A Silver Bullet for Application Security?
Symantec teams up with universities on a research project to make code more secure.
Insecure code often sits as the root cause for application vulnerabilities and exploitation.
What if you could prevent that insecure code from ever being a risk?
In the future, it just might be possible to wrap insecure code with protection that will mitigate risk and help prevent exploitation. That's the goal of a research effort that Symantec's research labs are currently engaged in, known as MINESTRONE.
"The acronym doesn't mean anything actually, so don't try and figure out what the acronym stands for," Marc Dacier, Senior Director at Symantec Research Labs told InternetNews.com. "It's a joint research project with people from Columbia University, George Mason, and Stanford University."
Dacier explained that the general idea behind MINESTRONE is to help protect against vulnerabilities in applications. The software can have vulnerabilities that have not yet been found, but that could potentially be discovered at a future point and leveraged for exploitation.
Symantec's piece of the MINESTRONE effort is focused on C programs, running on Linux machines in particular.
"The approach we have developed is that we take advantage of diversification techniques," Dacier said.
He added that each of the research partners have developed different techniques to protect code and make it more secure by wrapping something around it or via instrumentation.
"We combine all these techniques to eventually produce a new application which is supposed to be completely resistant and resilient to attacks," Dacier said. "We don't try to fix all the problems, but we make it such that the vulnerability can still be there, but it can not be exploited anymore."
The way the system works is by taking a cloud-like approach to executing code. Dacier explained that normally a program will reside and run locally on a machine. With the MINESTRONE approach, what runs on the user's machine is just the interface to the system. Beyond the interface, there is another program that captures all the input that the user provides to the program and sends that information via REST APIs to the original application. The original program is augmented with new instrumentation, using various techniques from the MINESTRONE program to help make it more resilient.
"We have 'n' copies or variants of the original program that have been instrumented and are supposed to protect the application," Dacier said.
He explained that on each copy the output or state changes are captured and then the system checks to ensure that each copy has produced the same result. If it all checks out, then the output or state change is provided to the user's interface.
While Symantec's part of the research is focused on C programs running on Linux, Dacier stressed that the overall framework and associated techniques that are being developed have broader applicability.
"At Symantec, we're keeping in mind how we can leverage the results of the project and we're interested in more than just C programs for Linux," Dacier said.
From a purely Linux perspective, there are already some operating system features that can help mitigate application risk. Among those features is SELinux (Security Enhanced Linux) which is part of Red Hat Enterprise Linux and was developed in part with the U.S. National Security Agency (NSA). SELinux provides mandatory access controls for applications, restricting what a program can or cannot do. Dacier noted that the MINESTRONE effort can build on top of SELinux, though the problems that he's trying to solve are at a different level.
"The problems that we're considering are at the application level, things like race conditions or a buffer overflow," Dacier said. "The techniques we are looking at are things like automatically instrumenting the binary to find places where you can implement pre and post conditions whenever a function is invoked."
In the final analysis, Dacier said that what he expects the ultimate output to be from MINESTRONE is a framework that includes multiple techniques to protect an application.
"Within MINESTRONE we are developing different pieces of technology that make sense when put together but also have their own value," Dacier said.
Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network.