Memory Firewall monitors apps at run time

Saman Amarasinghe, Derek Bruening, and Vladimir Kiriansky

When it comes to foiling hackers, Saman Amarasinghe views the world in stark terms.

“There is a black-and-white line,” says Amarasinghe, an associate professor at Massachussets Institute of Technology and CTO of Determina, maker of a host-based intrusion prevention system based on what the company calls Memory Firewall technology. “White is what a program would normally do. Black is what an exploit would force it to do.”

To better protect the Windows operating environment from intrusion, Amarasinghe teamed up a few years ago with two MIT students, Derek Bruening and Vladimir Kiriansky. Their efforts eventually produced Determina’s SecureCore IPS, which inspects applications at run time to ensure that none is executing malicious code.

For at least a year before SecureCore hit the market, the developers marshaled a small army of security experts and attacked it with “almost every [software] exploit known to man,” Amarasinghe says. The result was “an unbreakable system we’re all pretty proud of.” In its battle tests just before its release, SecureCore prevented numerous viruses from executing on Windows server and desktop systems in Determina’s lab.

When the product was merely a gleam in the developers’ eyes, “We were building compilers and looking closely at applications to build a dynamic optimization system,” Bruening recalls. “There are a lot of rules broken at the lowest level that programmers aren’t necessarily thinking about.”

Determina describes the technology as a Memory Firewall because, instead of using signatures to detect malicious code, SecureCore monitors individual program instructions for violations of good coding principles — the assumption being that any malicious activity will break the rules for how well-behaved applications work. Whenever SecureCore detects an attempt to hijack a critical Windows service or application, such as Microsoft’s IIS and SQL Server, it steps in before the code can execute.

SecureCore doesn’t guard against other types of attacks, such as DoS or cross-site scripting attempts — a primary reason that Determina stresses the importance of layered security architecture. You still need firewalls and anti-virus software.

“The world of attacks is almost infinite,” Amarasinghe notes. “But we went where the attackers go, which is after vulnerabilities in the software. If you attack an area where no human is in the loop, then you’re attacking at the speed of light. Where security is concerned ... you have to get it 100 percent right.”