Scramble, Cycle, Repeat

The story has implications for the entire field of computer security, including Cisco Systems (CSCO), FireEye (FEYE), Symantec (SYMC), Check Point Software Technology (CHKP), and Palo Alto Networks (PANW). There were a few extra points to be made about the company, hence this Web extra for Barron’s readers.

There’s not a lot of understanding of what CEO Alex Gounares and his team are doing. People I spoke with before and after meeting with Polyverse know either that its technology is to scramble code or that it is doing something with “containers,” the method of bundling applications with their dependencies made popular by San Francisco startup Docker, and now used all over the place.

Both are true, and both leave out some important elements.

The Scramble

Gounares, with the help of Christopher Fraser, a fairly well-regarded scientist of compilers (he wrote the “LCC” compiler along with David Hanson some years ago), has found a way to change which assembly-language instructions perform an operation, so that techniques of return-oriented programming and the like get starved for the familiar opcodes they need to function.

As Gounares explained, you could take a typical instruction sequence such as

mov eax, 42

and get the same end result with

mov eax, 40

mov ebx, 2

add ecx, ebx, eax

As Gounares describes it, this is “still getting to the same answer, but just by taking a different route.”

“Across a large program, there are literally billions of different permutations available to get to the same answer,” he observes.

For people familiar with techniques such as “address-space layout randomization,” or ASLR, Gounares likens what he and Fraser have built to “a next generation ASLR.”

But Polyverse’s technology is much more comprehensive, according to Gounares:

Rather than just randomizing just the starting address of a dll, we randomize nearly everything on the inside of the dlls and the rest of the program—addresses, register usage, layout, instruction usage, and so forth.

One amazing thing little realized by those outside the company is that the technology is not just for Linux and its applications; Fraser and Gounares have developed the ability to binary scramble Microsoft’s (MSFT) Windows.

Unlike Linux, whose source code is readily available, “It’s mathematically impossible” to binary scramble Windows, “but we did it anyway,” says Gounares.

At Microsoft, where Gounares worked starting in 1993 — he later would become the personal advisor to Bill Gates on technology matters — Gounares in fact wrote some of the Windows “boot code.”

Gounares didn’t take source code with him. Instead, with Fraser, he found a way to spy on Windows as it is loading up from the hard disk drive and change its stream of instructions in flight.

“It’s actually running as we’re doing the scrambling, and then once it’s started, it’s all in memory as a unique version.”

“We sort of change it as it’s being born, it doesn’t get to exist in a vulnerable state.”

Failing creatively

The other part of the story that’s not well understood is the profound shift in perspective of chief technologist Arches Gore, who ran what’s called “site reliability” for Amazon’s (AMZN) e-commerce operations for several years, handling 40,000 servers in data centers across multiple continents, including peak times during the holidays, with virtually no down time over the course of five years.

At Amazon, with constant demands for new code to be entered into the system, and to add features such as one-day shipping for Amazon goods, Gore learned to  embrace failure, or more precisely, manage failure.

Amazon commerce computers never ran the same batch of computer code for more than two days at a time.

“We had one powerful tool, we had the capacity to roll out fast, we could fix things cheap, we could roll back fast,” is how Gore describes the constantly shifting nature of Amazon’s servers, in what sounds like an echo of Facebook (FB) CEO Mark Zuckerberg’s axiom, “Move fast and break things.”

In a sense, the system is being frequently crashed, but in a controlled way, so that attacks never have much time to progress, if they even get started.

Failing creatively is an answer, in Gore’s view, to the fact that perfect code never exists.

“Security is a subset of correctness,” says Gore, meaning, correct code.

But, “we cannot write a system that can assure you that a certain piece of code is correct.”

The alternative is to constantly stop things and restart. “The most you can do is to return it to a known good state.”

“If my machine doesn’t meet my specs, we don’t go fix it, we just kill the damn thing!” declares Gore.

Gore’s role is to design the tools by which devs can work with security administrators at the very start, designing a policy for how containers will be recycled — how frequently, with what triggers, etc. (At the limit, Polyverse’s scrambling can re-scramble a given code base every quarter of a second, though in practice intervals such as every five seconds may be more realistic. Some companies might only need to scramble and re-cycle every 24 hours. It depends on different factors of load, response time, etc.)

Many of the tools Gore is developing borrow in spirit from what’s called “functional” programming, also known as “serverless,” which is increasingly becoming a hot topic in cloud computing.

Both Gore and Gounares are fans of the Erlang programming language. Erlang defined the idea that rather than specifying computer management based on tasks, CIOs can define it based on results and let the infrastructure handle the complexity. Like Erlang, Polyverse’s tools will define goals of security, and let the scrambling and cycling implement those goals.

The payoff is in increasing the complexity for an attacker, which pleases Gore, who is student of game theory. Reducing incentives, making things uneconomical, for the bad guys, is for him the point to what Polyverse does.

Put together Gounares and Fraser’s work with Gore’s container management, and what you have is an interesting kind of havoc in the data center, a controlled chaos, that makes security more a product of the way computers operate, rather than a barrier implemented after the fact, like a firewall. Security becomes an approach of dev-ops practice, rather than an afterthought.

If they can pull it off, it could be a big deal.

(Those interested in looking at the past history of moving target efforts may want to consult the reading list of Hamed Okhravi and his colleagues at MIT’s Lincoln Labs; they’ve done extensive work cataloging and testing various moving target work.)