Written by the team at Polyverse, one of our sponsors.
Dealing with cybersecurity beyond the attention-grabbing headlines can challenge your worldview. One quickly realizes that while billions of dollars continue to be invested in identical solutions, there is a dramatic increase in high-profile security breaches with no end in sight. Every week Polyverse puts out a blog on data breaches for that week; needless to say, there is never a lack of content.
Polyscripting
It has been an interesting transition from being a student less than a year ago, to working on and building my own product at a cybersecurity startup. I started at Polyverse in June working on an open-source project that could eradicate code injection attacks. It was my first job in tech and it was hard not to be skeptical when the CEO and CTO described the project as “a way of fixing the internet”. This was reinforced by the number of skeptics I ran into every day. However, once I understood the philosophy and thought behind Polyscripting my skepticism was replaced by excitement. An excitement that is fueled further every few weeks when another exploit, vulnerability, or breach is announced that the solution I am working on would have prevented.
Moving Target Defense
Polyverse employs the philosophy of Moving Target Defense for cybersecurity. By changing our systems to be unique on demand, such that an attacker finds them unfamiliar, we can defend against the attacker by moving what they target. To explain MTD very simply: imagine a hacker builds an exploit that relies on a set of conditions that must be met in order to achieve their malicious intent. Since it is trivial to recreate almost any system in use today, being that they are all identical, the attacker is able to figure out how to exploit these set of conditions at their convenience—after all the target system isn’t changing and they have all the time in the world.
Moving Target Defense breaks that assumption. If the set of conditions are not identical across all systems, and furthermore they are changing frequently, the attacker is thwarted on two fronts: they have no way of recreating the conditions on the target system, and they have a very small window of time in which to exploit it. This eliminates the attack vector as a whole. While guarding against an exploit sounds tempting, it is sometimes impossible to know that a vulnerability even exists at all until it has been tragically exploited.
The “Killer App” of the PHP programming language
WordPress is the most dominant Content Management System on the planet. Its turnkey applicability from entry-level hobbyist blogs to hosting content for the largest corporations, all while being open-source and free, makes WordPress the most popular choice for building websites today. WordPress is the “Killer App” of the PHP programming language. The tight symbiosis between the two, also directly ties it to PHP’s baggage and vulnerabilities. One of the many vulnerabilities that plague PHP (and by extension, WordPress) is code injection and remote code execution attacks. This type of vulnerability is unique in that it can only be fixed by patching the code. Without a fix from PHP or WordPress, it cannot be easily mitigated against by average users.
My project, Polyscripting, aims to stop code injection and remote code execution exploits in PHP once and for all. Although PHP is reliable, fast and relatively easy to learn, it is vulnerable to a comprehensive list of bugs. This is not helped by the vast number of live WordPress websites that are still using legacy (no longer patched/supported) PHP. This tight coupling between PHP and WordPress can often lead to a PHP language vulnerability (of which there are plenty), being synonymously reported as a flaw in WordPress. The two are inseparable.
Polyscripting applies the aforementioned Moving Target Defense philosophy to vulnerable server-side languages like PHP while being entirely open-source and free. It achieves this by changing the language at compile time. This means that the syntax and grammar that the language will understand is completely unique and randomized. Polyscripting gives your site its own unique programming language that is generated on the fly, and thus unknown to any attacker. You can see where this is going – if an attacker does not know the language, they cannot exploit it.
Functionality
Functionally the website works exactly the same. It is written and maintained in PHP, but when the source code gets pushed to production, the language on the server is one that has been generated unique only to that server. The site’s source code is simply transformed to match the new language. The result: a website that no longer understands standard PHP code, yet functions exactly as intended. A malicious actor does not know that, and any attempt to inject and execute PHP code, as they will mistakenly do, will result in a syntax error, rather than a data breach or other unauthorized access. This kills two birds with one stone: The attacker is stopped completely against a vulnerability we don’t yet know exists, and thanks to a syntax error, we now detected the vulnerability! The attack didn’t work, and the hack helped us fix the root cause.
Nothing to sell, Nothing to gain
Polyverse is convinced this methodology is a game changer and is, therefore, building Polyscripting for PHP under a liberal open source license. Polyverse is sponsoring Seattle’s WordCamp 2018 to introduce the benefits of Polyscripting to the WordPress community. Polyverse is a unique sponsor in that we have nothing to sell, nothing to gain, except perhaps spreading the idea of a new way of thinking about Cybersecurity. Polyverse’s mission is to build tools that are simple to use by operators and developers, completely seamless and transparent to end-users and consumers, and actually stop zero-day exploits that are completely unknown.
With Polyscripting enabled, WordPress remains WordPress for the bloggers, content writers and business owners. For those developing on WordPress or providing hosted WordPress, or those hosting WordPress, Polyscripting strives to maintain the exact same flow used today – working transparently. For an attacker attempting to execute code remotely, Polyscripting gets in their way.
To make it even easier to use Polyscripted WordPress, Polyverse has partnered with managed WordPress hosting provider, PressCaptain, with whom we are working to ensure we stay true to our cause of ensuring that usage is simple, maintainable, scalable, and obvious.
Powerful even in its Infancy
Polyscripting is an idea that is powerful even in its infancy, but as more people use and improve it, the project has the potential to solve a significant problem. Code injection is a real problem and despite the numerous existing solutions that claim to prevent these attacks from happening, new vulnerabilities are exploited and remote code execution is still happening consistently. WordPress is the perfect target for these kinds of attacks, being widely used and built with a language known for excessive vulnerabilities. That makes WordPress the perfect use-case for Polyscripting. To read up more check out https://polyverse.io/polyscripting/ or visit the open-source GitHub repos.
https://github.com/polyverse/polyscripted-php
https://github.com/polyverse/ps-WordPress
themes, child themes, plugins, and custom functionality for websites. WordPress makes content updates a breeze for me, my business partner who is not a coder, and our clients that choose to accept the challenge of managing their own content. Of course, I’m a developer, I could write code all day. But time is precious and WordPress makes it so much easier to do really cool and complex things than if I were to hand-code a site. I’ve been using WordPress for about 10 years so I’ve learned many tricks!