Periodic Reporting for period 2 - REACT (REactively Defending against Advanced Cybersecurity Threats)
Berichtszeitraum: 2019-06-01 bis 2021-05-31
To protect vulnerable systems, most software vendors periodically release software updates (usually called "software patches") that improve the functionality of the targeted systems and patch some of their vulnerabilities. Although patching seems like a nice way to have a population of computers fully protected, experimental evidence suggests that patching, at least in the way it has been done over the past few years, is highly ineffective. This is mostly because patching takes a long time to be applied to a large-enough percentage of computers. Indeed, our experimental results, based on a study including several thousands of computers, suggest that on the average it takes 67 days to patch 50% of the studied population, and a whopping 200 days (i.e. more than 6 months) to patch 90% of it. And to make matters worse, there are cases where patches never arrived no matter how long we were willing to wait. For example, in the cases of hardware bugs (or better yet “software-triggered hardware bugs”), traditional patching approaches just do not work.
It is not difficult to realize that having such a large percentage of computers being in a vulnerable state for several months or even years, is basically an accident that is, sooner or later, bound to happen.
But ReAct does not stop here. Being an ambitious innovative project ReAct asks a bold question: "Can we protect a computer before we know that it is vulnerable?”. This sounds very complicated. Indeed, how can we protect a computer against something when we do not know what this something is? In ReAct we take a bold step and follow a two-pronged approach in order to be able to protect a computer before we even know that it is vulnerable:
• Find the vulnerability ourselves! This approach realizes that attackers usually compromise computers by finding and exploiting a new bug – a bug that is usually unknown to the developers of the computer system. Based on the attackers’ strategy, our approach poses a simple question: “Why wait for the attackers to find and exploit the bug?”. That is, “Can’t we just find the bug ourselves? Can’t we outrun the attackers in their effort to find the bug?”. In ReAct we do just that: we develop methods to outrun the attackers - we develop novel approaches that go well beyond traditional debugging and make use of novel feedback-driven fuzzing techniques that can be used by software developers in order to find the bugs before the attackers do.
• Use AI to find the vulnerable computers and fortify them against future attacks – even when we do not know what exactly this future attack will be. This can be done by advanced cyber intelligence approaches. Indeed, using advanced telemetry we collect a number of features about a computer and using a sophisticated Artificial Intelligence Model we predict whether a computer with these features has a higher probability of being compromised in the future.
All in all, ReAct follows a holistic approach that aims to protect computers throughout their entire lives: (i) before they are attacked, (ii) after they are attacked and before they are patched, and (iii) after they are patched for a particular vulnerability.
• Detection of computers that are about to be hacked. This is a very difficult area of work. Although it is relatively easy to find out if a computer has been compromized (i.e. hacked), it seems utterly difficult, if not impossible, to determine if a computer will be hacked in the future. In ReAct, we did just that: we predicted the future security stance of computers. Using advanced Artificial Intelligence approaches and combining a number of signals about the security hygiene of current computers, ReAct researchers have managed to predict whether a computer will be compromised. Even better they managed to do this prediction with very high accuracy - sometimes higher than 95%. This means that they can (with 95% certainty) identify the computers that need to be protected better so as to be able to withstand future attacks.
• Detection of software bugs. Cyber attackers who penetrate computers usually exploit a vulnerability (a bug) that exists in the software of the computers. Finding such software bugs can be notoriously difficult and time consuming. Indeed, if it were easy to find these bugs, the software development companies would have found them before the attackers. In this line of work, ReAct researchers have developed "fuzzing" approaches that are able to detect bugs even when these bugs are hidden deeply in the software and even when they are triggered by very infrequent combination of external events. Using their approach, they have identified several bugs that exist in commonly used software programs (i) helping the community to patch the bugs and make software harder to be exploited by attackers, and (ii) arming the community with a toolset that will continue to help with bug discovery in the future.
• Detection and Mitigation of Software-controlled hardware bugs. When we talk about security we usually refer to software: buffer overflows, software bugs, software vulnerabilities, trapdoors - everything in software. However, bugs can also exist in hardware. ReAct researchers have demonstrated how to "trigger" hardware bugs that can eventually lead to breaking cryptography and compromising data and communications. The idea is simple: repeatedly reading (hammering) a memory location may result in changing the value of a different memory location, possibly belonging to another application. This bug, called Rowhammer in the language of computers, although simple to describe, it is very difficult to fix. The core of the difficulty lies in the fact that it is not a software bug: it is a hardware bug and thus can be completely and properly solved only in future hardware versions of the effected devices. For their work, in developing virtual-memory-based solutions that mitigate Rowhammer, ReAct researchers received numerous awards, including an Intel Bounty Reward and a recent patent.