflows, stack/heap clashes, integer overflow, use-after-free, and Spectre-style instruction pipeline exploits . To exploit these, the attacker needs to know some of the technical details of the target system, such as what data is in what registers, locations of specific assembly instructions, and so on.
In terms of common vulnerabilities and exposures (CVE), there is both an easy answer and a slightly more complex answer to how Polyverse foils these attackers.
The easy answer is that we stop everything in the code-execution, overflow, and memory-corruption categories.
The more complex answer is that, although it is a tremendous resource, the CVE database is extremely messy. If you go through each CVE by hand (and we do from time to time), you will find CVEs that are either miscategorized or belong to multiple categories. For example, some of the “gain privileges” or “bypass something” categories are enabled by an underlying buffer-overflow error.
The net effect is that we actually end up protecting more than just the three “easy” categories. In our last “by-hand” detailed analysis of every CVE, we found that we addressed two-thirds of those considered to be of critical severity.
We have new technologies such as Polyscripting that address script-injection errors on a language-by-language basis (e.g., we stopped the recent issue with WordPress and the GDPR plugin). Script-injection errors tend to span many CVE categories as well.
Bottom line: we don’t stop everything. But what we do stop, we stop very effectively, and we do it in as easy a way as possible. Simply use our package repository instead of the open-source lottery of random servers in the world. It’s a quick, one-time, fire-and-forget installation.
Alpine - Based on GCC 6
CentOS - Based on GCC 4
Ubuntu - Based on GCC 5
Polymorphing for Linux packages are semantically equivalent to the standard, non-scrambled binaries that have been used in the past. Functionality-wise, it’s just Linux.
Thus all of the current logging, analytics, and other software and configuration management tools you current use will continue to work unmodified. Even better, since Polyverse stops all memory-based attacks, these failed hacks will show up in standard logging mechanisms (e.g., syslog) rather than silently succeeding.
You can get familiar with our software by checking out our demos; or you can purchase a subscription by contacting us. This means access to your own private repositories, and one new set of scrambled binaries every 24 hours!
StackClash: A Linux attack where the idea is to bypass traditional defenses by causing a program to have the stack join up near the heap. You can have the heap and stack grow up and down where they adjoin each other, making it possible to hop from the stack into the heap. At this point you can bypass traditional ASLR and stack guards, and directly run attacks using ROP and other gadgets. This attack is especially harsh because it can be performed over the wire. The vulnerability can be exploited solely by sending traffic to a machine. However, like WannaCry, it fundamentally relies on knowing attributes of a target system to exploit. So Moving Target Defense techniques completely prevent this type of attack.
In a way, yes: we call it binary-to-binary scrambling. There is a feature of x86 code where certain instructions are only dynamically resolvable (not resolvable unless they are running). Basically, we have to run a JIT compiler to observe things before we can make a correct assertion on them. We cannot look at static x86 code and make a proper assertion on that block, because it could have dynamically executable code, so our compiler has to observe the executable during live execution for this to work.
No. Simply run the install script and go. The install script merely points your system’s package repository to Polyverse’s package repository.
We support all major programming languages, including:
There are several ways that we can be certain that the binary has not been maliciously modified. One assumption that we will make is that you have configured your nodes so that they always point to the Polyverse scrambled-binary repository.
We do provide scrambled ELK binaries, but currently only as part of a custom deal. Our self-service product is the base OS + a subset of EPEL.
Identify any existing technology that caught, or would have caught, the following bugs:
Rop gadgets, control flow, changing of control flow—these result to buffer overruns, change after free, bad pointers—basically whatever ASLR should have stopped, we stop to a far higher degree.
The core “per node” licensing: a node is one virtual machine instance or one two-socket physical server.
Licenses are portable—what matters is the number of active nodes using Polyverse at any given time. It’s OK, for instance, for a base VM image to install Polyverse, and then a new instance of that VM is created daily. This is meant to encourage folks to recycle and reset their instances as frequently as possible.
Yes! Polymorphing for Linux product is mainly provided via our scrambled binary repositories. A customer can use our installation script to set our repository as their primary repository for their supported Linux distribution. Once they reinstall their packages, or install any new packages, the scrambling is done for them already.
A number of Polyverse customers work on isolated and/or air-gapped networks. Since we distribute through the standard package repository mechanisms, existing tools such as apt-mirror (Ubuntu) and reposync (CentOS) work well. We leverage the standard mechanisms (package manager, etc.) that are used by the existing operating systems so that Polymorphing for Linux packages, updates, and patches will always be able to be accessed on that isolated network. The only change is that Polyverse becomes the upstream root.
Contact us and we can help get this set up.
P Polymorphing for Linux scrambles binaries with a much finer grained resolution than ASLR, which only requires disclosure of only a single unknown value to defeat it.
Yes, however our recommended first step is to uninstall the Polymorphed binaries and try to reproduce the bug. We have yet to see a bug that only occurs in the Polymorphed version of a package. If you cannot reproduce the bug with the stock binaries, contact firstname.lastname@example.org, and we'll respond within 24 hours.
As with Polymorphed binaries, our recommended first step is to uninstall the Polymorphed kernel and try to reproduce the bug. Kernels from the distros we support don't come with debug symbols, so when you reproduce the bug, you should contact the distribution company. If you cannot reproduce the bug with the stock kernel, contact email@example.com, and we'll respond within 24 hours.