DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports Events Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
What's in store for DevOps in 2023? Hear from the experts in our "DZone 2023 Preview: DevOps Edition" on Fri, Jan 27!
Save your seat
  1. DZone
  2. Software Design and Architecture
  3. Security
  4. Layout Randomization (NSLR) Makes Java-Based Code Injection Vulnerabilities Impossible to Exploit

Layout Randomization (NSLR) Makes Java-Based Code Injection Vulnerabilities Impossible to Exploit

New security innovation fully protects against highly exploited application weakness.

Tom Smith user avatar by
Tom Smith
CORE ·
Feb. 13, 17 · News
Like (1)
Save
Tweet
Share
3.56K Views

Join the DZone community and get the full member experience.

Join For Free

It was great talking to John Matthew Holt, CTO and James E. Lee, E.V.P. and CMO at Waratek, a virtualization-based application security company, about their new application security technique called Name Space Layout Randomization (NSLR) that neutralizes code injection attacks. Waratek NSLR shares some principles used in Address Space Layout Randomization (ASLR), a memory-protection process for operating systems. The Waratek Application Security Platform now ships standard with NSLR protection built-in.

According to the 2016 Verizon Data Breach Investigation Report, web application attacks are the top source of data breaches today. To be successful, a code injection exploit needs to know the exact names of classes and packages that must be invoked. By randomizing Java class packages, Waratek NSLR prevents any code injection exploit from finding its targets.

At the same time, it offloads security from developers into the runtime providing accurate, reliable security automatically with no false positives and no false negatives. Once it's launched into the plarform, all code changes are monitored for security with no affect on latency or performance.

Security is a fundamentally complext issue. With more than 1,000 vulnerabilities, taking the responsibility off the shoulders of developers gives them the freedom to think about the code they are developing and the business problem they are working to solve. Security is so insecure, we are at a crisis point which requires an automated solution like Waratek.

“Current approaches for protecting against known code injection attacks involve applying a patch, fixing the vulnerability or disabling the flawed functionality, if possible. Alternatively, web application firewalls can mitigate some threats, but are often plagued by false positives,” said John Matthew Holt, CTO of Waratek. “Waratek NSLR provides absolute protection against both known and unknown code injection vulnerabilities with zero false positives, and does not require making any changes to the application. It is a logical extension of the application protection capabilities we already provide using virtualization.”

Waratek NSLR hardens the Java Virtual Machine by randomizing the JDK namespace, which prevents code injections from executing regardless of the vulnerability (known or zero-day) that is being exploited. This innovation was made possible by Waratek’s virtualization-based implementation in an application’s runtime.

For example, with Waratek NSLR enabled, the java.lang.System class will be randomized and renamed. Therefore, any exploit that attempts to invoke java.lang.System will fail, since it will not know the new randomized package name. Since Waratek NSLR generates a unique package name every time the JVM boots, it is impossible for exploit code developers to guess the new names.

The randomized host package names are transparent to the guest applications and cannot be viewed or accessed from the Java Virtual Container (JVC) created by the Waratek Application Security Platform. In addition, Waratek NSLR prevents brute force attacks by using 96-bit to 1024-bit names, which would likely require several thousands of years to crack. Finally, Waratek NSLR identifies when a code injection attack is attempted and logs the details as a security event.

Waratek NSLR is now available internationally with the latest version of the Waratek application security platform.

Injection Application security Vulnerability Web application

Opinions expressed by DZone contributors are their own.

Popular on DZone

  • What Java Version Are You Running? Let’s Take a Look Under the Hood of the JDK!
  • Distributed SQL: An Alternative to Database Sharding
  • Using QuestDB to Collect Infrastructure Metrics
  • PostgreSQL: Bulk Loading Data With Node.js and Sequelize

Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com
  • +1 (919) 678-0300

Let's be friends: