Shape-Shifting Website Code: The Solution to Ever-Changing Threats?

While antivirus and tech-security companies search for ways to detect and deflect current threats, hackers are creating a host of new viruses, rootkits and Trojans. But according to a recent WHIR article Google-backed startup Shape Security may have the answer to constantly changing threats: polymorphic code.

But can it really work?

Many Shapes, One Intent?

What is polymorphic code? Put simply, this kind of code dynamically changes to achieve the identical results but appear different each time it is run. Consider a math problem for comparison: 10-7 and 2+1 yield the same answer, but the equations look completely different. To create this combination of changing exterior and static interior, polymorphic code is encrypted. Each time a program executes, its encryption and decryption keys are rewritten, making it almost impossible to detect.

Not surprisingly, polymorphic code got its start on the wrong side of the tracks. As noted by the Computer Security Resource Center (CSRC) in its “History of Viruses,” variable encryption arrived in 1989 with the 1260 virus, coded by Mark Washburn. The virus was built on Ralph Burger’s Vienna virus source code, but Washburn made it more difficult to detect by randomizing its decryption algorithm. Hacker Dark Avenger created the Mutation Engine in 1992, which could be attached to any malware and make it polymorphic.

Google’s Polymorphic Gambit

Shape Security is filled with former Google staffers, so it’s no surprise the search giant has contributed part of the $26 million initial investment. The company’s big idea is to take static elements on a webpage — HTML, JavaScript or CSS code — and make them dynamic. Instead of giving hackers a stable, steady target to shoot for, the ShapeShifter appliance rewrites web code so that each examination of a page is different — in other words, it uses polymorphic code to deflect instead of attack. As Shape Security CEO Derek Smith puts it, “Rather than guessing about traffic and trying to intercept specific attacks based on signatures or heuristics, we allow websites to simply disable the automation that makes these attacks possible.”

Experts are split on the potential impact of Shape’s solution. A recent ZDnet article notes that using polymorphic code for white-hat endeavors could affect the economics of large-scale malware attacks; at the very least, hackers would be forced to stop relying on automated attacks. But as Jeremiah Grossman, CTO of WhiteHat Security, pointed out in a recent Forbes piece, Shape has to persuade security pros that they should add another appliance and also reassure them that polymorphic code won’t slow down websites or negatively affect the user experience.

Everyday Polymorphism?

To combat online threats, most reputable web hosts offer access to real-time security-monitoring services, many of which boast detection rates of over 95 percent. Polymorphic code, however, isn’t designed to take the place of detection and disinfection services; rather, it acts as a frontline deflection method, virtually eliminating static elements on a web page.

As software engineer Peter Kleissner notes on his research and development website, some companies (for example, Google) already use polymorphic code to encrypt proprietary software and algorithms. But is it realistic for the everyday website owner to run a polymorphic appliance? Although Shape Security is currently rolling out seven- and eight-figure enterprise contracts, the next step in their plan is to add cloud-based service, allowing small and midsize companies the same kind of access.

Much like the cloud, ShapeShifter comes packaged with an inherent asset and an inherent flaw: It is disruptive. Polymorphic code relies on methods typically regarded as black hat and forces companies to give up a measure of control over their web data, which means both eager adoption and stinging backlash are likely outcomes. While there’s evidence that this kind of code can work effectively as a safeguard rather than a subversive, time will tell if a great idea — and Google’s backing — is enough to shift the web security landscape.

[image: iStock/ThinkStockPhotos]