Promoted Questions

This is a short list of our most frequently asked questions. For more information about Polyverse, or if you need support, please contact us.

  • What is Polyverse, and what does Polyverse do?
    Polyverse is a cybersecurity solutions provider that protects clients’ systems with its Polymorphic Linux program. The program randomizes and hardens open-source Linux distributions using Moving-Target Defense technologies that are extraordinarily difficult for attackers to penetrate. Polyverse's Polymorphic Linux automatically protects the full Linux stack, all 10,000+ open source projects on Linux, from Apache to Zsh, Java to Ruby, with no change to your application performance or scale.
  • Where does Polyverse run?
    Polyverse's Polymorphic Linux is available for platforms that are compatible with the following distributions of Linux:
    • Alpine (v3.6 and v3.7)
    • CentOS 6 (currently 6.9) and 7 (currently 7.5)
    • Fedora (versions 23, 24, 25)
    • Ubuntu (16.04)
    Additional support for distributions may be available on a custom engagement basis.
  • How is Polymorphic Linux different from ASLR?
    ASLR focuses on offsetting the relative base address of the program’s memory. This tactic can be defeated by the attacker figuring out the offset and then adjusting all of their calculations by that value. Our scrambling compiler does not simply offset the base address of the program’s memory; it completely changes the memory footprint of the binary, such as which registers are used, where functions live, and where return and jump instructions land. This is all done while maintaining semantic equivalence with the original, stock binary, which means that ASLR can also be used on a scrambled binary.

    ASLR is a linear change of address, meaning the attacker only needs to guess one number.

    Polymorphic Linux reorders blocks in memory, as well as functions in memory. Mathematically, the scrambled code cannot be reversed into something that can be hijacked.

General Questions

These are questions that we thought would be great to answer. For more information about Polyverse, or if you need support, please contact us.

  • What is the meaning of "Polyverse"?
    "Polyverse" is a term from quantum physics. Specifically, it is a multiverse of multiverses. A multiverse is the idea of parallel universes (see https://en.wikipedia.org/wiki/Multiverse). Particularly, in a polyverse of multiverses, the different universes may have different physics. We chose Polyverse as the name of our company to present the idea of creating extreme diversity from a single starting point.
  • Who are your main competitors? / What is this like? / Who else does this?
    Moving Target Defense has been extensively researched in academia for over twenty years and found to be extremely effective. MIT recently published a very thorough survey of the academic work in this area; you can find it here: http://web.mit.edu/br26972/www/pubs/mt_survey.pdf.

    Polyverse is the leading provider of Moving Target Defense technologies: we operate at an unrivaled scale, creating millions of unique versions of Linux daily.
  • Is Polymorphic Linux effective?
    Polyverse has been proven to be 100% effective against memory-based cyberattacks, which account for about two-thirds of the vulnerabilities patched in 2017.
  • Does Polymorphic Linux break my stuff?
    High-level answer: No. We use a theoretically sound scrambling methodology that operates at the compiler level; each compilation of the same source code produces different machine code that still behaves identically to every other build of that source code. This is the key reason we require source code during scrambling.

    Low-level answer: Compiling source code into machine code involves a myriad of decisions by the compiler about which machine instructions to generate, in what order, and at what locations in memory. A significant number of these decision points have multiple possible answers with equivalent results and performance. For example, the sum “a + b + c” can be computed in left-to-right, right-to-left or middle-first order. All other things being equal, a normal compiler makes an arbitrary and *consistent* choice (say, left-to-right evaluation). In this simple example, our scrambling compiler would instead randomly choose one of the six equivalent orderings (a+b+c, a+c+b, b+a+c, etc.) when generating machine code, producing different machine code per build. Our scrambling compiler supports a large variety of such equivalence decisions, and the combination of all of these randomized choices yields machine code that differs on every compilation. Leveraging it is very difficult for an attacker without a priori knowledge of the exact scrambled build being attacked and a considerable amount of effort.
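    The evaluation-order example above as a toy model, added here and not Polyverse's compiler: a tiny code generator that emits one of several semantically equivalent instruction sequences for a sum, selected by a build seed, plus an interpreter that confirms every variant computes the same value. The pseudo-instruction set, register names and seed mechanism are invented for illustration.

```python
import random
from itertools import permutations

# Toy model of compile-time diversification. The pseudo-instruction set,
# register names and seed mechanism are invented for illustration; this is
# not Polyverse's compiler.


def equivalent_shapes(operands):
    """Enumerate every code shape the toy compiler may pick for a sum.

    A shape is (operand order, accumulator register). Integer addition is
    commutative and associative, so every shape computes the same value.
    """
    regs = [f"r{i}" for i in range(1, 8)]
    return [(order, acc) for order in permutations(operands) for acc in regs]


def compile_sum(operands, seed):
    """Emit three-address pseudo-instructions for summing `operands`.

    A stock compiler would always pick one fixed shape; here the build seed
    selects a random shape, so two builds of the same source differ in
    operand order and register use while staying semantically equivalent.
    """
    order, acc = random.Random(seed).choice(equivalent_shapes(operands))
    code = [("mov", acc, order[0])]
    for name in order[1:]:
        code.append(("add", acc, name))
    code.append(("ret", acc))
    return code


def run(code, env):
    """Interpret the pseudo-instructions over concrete operand values."""
    regs = {}
    for ins in code:
        if ins[0] == "mov":
            regs[ins[1]] = env[ins[2]]
        elif ins[0] == "add":
            regs[ins[1]] += env[ins[2]]
        elif ins[0] == "ret":
            return regs[ins[1]]
        else:
            raise ValueError(f"unknown instruction {ins[0]}")
    raise ValueError("code fell off the end without ret")


def distinct_builds(operands, n_builds):
    """Count how many different instruction sequences n_builds seeds yield."""
    return len({tuple(compile_sum(operands, seed)) for seed in range(n_builds)})


if __name__ == "__main__":
    env = {"a": 1, "b": 2, "c": 3}
    for seed in range(3):
        code = compile_sum(["a", "b", "c"], seed)
        print(seed, code, "->", run(code, env))
    print("distinct shapes across 100 builds:",
          distinct_builds(["a", "b", "c"], 100))
```

    For three operands the toy has 6 orderings times 7 registers, i.e. 42 shapes; a real compiler multiplies many such independent choices across a whole binary, which is where the diversity the answer describes comes from.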
  • Polymorphic Linux is too complex - we don’t want to use compilers and have to compile everything. Is there an easier way?
    Yes! Polymorphic Linux is mainly delivered through our scrambled binary repositories. Run our installation script to set our repository as the primary repository for your supported Linux distribution; once you reinstall your existing packages, or install any new ones, the binaries you receive are already scrambled.
  • Does this give me logs/metrics/data?
    Polymorphic Linux packages are semantically equivalent to the standard, non-scrambled binaries you have used in the past. Functionality-wise, it’s just Linux.

    Thus, all of the logging, analytics, and other software and configuration management tools you currently use continue to work unmodified. Even better, since Polyverse stops memory-based attacks, these failed attacks show up in standard logging mechanisms (e.g. syslog) rather than silently succeeding.
  • How do I get started?
    You can get started right away by signing up for a free account here. You will automatically get a free trial of the paid version of Polymorphic Linux for thirty days. This means access to your own private repositories, and one new set of scrambled binaries every twelve hours!
  • Do you have documentation, videos, demos?
    Yes, we do! You can find this information on our resources page. You can also contact us for more information at info@polyverse.io.
  • Can you share an example of a breach that could have been prevented through Moving-Target Defense?
    WannaCry: a well-engineered exploit that took advantage of a flaw in Windows. The attackers had very detailed knowledge of what data was in which register, which let them corrupt files and hold them for ransom. Attackers no longer have that detailed knowledge of a system that employs Moving-Target Defense technology.

    StackClash: a Linux attack whose idea was to bypass traditional defenses by making a program's stack grow until it adjoins the heap. Where the heap and stack grow toward each other and meet, it becomes possible to hop from the stack into the heap; at that point traditional ASLR and stack guards can be bypassed and attacks run directly using ROP and other gadgets. This attack is especially harsh because it can be performed over the wire: the vulnerability can be exploited solely by sending traffic to a machine. However, like WannaCry, it fundamentally relies on knowing attributes of the target system. Moving-Target Defense techniques would completely prevent this type of attack.
  • Do we need to recompile to take advantage of Polymorphic Linux?
    No. Simply run the install script and go. The install script merely points your system’s package repository to Polyverse’s package repository.
  • Can pre-compiled binaries be scrambled on Windows?
    In a way, yes: we call it binary-to-binary scrambling. There is a feature of x86 code where certain instructions are only dynamically resolvable (not resolvable unless they are running). Basically, we have to run a JIT compiler to observe things before we can make a correct assertion on them. We cannot look at static x86 code and make a proper assertion on that block, because it could have dynamically executable code, so our compiler has to have a live observer to watch for this.
  • What languages are supported?
    We support all major programming languages, including C/C++, Python, Go, Ruby, NodeJS/Javascript, PHP, and Java.
  • If you do not know the hashes of a binary ahead of time, then how will you be able to verify that the binary has not been modified by a malicious party?
    There are several ways that you can be certain that the binary has not been maliciously modified. One assumption we make is that you have configured your nodes to always point to the Polyverse scrambled binary repository.

    1. Each package served through the repository has a hash listed in a signed index file, so you do know the hashes ahead of time.
    2. Each index file is signed by us, so the chain of trust is: Polyverse key → signed repository index → hashes of packages → download package and verify that its hash matches.
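    As an added example that is not Polyverse's code, the following Python models the chain of trust in the two steps above: the index signature is checked first, and only then are the per-package digests in it trusted to verify downloads. The index layout, the package contents, and the HMAC used in place of a GPG detached signature are all constructed stand-ins so the example runs offline.

```python
import hashlib
import hmac

# --- Constructed sample data (not Polyverse's real index format) ----------
# Package payloads a mirror might serve; the bytes are arbitrary.
PACKAGES = {
    "pool/example-lib_1.0.pkg": b"constructed package payload A",
    "pool/example-tool_2.3.pkg": b"constructed package payload B",
}

# Stand-in signing key. A real repository signs with an asymmetric key (GPG);
# HMAC-SHA256 is used here only so the example runs without gpg installed.
REPO_KEY = b"constructed-repository-signing-key"


def build_index(packages):
    """Build a text index listing each package's path and SHA-256 digest.

    The layout is modelled loosely on apt-style Packages files: one record
    per package, records separated by a blank line.
    """
    records = []
    for path, data in sorted(packages.items()):
        digest = hashlib.sha256(data).hexdigest()
        records.append(f"Filename: {path}\nSHA256: {digest}\n")
    return "\n".join(records)


def sign_index(index_text, key=REPO_KEY):
    """Produce the detached 'signature' over the index (HMAC stand-in)."""
    return hmac.new(key, index_text.encode(), hashlib.sha256).hexdigest()


def verify_index_signature(index_text, signature, key=REPO_KEY):
    """Step 1 of the chain: check the index against the repository key.

    Constant-time comparison, so a forged tag cannot be narrowed byte by byte.
    """
    return hmac.compare_digest(sign_index(index_text, key), signature)


def parse_index(index_text):
    """Step 2: extract path -> expected SHA-256 from an already-verified index."""
    hashes = {}
    current = {}
    for line in index_text.splitlines() + [""]:
        if not line.strip():  # blank line (or end) closes a record
            if "Filename" in current and "SHA256" in current:
                hashes[current["Filename"]] = current["SHA256"].lower()
            current = {}
            continue
        field, _, value = line.partition(":")
        current[field.strip()] = value.strip()
    return hashes


def verify_package(path, data, hashes):
    """Step 3: compare the downloaded bytes against the digest in the index."""
    expected = hashes.get(path)
    if expected is None:
        return False  # unlisted package: never install it
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)


def install_from_repo(index_text, signature, downloads, key=REPO_KEY):
    """Run the whole chain and return the paths that passed every check.

    Raises ValueError if the index signature fails, before any hash in the
    index is consulted, and for the first download whose digest mismatches.
    """
    if not verify_index_signature(index_text, signature, key):
        raise ValueError("repository index signature invalid")
    hashes = parse_index(index_text)
    accepted = []
    for path, data in downloads.items():
        if not verify_package(path, data, hashes):
            raise ValueError(f"hash mismatch or unlisted package: {path}")
        accepted.append(path)
    return accepted


if __name__ == "__main__":
    index = build_index(PACKAGES)
    sig = sign_index(index)
    print(install_from_repo(index, sig, PACKAGES))
```

    The ordering matters: the digests are only meaningful once the index carrying them has been authenticated, which is why the signature check happens first and a package that is not listed in the index is rejected rather than installed unverified.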
  • Do you provide modified binaries for ElasticSearch's ELK (elasticsearch, logstash, kibana) stack?
    We do provide scrambled ELK binaries, but currently only as part of a custom deal. The self-service product that you used covers the base OS plus a subset of EPEL.
  • Why is this solution better than existing ones?
    Identify an existing technology that caught, or would have caught, the following bugs:
    • Intel’s Management Engine vulnerability
    • Heartbleed
    • The SystemD buffer overrun flaw
    • WannaCry

    These are real bugs that affected real people, with real stakes. They made national headlines, and one of them shut down a large part of the healthcare infrastructure in England.

    Existing methodologies did not stop these, nor do they have a clear path to stopping them in the future. Heartbleed existed in OpenSSL for a decade. The flaw WannaCry exploited has existed since Windows XP, well over 18 years at this point.

    Moving-Target Defense is the only approach that would have mitigated these, stopped their spread, and has a clear, intuitive path to doing so.
  • What if the solution is implemented on an isolated company network? How will the licenses work? Will there be any offline updates?
    A number of Polyverse customers work on isolated and/or air-gapped networks. Since we distribute through the standard package repository mechanisms, existing tools like apt-mirror (Ubuntu) and reposync (CentOS) work well. In short, we typically reuse whatever mechanism is currently used to get patches and so forth onto the isolated network; the only change is that Polyverse becomes the upstream root.

    Contact us and we can help get this set up.
  • What do you guys really stop?
    ROP gadgets and hijacking of control flow, i.e. the effects of buffer overruns, use-after-free bugs and bad pointers: basically, whatever ASLR should have stopped, we stop to a much higher degree.
  • Is it per VM that will use the packages? What about “dev” VMs? Is it only for production VMs that are shipped?
    The core “per node” licensing: a node is 1 virtual machine instance or 1 two-socket physical server.

    Licenses are portable—what matters is the number of active nodes using Polyverse at any given time. It is OK for example for a base VM image to install Polyverse, and then a new instance of that VM is created daily. This is meant to encourage folks to recycle and reset their instances as frequently as possible.
