Dorothy Ryan | Lincoln Laboratory
June 14, 2019
Popular commodity software applications, such as browsers, business tools, and document readers, have been the target of sophisticated cyberattackers who find vulnerabilities in the application code to gain entry into and compromise an enterprise. Significantly contributing to large-scale cyberattacks is the homogeneity of these commodity applications. Because all installations of such applications look alike, when perpetrators develop an attack against an application, they can easily undermine millions of computers at once. Moreover, the closed-source nature of these applications makes them notoriously hard to defend because protection techniques often require access to the application’s source code.
MIT Lincoln Laboratory has been conducting R&D on technology that will protect commodity Windows applications from attack. The technology, Timely Randomization Applied to Commodity Executables at Runtime (TRACER), has been licensed by a major cybersecurity company and will soon be offered as part of a security suite to protect enterprises.
TRACER protects Windows applications against sophisticated, modern attacks by automatically and transparently re-randomizing the applications’ sensitive internal data and layout at every output from the application. Other randomization technologies, such as techniques to randomize the memory layout, the compiler-based code, or the instruction set, employ a one-time randomization strategy that can make these technologies susceptible to data leakage; hence, attackers can exploit that information leakage to analyze the method of randomization and then subvert it. By re-randomizing the sensitive internal data and layout of an application every time any output is generated, TRACER renders leaked information stale and resists attacks that can otherwise bypass randomization defenses.
TRACER was developed for use with Windows applications because of their ubiquity. Reported estimates are that more than 90 percent of desktop computers run Microsoft Windows with commodity applications.
TRACER is an attractive package for organizations seeking to protect their Windows-running systems. It prevents the most common and highly advanced control-hijacking attacks against Windows applications. It is implemented as a single dynamic link library file that takes minutes to install on a machine and is seamless to operate after the initial installation. It does not interfere with normal maintenance, patching, software inventory, or debugging facilities of an enterprise network. And, perhaps most importantly to companies, TRACER does not require access to the source code or modification of the Windows operating system.
TRACER’s R&D was led by Hamed Okhravi of Lincoln Laboratory’s Secure Resilient Systems and Technology Group and included contributions by Jason Martin, David Bigelow, David Perry, Kristin Dahl, Robert Rudd, Thomas Hobson, and William Streilein.
“One of our primary goals for TRACER was to make it as easy to use as possible. The current prototype requires minimal steps to set up and requires no user interaction during its operation, which we hope facilitates its widespread adoption,” Okhravi says.
The team is currently conducting R&D on a foundationally secure computer design for the future of computer systems.
TRACER was developed under the sponsorship of the U.S. Department of Defense and the Department of Homeland Security Science and Technology Directorate.