OnSystem Defender

Using Patent-Pending Software and Hardware-Assisted Micro-Sandbox Technology to Stop Attacks Allowed by Programming Errors in All Applications

Problem

Looking at an endpoint from the security point of view:

  • Network defenses within and outside of the endpoint have improved
  • Operating system quality has improved and sandboxing mechanisms have given applications (Apps) on endpoints a safer environment to run in
  • Current host-based products (AV, HIDS, HIPS, monitors, etc.) do an acceptable job of flagging bad files (DLLs and other static content) to protect Apps against malicious payload types coming in through well-known channels (email, web download, etc.)
  • However, App-centric defenses have not improved

95% of Day 0 Advanced Persistent Threats (APTs) Use "Memory" Programming Errors in Applications to Take Over an Entire System and Migrate to Other Systems

  • Exploits can manipulate the memory of vulnerable applications to load and execute arbitrary code (aka Code Injection)
    • Exploit first establishes a small beachhead and then loads the remainder of the payload over the network directly into memory
    • Exploit code runs only in memory
    • Often used to exfiltrate sensitive information off the box or pivot to another vulnerable system
  • Exploits can also use existing code snippets within an application to perform desired operations (aka Return Oriented Programming or ROP)
  • Particularly troublesome for complex applications with code execution engines like browsers, Adobe Flash, Adobe Acrobat Reader, and network facing service applications like web servers, database servers, etc.
  • Undetectable by existing host-based (AV, HIPS, HIDS, etc.) and network-based (Firewalls, NIDS, etc.) security products
  • Current App-centric solutions loaded into Apps are ad-hoc and based on "generic" indicators of compromise
    • Stack was pivoted
    • Address randomization was disabled
    • DEP was turned off
    • ...
  • All current solutions can be bypassed since they have no runtime hardware enforcement to stop an application from loading arbitrary code supplied by the attacker (code injection)
    • Attackers can bypass generic indicators of compromise
    • If code injection is not stopped, the game is over

Solution

Use Patent-Pending Micro-Sandbox Technology to Solve the Problem (not just deal with it after the fact or simply report on it later after the breach)

What is a Sandbox? (the Current State of the Art)

A set of rules enforced during an application's execution that limits what the application can/cannot do; the rules are generated by observing normal behavior

What is a Micro-Sandbox? (Our Invention)

A set of rules enforced by software and hardware during an application's execution that limits what a code segment within the application can/cannot do; the rules are generated by observing "normal" behavior (among other methods).

Also included: the methodology, tools and infrastructure needed to implement the concept (by us, by the community, by third parties, and by customers) on all operating systems and endpoint form factors.

First Product Release: Implement a Micro-Sandbox Dealing with Memory Attacks for all Applications

  • Control allocation of memory segments that are both writable and executable
  • Control changing the permissions of existing memory segments to add execute access
  • Control loading of executable modules
  • Create additional Micro-Sandbox rules for specific privileged operations in applications of interest, for example Java manipulation of security objects
  • Add applications as necessary
  • Work toward making this community-based approach the de facto standard in the industry
  • Work with software makers to create their own Micro-Sandboxes to release with their software (initial release and updates)
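As an added illustration (not OnSystem's code, and without the hardware assistance the product describes), the first two rules above written as user-space policy wrappers around mmap() and mprotect(); the policy_allows_* and guarded_* names are hypothetical.

```c
/* Added example, not OnSystem Defender code: a user-space sketch of the
 * first two Micro-Sandbox memory rules. A real enforcement point would sit
 * below the application (kernel or hypervisor), not beside it. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/mman.h>

/* Rule 1: never hand out a segment that is both writable and executable. */
int policy_allows_alloc(int prot) {
    return ((prot & PROT_WRITE) && (prot & PROT_EXEC)) ? 0 : 1;
}

/* Rule 2: an existing segment may not gain execute permission; dropping
 * permissions (e.g. RW -> R) is always allowed, and the result must still
 * satisfy rule 1. */
int policy_allows_change(int old_prot, int new_prot) {
    if ((new_prot & PROT_EXEC) && !(old_prot & PROT_EXEC)) return 0;
    return policy_allows_alloc(new_prot);
}

/* Hypothetical wrapper: denied requests fail with EPERM and are logged
 * instead of reaching the real system call. */
void *guarded_mmap(size_t len, int prot) {
    if (!policy_allows_alloc(prot)) {
        fprintf(stderr, "micro-sandbox: denied W+X allocation of %zu bytes\n", len);
        errno = EPERM;
        return MAP_FAILED;
    }
    return mmap(NULL, len, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
}

/* old_prot is what the caller's segment table records for this region. */
int guarded_mprotect(void *addr, size_t len, int old_prot, int new_prot) {
    if (!policy_allows_change(old_prot, new_prot)) {
        fprintf(stderr, "micro-sandbox: denied adding execute at %p\n", addr);
        errno = EPERM;
        return -1;
    }
    return mprotect(addr, len, new_prot);
}
```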

Technology Applies to All Endpoints from Mobile Devices to Enterprise Servers and to All Operating Systems (Windows, Linux, iOS, Android, etc.)