REactively Defending against Advanced Cybersecurity Threats

Periodic Reporting for period 1 - REACT (REactively Defending against Advanced Cybersecurity Threats)

Reporting period: 2018-06-01 to 2019-05-31

Despite the advances in system security of the last decades, advanced cyber-security threats can still compromise software and disrupt the operation of large networks. In many cases the cyber attackers target anything that can be attacked: computers, laptops, tablets, IoT devices - anything. Although software development has significantly evolved, most software systems still contain vulnerabilities (software bugs). Many of these vulnerabilities can be exploited by cyber attackers in order to compromise and control the target systems. Indeed, once software is exploited, attackers can further instrument it to perform their operations and malicious actions.

To deal with vulnerable software, most software vendors periodically release software updates (or "software patches") that improve the functionality and patch some of the vulnerabilities. Unfortunately, from the time a vulnerability is discovered (usually called "zero day") until the time the patch is applied, it may take days or even weeks. There is a wide variety of reasons for this delay: software vendors may take longer than expected to release a patch, computer users may take a few more days to apply the patch, patches may be temporarily disabled, etc.

During this interval (between "zero day" and patch application), the un-patched computers are vulnerable to exploitation.
ReAct came to fill this gap - to reduce the window of vulnerability and "fortify" the vulnerable computer until the patch is available. Using advanced hardening approaches, including "selective fortification", ReAct applies an automatically generated temporary real-time patch that neutralizes the vulnerability until an official patch is installed. In this way, ReAct closes the window of vulnerability and does not allow attackers to compromise the vulnerable computer.

But ReAct does not stop here. Being an ambitious, innovative project, ReAct asks a bold question: "Can we protect a computer before 'day zero'? Can we protect the computer before we know about its vulnerability?". ReAct makes a bold step in this direction and responds "Yes! In several cases we can protect vulnerable computers even before day zero". This can be done by advanced cyber intelligence approaches. Indeed, using advanced telemetry we collect a number of features about a computer, and using a sophisticated Artificial Intelligence Model we predict whether a computer with these features has a higher probability of being compromised in the future. For example, if a computer runs lots of unknown applications, has too many open ports, and has poor security hygiene, then it has a higher probability of being compromised in the future. For those computers that are deemed "high risk", ReAct proposes the application of hardening and selective fortification even before any vulnerability is discovered. In this way the computer is hardened against future vulnerabilities (which have not been discovered yet).

All in all, ReAct proposes a holistic approach that aims to protect computers throughout their entire lives.
The partners have achieved scientific breakthroughs in a number of areas including:

Detection of computers that are about to be hacked. This is a very difficult area of work. Although it is relatively easy to find out if a computer has been compromised (i.e. hacked), it seems utterly difficult, if not impossible, to determine if a computer will be hacked in the future. Indeed, as Niels Bohr, the Nobel Prize Laureate, said "predicting is very difficult, especially if it is about the future". In ReAct, we attempt to do just that: predict the future security stance of computers. Using advanced Artificial Intelligence approaches and combining a number of signals about the security hygiene of current computers, ReAct researchers have managed to predict whether a computer will be compromised. Even better, they managed to make this prediction with very high accuracy - sometimes higher than 95%. This means that they can (with 95% certainty) identify the computers that need to be protected better so as to be able to withstand future attacks.

Detection of software bugs. Cyber attackers who penetrate computers usually exploit a vulnerability (a bug) that exists in the software of the computers. Detecting such software bugs can be notoriously difficult. Indeed, if it were easy, the software development companies would have found them before the attackers. In this line of work, ReAct researchers have developed "fuzzing" approaches that are able to detect bugs even when these bugs are hidden deeply in the software and even when they are triggered by very infrequent combinations of external events. Using their approach they have identified several bugs that exist in commonly used software programs, helping the community to patch the bugs and make software harder for attackers to exploit.

Detection and Mitigation of Software-controlled hardware bugs. When we talk about security we usually refer to software: buffer overflows, software bugs, software vulnerabilities, trapdoors - everything in software. However, bugs can also exist in hardware. ReAct researchers have demonstrated how to "trigger" hardware bugs that can eventually lead to breaking cryptography and compromising data and communications. The idea is simple: repeatedly reading (hammering) a memory location may result in changing the value of a different memory location, possibly belonging to another application. This bug, called rowhammer in the colorful language of computers, although simple to describe, is very difficult to fix. The core of the difficulty lies in the fact that it is not a software bug: it is a hardware bug and thus can be completely and properly solved only in future hardware versions of the affected devices. For their work, ReAct researchers have received numerous awards, including an Intel Bounty Reward.
ReAct has just finished its first year. In the next two years, ReAct researchers will enhance the produced results, integrate the components into an easy-to-use dashboard and actively push the exploitation of the results.
Impact of the ReAct project