Determina pre-hacks applications against intruders

Malicious hackers are constantly exploiting software vulnerabilities. Vendors and IT staff alike spend countless hours racing to update protection signatures and install patches before their exposed systems can be compromised. It’s a never-ending battle that favors the hackers.

A few years ago, a group of MIT scientists -- who had begun working on in-line compiler optimization technology back in 1999 -- realized that their compiler technology could protect enterprise applications in a new, pre-emptive way. Rather than merely “closing the barn door,” IT could build defenses on the fly based on application behavior. From that realization was born Determina, named for the deterministic algorithms underlying its technology.

Traditional approaches to intrusion detection look for changes in program behavior that take place after a successful attack, based on well-known signature patterns. Often, they mistakenly flag abnormal yet harmless behaviors, such as those caused by bugs or unusual scenarios that have not yet been modeled in the threat-detection systems, notes Determina CTO Saman Amarasinghe, who developed the original compiler optimization technology. Hackers can eventually defeat such systems by finding ways to produce normal signatures.

Determina’s Memory Firewall takes a different approach to monitoring. By essentially “pre-hacking” applications, it can monitor what’s happening inside them and detect and prevent attacks as they begin. “We will look for the root cause,” Amarasinghe says.

Determina forces all applications to run in a managed program execution layer akin to how VMware runs an operating system in a virtualized layer. “Every instruction is run by us,” Amarasinghe says. Memory Firewall doesn’t have to guess from outside as to what is actually happening in the software, which in turn eliminates false positives and masked signatures.

Some security tools use an emulation layer to run application code to detect polymorphic viruses, but that can slow down software execution a hundredfold -- which means emulation must be used sparingly. By contrast, because Determina’s technology was originally designed to optimize compiler execution, its performance hit is less than 5 percent, enabling Memory Firewall to check every instruction and state.

Memory Firewall detects most hacker attacks, but not all, Amarasinghe admits. Some attacks exploit vulnerabilities in code -- frequently in quickly produced software patches -- such as forgetting to check buffer condition. “Vendors no long produce patches just every six months, so there’s not enough time to do full QA,” Amarasinghe says.

So Determina developed a second innovation: LiveShield, which performs such checks on both the original code and the patches. It then soft-patches the code, typically changing just a few bytes. This gives IT breathing room to thoroughly test the patches for other issues.

Everyone now realizes that security goes far beyond securing the network perimeter. Determina offers an innovative solution that cleverly addresses the problem at the app level.

Click for larger view.