
How Open Source Zerotect Detects Buffer Overflow Attacks


Buffer overflow attacks are the most notorious attacks of all. They are hard to detect and they are everywhere, all the way from WannaCry to Meltdown. As destructive as they are, BROP attacks are also extremely hard to detect, because they run under the noise of day-to-day operations. To give organizations a powerful yet lightweight tool to defend against these attacks, Polyverse has created Zerotect. It’s a small open-source agent that monitors kernel logs, looking for conclusive proof of memory-based exploits in the side effects those attacks leave behind. In the latest episode of ‘Linux & Open Source Security’, we invited Polyverse CEO Alex Gounares to take a deep dive into Zerotect.

Here is the lightly edited transcript of the discussion:

Swapnil Bhartiya: So let’s start with what exactly is Zerotect, and how does it work?
Alex Gounares: Zerotect is a new open source tool to detect otherwise undetectable memory attacks. In particular, we detect some of the most sophisticated attacks that are being launched today.

Swapnil Bhartiya: When you look at cyberattacks in general, how severe are buffer overflow attacks in terms of damage, and how pervasive are they?
Alex Gounares: These are some of the toughest attacks out there. If you look at studies from Verizon, IBM’s Ponemon Institute and so forth, the numbers vary in precision, but roughly two-thirds to three-quarters of all successful attacks are memory-based attacks. So these are your WannaCry attacks or Equifax attacks. Your Sony, Target, Home Depot, PBP, systemd, Spectres, Meltdowns – these are all forms of memory attack. So it is the most pernicious type of attack out there.

Swapnil Bhartiya: You also maintain a database on vulnerabilities and attacks. Have you seen any increase?
Alex Gounares: As we’ve talked about before, I think we have seen a notable increase in cyber attacks, particularly in the era of the pandemic. With everybody working from home and putting greater strains on IT systems, we have more people connecting in ways that they did not use to connect. And that’s creating a lot more challenges, both for IT and security departments, but commercially it is creating a lot of opportunities for attackers.

Swapnil Bhartiya: And how hard is it to detect these buffer overflow attacks?
Alex Gounares: It’s both… Fairly straightforward, I mean, the source code is out there for anybody to read. So you can read the source code and see exactly the algorithms and techniques we use to detect these attacks. So on one hand, it’s not all that complicated, but on the other hand, these are typically attacks that are bypassing all of the traditional cybersecurity defenses, like your firewalls and antivirus.

If you install Zerotect, and it’s a very lightweight agent, there are no dependencies; it works on pretty much any version of Linux, going back the last 15 years. Because again, it has no dependencies, it’s a very simple install. If Zerotect flags an issue, then A, you can be very confident that it’s an issue, and B, you can also be confident that that attack is bypassing all of your deployed defenses. No matter what you have deployed, once the attacker is actually interacting with the machine, they’ve gotten past your other defenses.

Swapnil Bhartiya: If you look outside of what you are doing with Zerotect, how hard has it traditionally been for players to detect these attacks? Because, if it was so easy to detect, everybody should be doing it.
Alex Gounares: So before it was very difficult because people were hiding in the noise. This is the basic challenge. And this is what the attackers were doing. They were using very sophisticated algorithms that were tantamount to discovering grains of sand randomly picked in the world. And because of that, we’re at this sort of super-low threshold, very, very lightweight attack algorithms, they basically went undetected as noise, just with normal, random crashes and other hiccups that any system gets.

If you’re running any kind of large-scale service, you’re going to have thousands of events an hour anyway, just random stuff happening, servers that need to reboot, running out of memory, running out of disk space. And this is the normal day-to-day operation of any complex data center. And so these attacks were basically running in under the noise of just day-to-day life. And that’s what we’re able to now suss out and look for: very specific telltale signatures of these memory attacks.

Swapnil Bhartiya: Polyverse keeps coming up with a solution, but why did you create the solution now?
Alex Gounares: We’re very simply responding to market needs. With our technologies, we do a very effective job at stopping these memory attacks. And for our most sophisticated customers, they already had in place the mechanisms needed to understand the nature of the attacks, to do the forensics, to understand that we were actually being effective and so forth.

And as we’ve been expanding our customer base and going to a broader audience, what we realized very quickly was that the standard commercially available detection tools that your average Fortune 500 was using were not detecting the attacks. And so we saw a gap in the market, and since we’re not a detection company, we focus on resiliency, we decided to offer this for free, because there’s a lot to detection and reporting, and all the analytics, and auditing, and various other features that a tool like FireEye or Palo Alto has.

So there’s a very rich set of capabilities. There are a lot of players in the market, and it’s very competitive. We didn’t see any need to reinvent the wheel, but we do want to augment those capabilities. So our standard detection agent, the Zerotect tool, plugs into all of the standard SIMs, the Security Incident Monitors that are out there, because it uses just the standard CEF format.
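To make the idea of "telltale signatures in kernel logs" concrete, here is a small added example of a detector over dmesg-style segfault lines that emits a CEF record of the kind a SIEM would ingest. It is illustrative code written for this article, not Zerotect's own code or anything published by Polyverse. It assumes the standard Linux `segfault at … ip … sp … error … in …[base+size]` log line format, a heuristic (stated as an assumption, not Zerotect's documented logic) that a burst of crashes in the same executable with differing instruction pointers is suspicious, because an ordinary bug tends to crash at the same address every time, and placeholder CEF header values (vendor name, product name, signature id). The sample log lines are constructed.

```python
"""Toy kernel-log segfault-burst detector with CEF output (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed dmesg-style lines for the demo; not captured from a real host.
# The nginx entries crash at four different instruction pointers within a
# second; the myapp entries crash at the same ip twice (an ordinary bug);
# the OOM line is the kind of unrelated noise a real log is full of.
SAMPLE_DMESG = """\
[ 1001.100000] nginx[4011]: segfault at 0 ip 000055d1c0a1b2c3 sp 00007ffd1e2f3a40 error 4 in nginx[55d1c0a00000+100000]
[ 1001.300000] nginx[4012]: segfault at 0 ip 000055d1c0a1b2c7 sp 00007ffd1e2f3a40 error 4 in nginx[55d1c0a00000+100000]
[ 1001.900000] kernel: Out of memory: Killed process 6001 (java) total-vm:4194304kB
[ 1002.000000] nginx[4013]: segfault at 0 ip 000055d1c0a1b2cb sp 00007ffd1e2f3a40 error 4 in nginx[55d1c0a00000+100000]
[ 1002.200000] nginx[4014]: segfault at 0 ip 000055d1c0a1b2cf sp 00007ffd1e2f3a40 error 4 in nginx[55d1c0a00000+100000]
[ 1500.000000] myapp[5001]: segfault at 8 ip 0000000000401136 sp 00007ffe9a8b7c50 error 6 in myapp[400000+1000]
[ 1600.000000] myapp[5002]: segfault at 8 ip 0000000000401136 sp 00007ffe9a8b7c50 error 6 in myapp[400000+1000]
"""

# Standard x86 Linux segfault report shape, prefixed by the dmesg uptime stamp.
SEGFAULT_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+"
    r"(?P<comm>\S+?)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>\S+?)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


@dataclass(frozen=True)
class Segfault:
    ts: float        # seconds since boot, from the dmesg prefix
    comm: str        # process name
    pid: int
    addr: int        # faulting data address
    ip: int          # instruction pointer at the time of the fault
    err: int         # page-fault error code bits
    obj: str         # executable/object the fault was in


@dataclass(frozen=True)
class Alert:
    obj: str
    count: int
    distinct_ips: int
    start: float
    end: float


def parse_dmesg(text):
    """Return the segfault events in a dmesg dump; non-matching lines are noise."""
    events = []
    for line in text.splitlines():
        m = SEGFAULT_RE.match(line)
        if not m:
            continue
        events.append(Segfault(
            ts=float(m["ts"]), comm=m["comm"], pid=int(m["pid"]),
            addr=int(m["addr"], 16), ip=int(m["ip"], 16),
            err=int(m["err"]), obj=m["obj"],
        ))
    return events


def detect_bursts(events, window_s=60.0, min_events=4, min_distinct_ips=3):
    """Flag an executable that segfaults >= min_events times inside window_s
    seconds at >= min_distinct_ips different instruction pointers.
    (Assumed heuristic: repeated crashes at the same ip look like a bug,
    crashes spread over many ips look like something probing memory.)"""
    by_obj = defaultdict(list)
    for ev in events:
        by_obj[ev.obj].append(ev)
    alerts = []
    for obj, evs in by_obj.items():
        evs.sort(key=lambda e: e.ts)
        for i in range(len(evs)):
            window = [e for e in evs[i:] if e.ts - evs[i].ts <= window_s]
            ips = {e.ip for e in window}
            if len(window) >= min_events and len(ips) >= min_distinct_ips:
                alerts.append(Alert(obj, len(window), len(ips),
                                    window[0].ts, window[-1].ts))
                break  # one alert per executable is enough for the demo
    return alerts


def _cef_header(field):
    # CEF header fields escape backslash and pipe.
    return field.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value):
    # CEF extension values escape backslash and equals sign.
    return str(value).replace("\\", "\\\\").replace("=", "\\=")


def to_cef(alert):
    """Render an Alert as a CEF:0 line (vendor/product/signature id are placeholders)."""
    header = "|".join(_cef_header(f) for f in (
        "CEF:0", "ExampleVendor", "segfault-burst-demo", "0.1", "100",
        "Segfault burst with varying instruction pointers", "8"))
    ext = " ".join([
        f"dproc={_cef_ext(alert.obj)}",
        f"cnt={alert.count}",
        f"cs1Label=distinctInstructionPointers cs1={alert.distinct_ips}",
        f"msg={_cef_ext(f'uptime {alert.start:.3f}s to {alert.end:.3f}s')}",
    ])
    return f"{header}|{ext}"


if __name__ == "__main__":
    for alert in detect_bursts(parse_dmesg(SAMPLE_DMESG)):
        print(to_cef(alert))
```

Run as-is it prints one CEF line for `nginx` and nothing for `myapp`, which is the point of the heuristic: the same log stream that a crash-counting rule would flag twice is separated by whether the instruction pointer moves between crashes. The thresholds are deliberately parameters, since the right values depend on how noisy a given fleet's crash baseline is.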
