Ex-Google, Mozilla bods to outwit EVIL BOTS with 'polymorphic' defence

Startup Shape Security is re-appropriating a favourite tactic of malware writers in developing a technology to protect websites against automated hacking attacks. Trojan authors commonly obfuscate their code to frustrate reverse engineers at security firms. The former staffers from Google, VMWare and Mozilla (among others) …

COMMENTS

This topic is closed for new posts.
  1. Crisp

    It seems like a rather long winded way to say:

    Security through Obscurity.

    1. James 51

      Re: It seems like a rather long winded way to say:

      Perhaps, but the article implies that the code is continuously shifting and so has a better chance of staying obscure. Even if you manage to successfully attack the site once, it will change the next time you visit the page, rendering the previous attack less effective without any extra action by the owners of the site. Clever if it works.

      Can't help but be reminded a little of the cyber warfare in GitS, in particular viruses that used the defenses of a system as an essential piece of their functionality. Let the arms race begin.

      1. cyborg

        Re: It seems like a rather long winded way to say:

        "Can't help but be reminded a little of the cyber warfare in GitS, in particular viruses that used the defenses of a system as an essential piece of their functionality."

        That's how viruses in real life work.

        1. James 51

          Re: It seems like a rather long winded way to say:

          I didn't paraphrase the footnote very well. The virus doesn't exploit a weakness in the AV to bypass it and infect the system; the virus is a fragment of a full program and actually lifts the AV code to complete itself.

          1. cyborg

            Re: It seems like a rather long winded way to say:

            "The virus doesn't exploit a weakness in the AV to bypass it and infect the system; the virus is a fragment of a full program and actually lifts the AV code to complete itself."

            Yeah, that's par for the course in biology as far as viruses are concerned.

  2. knarf

    Debug That Sir!

    Not sure I'd like to debug those web applications. The logs would indeed be odd.

    1. Renan "C#" Sousa

      Re: Debug That Sir!

      I think it would be like minified script debugging. Minified scripts are unintelligible, but for most technologies a dev can replace them with a non-minified version of the same code on the fly for debugging purposes.

    2. Anonymous Coward

      Re: Debug That Sir!

      I suspect the logs will be unchanged. I think this thing is basically a reverse web proxy that fiddles with the URLs. Perhaps a little like a NAT for http (shudder).

      Cheers

      Jon

  3. Dan 55

    How does that work then?

    Mondays, Wednesdays and Fridays we've got SQL injections on offer and Tuesdays, Thursdays, and weekends we've got buffer overflows going cheap?

    Either you program it properly or you don't.

    1. Real Ale is Best

      Re: How does that work then?

      Ok, clever clogs. Write me a thousand lines of bug free code.

      1. Matt 21

        Re: How does that work then?

        I imagine the idea is that the page is changed every time it is loaded. The changes would, I imagine, amount to changing the names of objects like text boxes, JavaScript functions and session variables, among other things.

        It sounds like the software also does auto filtering of posted data to guard against SQL injections.

        Probably other stuff too which I can't guess at :-)

      2. Anonymous Coward

        Re: How does that work then? @Real Ale is Best 12:53

        "Ok, clever clogs. Write me a thousand lines of bug free code."

        You don't need to be able to do better to tell when someone's cocked up. Try a valid counterpoint in future.

        1. Real Ale is Best

          Re: How does that work then? @Real Ale is Best 12:53

          You are missing my point. In any large software project there will always be bugs.

          Writing a large quantity of bug free code is nearly impossible, or at best, requires a huge amount of effort.

          1. Dan 55 Silver badge

            Re: How does that work then? @Real Ale is Best 12:53

            Yes, writing bug free code is difficult and requires a large amount of effort but that's the only way to stop bugs being exploited. Randomly changing stuff doesn't get rid of the bugs, it just makes it harder to debug.

      3. Crisp

        Re: Write me a thousand lines of bug free code.

        That's easy!

        10 PRINT "Hello, world!"

        20 PRINT "Hello, world!"

        ....

        996 similar lines snipped.

        ....

        9990 PRINT "Hello, world!"

        10000 PRINT "Hello, world!"

        There you go! Totally bug free!

        (It doesn't do anything, but then that wasn't in the requirements)

  4. M Gale

    So co-opt the browser engine?

    Rather than scraping the site and parsing hypertext directly, automate a browser. Find out where the relevant UI elements get rendered in the page and from then on it's "that input element at that position, whatever it's called and however many zero-margin DIVs it's embedded in."

    And yay, yet more patents pending on software. Guess this'll be kicked into the long grass for the next 25 years, then.

    1. Roo

      Re: So co-opt the browser engine?

      This sounds like a neat trick to make malware writers' lives a lot harder... It won't be invincible, it isn't a substitute for well written code, but it could dramatically increase the amount of effort malware writers have to expend, which would be a good thing. It could help browsers to identify replay attacks as well.

      On the downside it's going to break caching of web pages which could trigger an upswing in traffic. But on the upside it'll make traffic interception more interesting and hopefully a bit more expensive. ;)

  5. Anonymous Coward

    Basically just means giving your form elements different names for every visitor. Have been doing this for years.

  6. Crazy Operations Guy

    Yet another appliance...

    I don't need any more crap in the network racks when I already have the BGP routers, forward firewalls, load balancers, anti-malware engine, IDS/IPS system, web cache appliance, VPN gateways, rear-facing firewalls, packet shapers...

    Typical Web 2.0 idiot programmer thinking: "I have no time to check my code for security bugs, I'm too busy inventing the next InstaSnapLinkedFaceGram+. Let's just make something to cover this up and make it the responsibility of the Dev/Ops team!"

  7. Valeyard

    their biggest customer..

    ..Would surely be sites offering products they don't want scraped for comparison sites etc?

    As someone who does automated testing I was a bit scared till I saw the underlying code doesn't have to change, so it's still nice and static in dev...
