An innovative new collaboration between EPFL’s HexHive lab and Oracle has developed automated, far-reaching technology for the constant battle between IT security administrators and attackers, in the hope of finding bugs before hackers do.
On December 9, 2021, the world of IT security was shocked. The log4j implementation, which is part of the Apache package used by most web servers, had been exploited by hackers without developers even realizing it, allowing the attackers to take control of servers and data centers around the world.
The Wall Street Journal reported the news that no one wanted to hear: “US officials say hundreds of millions of devices are at risk. Hackers can exploit this vulnerability to steal data, install malware, or take control.”
93% of global cloud services affected
One estimate claimed that the vulnerability affected 93% of enterprise cloud environments. At EPFL, instructions were sent to all IT administrators to fix the server software immediately. Even Oracle Corporation, the world leader in information security, had to issue an emergency call: “Due to the severity of this vulnerability and the release of exploit code on various sites, Oracle strongly recommends that customers apply the updates provided by our security alerts as soon as possible.”
The victims of the log4j error were the Belgian Ministry of Defense, the National Health Service of Great Britain and a number of financial trading platforms. So what did companies like Oracle do to prevent similar incidents from happening again?
In fact, Oracle was already working against this type of vulnerability prior to the outbreak, including through a collaboration with Professor Mathias Payer from EPFL’s HexHive lab.
“We’ve already looked at similar application analytics and worked on cloud security as part of EPFL’s EcoCloud Center,” Payer said, “but we didn’t come close to these bugs. Then we started working with Oracle Labs, which provides funding through a giveaway. Two Oracle researchers, François Gauthier and Konstantin Vorobyov, introduced us to the complex technical challenges they faced, and we worked together to develop a platform to detect such vulnerabilities.”
“For years, people have been trying to find and exploit vulnerabilities in server code, including Oracle’s, either for direct benefit or for monetization by submitting bug reports. In any case, these are manual special attacks. In manual attacks, the analyst takes the target’s source code, analyzes it carefully and then carefully designs the attack. We have developed a mechanism that automates this process and ensures that Oracle stays ahead of attackers.”
Eight moves like a chess master
“Also, the bugs we find can be much more complex than what experts find manually. Most analysts are trained to delve deep into two manipulations. Our platform can look for up to eight deep manipulations,” Payer said.
In the battle between IT security administrators and attackers, defenders hope to find faults before attackers do, and security administrators now have a significant advantage in using the HexHive platform. “While our tool is neutral, meaning it can be used by both attackers and defenders, developers have full access to and understanding of their code, which gives them a huge advantage over a hacker when it comes to interpreting results. So they have a very good chance of finding vulnerabilities before the attacker.”
Plans are being made to hold an internship for HexHive researchers at Oracle Corporation, which is a win-win for both the company and EPFL. Oracle will have people who develop some of the code in-house, making it easy to integrate the platform into their pipeline. At the same time, the hosting will provide a great experience for EPFL researchers and the HexHive prototype will remain open source with all bug reports released.
As long as information technology exists, the war between security administrators and hackers will continue. Thanks to the collaboration with HexHive, Oracle can be one step ahead of the attacker: faster, higher, stronger.