Revolutionizing Zero-day Exploit Protection: Hardening Code with Load-time Function Randomization

Join runSafe’s Doug Britton as he provides a comprehensive exploration into how robust code hardening techniques effectively tackle the intricate challenges posed by zero-day exploits, thereby safeguarding against vulnerability exploits.

Defending Against the Unseen Threats

At RunSafe Security, our team has conducted extensive analysis to assess the efficacy of load-time function randomization, especially in the context of mitigating zero-day exploits, which are inherently unpredictable and pose significant threats to software systems.

Our investigation began with rap gadgets, which serve as fundamental components akin to Lego pieces in an attacker’s arsenal, particularly for targeting memory vulnerabilities. Through meticulous examination of thousands of open-source binaries, we meticulously extracted essential statistics pertaining to functions and ROM gadgets.

We observed that the average binary comprises approximately 220 functions and over a thousand rap gadgets, averaging nearly 5 gadgets per function. Notably, a considerable number of functions lacked gadgets, with a staggering 95% having fewer than 30 gadgets. Out of the 245,000 functions scrutinized, only a mere handful possessed 500 or more gadgets.

Subsequently, leveraging publicly available tools like Rapper, we endeavored to evaluate the presence of rap gates in the binaries. Our findings were revealing, indicating that 25% of these binaries harbored functioning chains capable of potentially granting unauthorized access to the device.

This alarming discovery underscores the significance of addressing vulnerabilities, especially given that vulnerabilities occur at a rate of 7 to 12 per 1,000 lines of code, as highlighted by NIST and other reputable studies.

Enter RunSafe Security: code hardening with load-time function randomization. With an average of 220 functions per binary, this approach results in an astronomical number of load combinations, approximately equivalent to 2.284 times 10 to the power of 420.

The implications are profound, as this strategy significantly enhances entropy, thereby severely restricting an attacker’s options. Instead of having access to a myriad of rap gadgets, attackers are confined to the gadgets within the specific vulnerable function, with an average of less than 5 per function.

Upon conducting a thorough reassessment of the binaries, we made a remarkable discovery—none of them exhibited function-level rap chains. This outcome underscores the effectiveness of RunSafe’s load-time function randomization in fortifying software systems against potential threats.
This robust defense mechanism instills confidence, even in the face of future zero-day vulnerabilities, as systems protected by RunSafe’s measures offer resilient protection, leaving attackers with minimal avenues for exploitation.

How Much of Your Attack Surface Can You Reduce?

Get a free report in 5 mins

(No contract / no credit card needed)