Shape-shifting software 'defends against botnet hacks'

Man using laptop Shape Security says its product makes it harder to carry out automated attacks

Related Stories

A technology that constantly changes websites' code to defeat hackers has been unveiled by a US start-up.

Shape Security says its product works with the HTML, JavaScript and CSS languages, transforming a site's code into a "moving target" to prevent cybercriminals from carrying out scripted attacks.

The Silicon Valley firm has several high-profile backers including Google.

But one expert said hackers might still be able to work round the defence.

However, Ron Austin - a senior lecturer on computer security at Birmingham City University - said that it would probably take them longer than previously.

Shape says the "look and feel" of the sites that use its tech remains unchanged to legitimate visitors.

It adds that several companies have already trialled its product, including Citigroup bank and the ticket seller StubHub.

Morphing code

Shape describes its product as a being a "botwall" - a reference to it being a barrier against automated software tools known as bots that recognise and exploit vulnerabilities in a site's code.

ShapeShifter graphic ShapeShifter aims to alter how code is expressed without affecting its functionality. In this example, a login form has certain attributes replaced with random strings, with new code generated for each page request. The firm says this is a "simplified example" created to illustrate one of the polymorphic techniques it uses, and that the real output would be different

These can be used for malicious purposes, such as carrying out DDoS (distributed denial of service) attacks - forcing a website server to crash by flooding it with traffic - or to hijack a site, allowing the hacker to modify its contents, steal private details and spread malware.

Many products try to prevent such breaches by identifying bots by their signatures - the name they use when registering themselves - and the internet and email addresses they send data to.

Hackers have tried to counter detection by using a technique called "real-time polymorphism" - making their bots rewrite their own code every time they infect a new machine to make them harder to recognise.

Shape says its product reverses this advantage.

"The website looks and feels exactly the same to legitimate users, but the underlying site code is different on every page view," wrote the firm's founder, Sumit Agarwal, on its blog.

"Ultimately, the ShapeShifter aims to stop non-human visitors from executing large-scale automated attacks. This may help break the economics of breaches like the one Target experienced in late 2013, by eliminating the monetisation path.

"Without automated scripts, many of today's attacks cease to be economically viable."

'Additional tool'

Shape had raised $26m (£15.7m) from investors ahead of its product's launch.

ShapeShifter boxes Shape says several firms have been secretly testing its equipment ahead of the launch

Backers include:

  • Google Ventures, the search firm's venture capital fund
  • Google chairman Eric Schmidt's personal investment company TomorrowVentures
  • Kleiner Perkins Caufield & Byers, an early investor in Amazon and Facebook
  • Enrique Salem, the former chief executive of security firm Symantec

One security expert from the University of Oxford's Internet Institute said the innovation sounded promising.

"It's an interesting additional tool for making it harder for attackers to break into systems, and one that can't be trivially circumvented by attackers changing their behaviour," Dr Ian Brown told the BBC.

But Ron Austin added that given enough time, a dedicated hacker should still be able to achieve their goal.

"The caveat to this approach would be looking for parts of the polymorphic code within the software that does not change," he explained.

"This would then give the attacker a point of reference into the system and possibly allow a new attack to be created. This is difficult and would take time as the attacker would have to monitor the software."

More on This Story

Related Stories

The BBC is not responsible for the content of external Internet sites

More Technology stories

RSS

Features & Analysis

  • Hands holding goldGold rush Watch

    Recession drives new wave of prospectors into the wild


  • Chris and Regina Catrambone with their daughter Maria LuisaSOS

    The millionaires who rescue people at sea


  • Boy with rifleYoung guns

    The Americans who arm their children


  • woman painting nailsDate rape debate

    Backlash over nail polish designed to detect drug


BBC Future

(Thinkstock)

How a fish inspired a supercar

Sailfish secrets take to the road Read more...

Programmes

  • A map of social media interactionsClick Watch

    Twitter's map of the Middle East conflict – how the two sides react to each other on social media

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.