Binary Randomized Security

Cybersecurity Center

This post was originally written by IoT analyst Scott Shagory and appears on his website.

RunSafe Security is a cybersecurity startup and Mach37 graduate focused on providing security solutions to firms and agencies in the domain areas of national security, critical infrastructure, data centers, Industrial Internet of Things (IIoT), and, in the future, healthcare device manufacturers. The startup’s methodology is to harden and protect software code – apps, middleware, OS, container, hypervisor, or firmware – actively running in-memory via runtime application self protection (RASP) and moving target defense (MTD) techniques. 

Hardware manufacturers build devices, such as telematics, lighting systems, actuator motors, flow control meters, and thousands of other devices, with embedded binary images that are identical. Thus, if a team of adversarial hackers were to learn the active in-memory software organizational structure of one device and combine this knowledge with an effective deployment and scaling structure, this team would know how to attack any device with the same embedded binary image with a malware attack.

In brief, malware attacks come in forms many are familiar with: ransomware, bots, adware, root kits, spyware, remote access tools, viruses and the like. Most successful malware attacks occur through email, web, or a compromised supply chain passing by traditional firewalls, antivirus software, and various system policy rules. The most successful attacks leverage human unpredictability as the weakest system link.

Founded in 2015 and lead today by CEO Joe Saunders, Doug Britton, Simon Hartley, and Lisa Silverman, RunSafe created Alkemist, a product designed to disrupt hacker economics and protect critical infrastructure. The framework for neutralizing these attacks centers on transforming code loaded in-memory to add hardening and to appear different via randomization. Like a snowflake, identical embedded devices provide the appearance of having unique sets of software files in kernel, user, variable, and thread space. Thus, a malware attack lacks the uniformity needed to scale to other devices, eliminating an entire class of cyberattacks by shrinking the attack surface.

As a security method, randomization is not particularly new. In 2012, Joseph Feiman, then at Gartner Research and now at Veracode, a RunSafe Competitor, coined the term RASP and advocated for it as an approach to better security. The RASP security domain is expanding rapidly and there are plenty of competitors in the space. Participants include IBM, HP, WhitehatVeracodePromonGuard Square NV, and others. However, the global consultancies have partnerships rather than core products and the smaller participants are focused on other market segments, such as mobile.

What is unique and innovative about RunSafe’s approach to randomization and security is their three pronged solution.  First, they randomize every in-memory binary: functions and libraries. Second, they randomize the ordering of blocks to eliminate attacks where software functions can be called out-of-order to insert malicious code. These are known as Return/Jump Oriented Programming (ROP/JOP) attacks. Third, they randomize memory set aside for input variables as they are sourced into the code stack. 

Thus, every line of code, variable, thread, and memory block that is called or utilized has randomization and hardening applied to thwart an attacker from understanding the memory topology of a device for malicious replication across a system. All of these actions are performed once per binary and/or in real time with a patented low overhead footprint. There are no changes made to the compiler, OS, application, variable inputs, or threads. As a result, legacy infrastructure systems can remain untouched with RunSafe’s RASP serving as a wrapper and shield. 

RunSafe’s default stance is to take an action – which still is not the norm. Many cybersecurity firms still focus overwhelmingly on alerts and reports through filtering, identifying anomalies and solving any security issue via patching, compliance and remediation. Industry assumptions remain that if the filtering and centralized network controls are sophisticated enough, and the patch schedule followed religiously, security is the most likely outcome. However, the reality is very different.

As a strategist, I find RunSafe compelling because the firm focuses on differentiation, makes clear tradeoffs, and organizes internal activities differently than rivals. They also care deeply about cybersecurity and ultimately want to make real security available to as wide an audience as possible.

First, the firm begins with first principles on security and important stakeholder decision making – including nefarious participants – in the cybersecurity ecosystem. Gone is the focus on centralized network security, more and faster hardware, and the culture of security perfection. RunSafe assumes all the underlying hardware – integrated circuit boards, chipsets, graphic and expansion cards, interfaces, sensors – of an embedded device is compromised. The firm’s literature and history as a DARPA project emphasize this security challenge.

In addition, their approach to security assumes the software running on a device/system has lots of security problems – susceptibility to buffer overflow, heap, and stack attacks in organizational and third party apps, libraries, and frameworks – and is therefore susceptible to exploitation. 

Moreover, they assume active human system involvement will add another layer of vulnerability. For example, system administrators who incorrectly sources environment variables or developers inadvertently bridging a control or air gap, introducing malware via compromised software or hardware. RunSafe assumes a device or system from bare metal, through the hypervisor, past the OS, encompassing the application, and everything that application sources, is compromised in some way.

Second, they define adversarial hackers – APT teams, state sponsored agents, corporate espionage organizations – in economic, not emotional terms. Most cybersecurity firms use emotion and fear to sell their products and services because people don’t really want to buy them. Companies often define cybersecurity as a cost center and not a strategic or brand asset. By focusing their message around the strong underlying economic incentives of an attack, RunSafe helps frame both their value proposition and lead their communication approach in a competitive space around getting at the impetus of an attack – economic gain – and thwarting it in real time. 

Third, RunSafe has spent considerable time making their Alkemist product easy to use. Whether through a simple UX web interface or via a hypervisor in a private cloud environment, the focus is on an end user experience that doesn’t require someone to be a cybersecurity professional. Complimenting this ease of use are methodologies for scaling repeatability – that is without customization.

Fourth, an early adopter of RunSafe’s solution has been the U.S. intelligence community. As a DARPA spinout project this is no surprise. But such early adoption often comes at a price in the form of product, market, and service optimization that limits scale for the private sector. The team appears mindful of this potential trap and has taken a number of external and internal steps to avoid the pitfall. Early market beachheads include the data center market – physical plant infrastructure and virtualized software platforms – the autonomous transportation market, and the energy space. Meaningfully, the team has previous domain experience in these markets. A move into medical devices will come later. 

Finally, the team has a good sense of their “why” and the core motivation behind RunSafe Security. The team is building confidence, fostering trust, and providing integrity where it does not really exist. Similar to a forest that is vulnerable and infected from its root stock out to its leaves, the purpose of RunSafe is to isolate infection, build resistance, and prevent contagion. The team wants to make computing environments in several domains safe and secure with a technical approach to security that is unique, where the economic motivations of counter parties are fully addressed, and where decision makers – technical staffs, supply chain partners, leadership teams – feel confident about the integrity of their critical infrastructure. Fear often creates paralysis and RunSafe breaks this chain of doubt and uncertainty.

Around the topic of risks, there are two in my mind. First, the founders view their security approach as having broad applicability and I would agree. Essentially, any software device/platform that utilizes memory is relevant. As a current team of eleven, with an expectation to add twenty-five in 2019, will the firm’s product be too much of a good thing? CEO Saunders spoke a number of times about repeatability and automated deployment is going to have to become a well oiled machine. 

Second, the human talent RunSafe needs to grow is in short supply and the founders – with their significant industry experience – cannot scale. Company culture and knowledge transfers only so fast. CEO Saunders discussed the importance of CTO Britton’s role in finding the right development talent with skills honed from previous roles and a large professional network.

Neither of these challenges are new and every startup has both, but given what Alkemist solves for a very wide audience – even as they focus on a few beachheads – the challenge to say ‘no’ or ‘not now’ to new verticals could strain the team in significant ways.

Final Thoughts

In the early 1990s I worked as an assistant project manager for Andover Controls, a DDC systems automation building management solutions provider, in the UK. At the time, Honda Europe was consolidating their European operations in Swindon at an old RAF base. Andover Controls won the contract to install the heating and cooling systems in a number of plant areas designed to build European Civics. Twice a day I’d walk a loop of about 1.5 miles to visit areas we were responsible for because HVAC systems were isolated and siloed. While some industrial and OT environments remain walled off many are not and are therefore ripe for malware exploitation given all of the vulnerabilities discussed here.

RunSafe is focused on industry domains with fragmented and uneven security architectures with a product designed to work in any computer memory environment, regardless of the legacy architecture. Thus, if a firm is running Windows 3.1 or Windows 95 to control valve pumps in a cooling system, Alkemist can run seamlessly with that legacy OS to protect the device. Alkemist can also run seamlessly on current cloud based infrastructure. Industrial clients can get the best of both worlds as they build world class products needing security and modernize their infrastructure with the same security tools and approach.

I look forward to watching how RunSafe grows over the next eighteen months and getting back in touch for an update on their progress. 

Stay tuned.