Every piece of software contains a part in its coding that makes it, potentially, vulnerable to a cyber attack. One coding mistake opens a window to a hacker to cause problems, either by deleting, steeling data or adding a malicious code. It’s been estimated that a typical item of software contains 50 errors per 1,000 lines of code. Each of these provide a window of entry for a cyber attack.
In the earlier days of computing the primary defense was through a feature called “address space layout randomization.” The approach was to rearranges memory when as a software program launches. The idea was that hackers will be blocked by the resultant variation. In practice, memory bugs proved too plentiful and hackers eventually found a way around this.
This meant a new approach was needed. The newly developed program Shuffler aims to combat a cyber-attack. What Shuffler aims to do is to aid other programs to continuously scramble their code as they operate; a process that closes off the opportunities for attackers. The developer of the program, Professor David Williams-King, from Columbia Engineering, explains: “Shuffler makes it nearly impossible to turn a bug into a functioning attack, defending software developers from their mistakes. Attackers are unable to figure out the program’s layout if the code keeps changing.”
Shuffler uses a similar code-scrambling approach as per earlier security measures, but it elevates this up considerably by randomizing small blocks of code every 20 to 50 milliseconds. The speed of this is thought to be too fast and complex for hackers to crack. Should a hacker work out the code, the idea is that by the time a server returns the necessary information it is already invalid.
Shuffler is designed to make no changes to the actual program it is protecting. Shuffler is designed to run alongside the code it defends and it does not change the operating system significantly. The operation of Shuffler does, however, slow-down operations a little, reducing the speed of programs by 15 percent on average.
Shuffler has recently been presented at the USENIX Symposium on Operating Systems and Design (OSDI). The meeting took place in Savannah, in the U.S.