Sign up for my newsletter to see more interviews with the biggest names in cybersecurity.
This week I spoke to Andrei Homescu, the cofounder of Immunant Inc. Andrei recently completed his PhD at UC Irvine, where, among other things, he researched the use of software diversity to harden applications against a variety of attacks. It was fascinating for me to talk to someone who’s at the forefront of research in the security space, but is also now applying it at his own company. Check out the awesome interview below!
In your paper on thwarting side channel attacks, you mention that existing software diversity techniques transform each program trace identically, whereas your method makes each program trace unique. Can you explain what this means and why your way is better?
That’s more of a technical distinction between static software diversity, where you produce different versions of programs but always run one of those versions, and dynamic software diversity, where you randomly decide during execution what you’ll do next. The whole idea is to move the randomized decisions (the diversity) from before the program is executed into its execution, and make the execution itself more dynamic.
I’ve previously done a lot of work on static software diversity as well; the problem there is that once the adversary figures out which version you’re executing, they can easily adapt.
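To make Andrei's distinction concrete, here is an added C example (my own illustration, not code from Andrei or Immunant): two equivalent variants of a small checksum, one selected once at build time (static diversity) and one selected afresh on every call (dynamic diversity). The checksum itself, the STATIC_VARIANT macro and the use of rand() are constructed for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Two semantically equivalent variants of one computation (a toy polynomial
 * checksum): same result for the same input, different instruction sequence,
 * hence a different timing and control-flow trace. */
static uint32_t checksum_variant_a(const uint8_t *buf, size_t n) {
    uint32_t acc = 0;
    for (size_t i = 0; i < n; i++) acc = acc * 31u + buf[i];
    return acc;
}
/* Variant B: same arithmetic, loop unrolled by two with an odd-length fixup. */
static uint32_t checksum_variant_b(const uint8_t *buf, size_t n) {
    uint32_t acc = 0;
    size_t i = 0;
    for (; i + 1 < n; i += 2) acc = (acc * 31u + buf[i]) * 31u + buf[i + 1];
    if (i < n) acc = acc * 31u + buf[i];
    return acc;
}

/* Static diversity: the variant is fixed when the binary is built (emulated
 * with a compile-time macro); every run has the same trace, so once an
 * observer has learned it, that knowledge stays valid. */
#ifndef STATIC_VARIANT
#define STATIC_VARIANT 0
#endif
uint32_t checksum_static(const uint8_t *buf, size_t n) {
    return STATIC_VARIANT ? checksum_variant_b(buf, n) : checksum_variant_a(buf, n);
}

/* Dynamic diversity: the variant is chosen afresh on every call, so two
 * traces of the same input need not match. rand() stands in for a real
 * entropy source in this illustration. */
uint32_t checksum_dynamic(const uint8_t *buf, size_t n, int *variant_used) {
    int v = rand() & 1;
    if (variant_used) *variant_used = v;
    return v ? checksum_variant_b(buf, n) : checksum_variant_a(buf, n);
}

/* Runs the dynamic version `calls` times on one input; returns how many calls
 * took variant B, or -1 if any result ever differed from the static version. */
int count_variant_b(const uint8_t *buf, size_t n, int calls) {
    uint32_t expect = checksum_static(buf, n);
    int used_b = 0;
    for (int k = 0; k < calls; k++) {
        int v;
        if (checksum_dynamic(buf, n, &v) != expect) return -1;
        used_b += v;
    }
    return used_b;
}
```

Building with `-DSTATIC_VARIANT=1` gives the other fixed version, which is what a static diversification toolchain would do per binary; the dynamic version mixes both within a single process.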
On a related note, can you explain the problem that Readactor, the product you created, solves? Have you ever considered commercializing it?
Readactor is another way to solve one problem that static diversity faces: the attacker can adapt to your changes by reading the program post-diversification. One way to fix this is by preventing them from reading the code. I’ll come back to commercialization below.
What’s the usual end goal for people looking to exploit side channel vulnerabilities?
The usual goal is to extract information, like encryption keys or passwords.
What’s the current state of software diversification? Are there effective commercial methods that currently exist?
There’s not a lot of commercial diversification, I guess the most popular one is ASLR (Address Space Layout Randomization), which is now integrated in all operating systems (Windows, Linux, Mac OS). I’m not really sure about other diversification software. Software diversity is a very popular topic in academia right now.
A lot of your work involves securing code; what do you think about tools like Checkmarx which identify known vulnerabilities in code as developers are writing it?
I’m not very familiar with those tools. In a more general sense, static analysis of programs is a great approach, but I think it’s more complementary to low-level approaches like diversity and control-flow integrity, rather than complete replacements. While you’re analyzing code, finding bugs and working on fixing them, it can help to also have a blanket defense that prevents some unknown/unexpected attacks before they’re patched.
What’s the path that led you to the study of securing software?
I started my PhD in 2010 and joined Professor Michael Franz’s group at UCI, and I worked on software diversity as a member of his team.
You seem very entrepreneurial; do you have a plan for what you want to do after you finish your PhD?
I finished my PhD this June; I’m now working with a few colleagues on commercial applications for software diversity. We started a company called Immunant Inc (it’s still very early stage; we don’t have a lot to say about it yet).
- CyberArk paid $30.5 million for Boston-based Viewfinity, which it expects will add $7-9 million in revenue in 2016. Viewfinity controls user permissions on Windows networks.
- The bug bounty provider has also tripled its employee count since 2014.
- The incident response market is young, but the existing firms (Hexadite, Resolution1, DF Labs and ID Experts) are seeing tremendous growth. Resilient doubled its headcount in the past year to 80 employees.
- The Israeli company uses “polymorphism” to protect against targeted and zero-day attacks.
- The round was led by JMI and NEA with participation from Accel and Split Rock. CEO Joe Payne says that the company wants to begin collecting and using data about employees’ backups to expand beyond just backing up employees’ files.