For as long as people have been writing software, there have been simple coding mistakes that could open doors to hackers, leading to attackers accessing secure information, deleting important files, and “carrying out political mischief.” A new program called Shuffler, created by the Columbia University School of Engineering and Applied Science, presents a new method of providing protection against such attacks. To prevent possible attacks, Shuffler allows programs “to continuously scramble their code as they run, effectively closing the window of opportunity for an attack.”
“Shuffler makes it nearly impossible to turn a bug into a functioning attack, defending software developers from their mistakes,” said the study’s lead author, David Williams-King, a graduate student at Columbia Engineering. “Attackers are unable to figure out the program’s layout if the code keeps changing.”
Shuffler has been developed to randomize small blocks of a program’s code every 20 to 50 milliseconds, “imposing a severe deadline on would-be attackers. Until now, shifting around running code as a security measure was thought to be technically impractical because existing solutions require specialized hardware or software.” Running alongside the code it protects, Shuffler even randomizes its own code to provide the best possible security.
The Shuffler program, however, is not yet available to the public. Researchers say they want to improve its ability to defend against “exploits that take advantage of server-crashes” as well as making it easier to use on untested software. “Billions of lines of vulnerable code are out there,” said the study’s senior author, Junfeng Yang, a computer science professor at Columbia Engineering and member of the Data Science Institute. “Rather than finding every bug or rewriting all billions of lines of code in safer languages, Shuffler instantly lets us build a stronger defense.”