Shuffling the pack stops cyber attacks

Hackers will always be able to exploit coding and software, as long as humans are writing the software and there is the odd coding mistake.

Just a single bug can open the door to attackers deleting files, copying credit card numbers or carrying out political mischief.

However the new program called ‘Shuffler’ tries to obstruct such attacks by allowing programs to continuously scramble their code as they run, effectively closing the window of opportunity for an attack. The technique is described in a study presented this month at the USENIX Symposium on Operating Systems and Design (OSDI) in Savannah, Ga.


The study’s lead author, David Williams-King, a Graduate Student at Columbia Engineering commented: “Shuffler makes it nearly impossible to turn a bug into a functioning attack, defending software developers from their mistakes. Attackers are unable to figure out the program’s layout if the code keeps changing.”

Even after repeated debugging, software typically contains up to 50 errors per 1,000 lines of code, each a potential avenue for attack. Though security defenses are constantly evolving, attackers are quick to find new ways in.

In the early 2000s, computer operating systems adopted a security feature called address space layout randomization, or ASLR. This technique rearranges memory when a program launches, making it harder for hackers to find and reuse existing code to take over the machine. But hackers soon discovered they could exploit memory disclosure bugs to grab code fragments once the program was already running.

Shuffler was developed to deflect this latter style of code-reuse attack. It takes ASLR’s code-scrambling approach to the extreme by randomizing small blocks of code every 20-50ms, imposing a severe deadline on would-be attackers. Until now, shifting around running code as a security measure was thought to be technically impractical because existing solutions require specialized hardware or software.

The study’s co-author Vasileios Kemerlis, a Computer Science Professor at Brown University said: “By the time the server returns the information the attacker needs, it is already invalid —Shuffler has already relocated the respective code snippets to different memory locations.”

Designed to be user-friendly, Shuffler runs alongside the code it defends, without modifications to program compilers or the computer’s operating system. It even randomizes itself to defend against possible bugs in its own code.


The researchers say Shuffler runs faster and requires fewer system changes than similar continuous-randomization software such TASR and Remix, developed at MIT Lincoln Labs and Florida State University respectively.

As an invitation to other researchers to try and break Shuffler, Williams-King is currently running the software on his personal website, where he can check that the code is shuffling and whether anyone has attacked the site by reviewing the program’s logs.

On computation-heavy workloads, Shuffler slows programs by 15% on average, but at larger scales—a webserver running on 12 CPU cores, for example—the drop in performance is negligible.

This versatility means that software distributors as well as security-conscious individuals could be potential end users. “It’s the first system that is trying to be a serious defense that people can use, right now,” said Williams-King.

Shuffler needs a few last improvements before it is made public. The researchers say they want to make it easier to use on software they haven’t yet tested. They also want to improve Shuffler’s ability to defend against exploits that take advantage of server-crashes.

The study’s senior author, Junfeng Yang, a Computer Science Professor at Columbia Engineering and member of the Data Science Institute said: “Billions of lines of vulnerable code are out there.”

Yang added: “Rather than finding every bug or rewriting all billions of lines of code in safer languages, Shuffler instantly lets us build a stronger defense.”

More information: TechXplore

Comments are closed, but trackbacks and pingbacks are open.

404 Not Found

404 Not Found

nginx/1.18.0 (Ubuntu)