Trustifier Labs' Fahrenheit research, which is grounded in Langsec, examined the inherent design flaws of current WAFs as part of a broader research purpose: the scientific reasons why current automatic cyber-defense systems are failing. What do the fundamental principles of computer science say about detecting cyber attacks, and about the limitations of current approaches? Does understanding these limitations also open doors to new methods for cyber-defense and countermeasure techniques?
The Importance of Langsec
Language-Theoretic Security, or Langsec as it is more commonly called, was coined around 2010 by researchers from Dartmouth. Langsec is the study of cyber-security using the first principles of automata theory. Automata theory is a field of discrete math that studies computers and the problems that can be solved by them and, possibly even more important, the problems that can never be solved by them.
This doesn’t mean that no one was researching the fundamental principles of computing science before the term Langsec was coined. Trustifier KSE research, which would be a subset of Langsec, took place as early as 2006, I believe.
But why is it important? A few years back came the realization that AV in particular, and signature-based detection technologies in general, the traditional foundations of infosec prevention, were failing quite badly. Interest in Langsec started to grow because it offered some explanations. We need to start applying the “Ask for Evidence” campaign to infosec: verifying performance claims in order to distinguish potential outliers in a market for lemons. Knowledge and understanding of Langsec helps one know what questions to ask about technologies.
It also offers some warnings. A Source Boston keynote by infosec big thinker Dan Geer may have served as an introduction to Langsec for some, where he said,
“…as I can guess, nearly nothing we have in our cyber interfaces to critical infrastructure meets LANGSEC’s test. Because of that reason, if no other, attaching the cyber interface of critical infrastructure to the Internet is a guarantee of error.”
Right, does anyone else think that sounds a little daunting as everyone keeps hooking up Internet of Everything devices and connecting automobiles and all manner of medical devices to the internet?
WAF Langsec Research
It has also become increasingly recognized that the Web Application Firewall, or WAF, is problematic in that it relies on signature-based detection, which provides imperfect protection. It is somewhat trivial for skilled attackers to bypass WAF protections; evasion libraries exist. Langsec research informs us that poor WAF detection performance is actually due to violations of fundamental first principles of computer science, manifesting themselves as design flaws. As a result, WAFs that use a signature-based design attempt to make detection performance promises that are impossible to keep.
Langsec helps us understand why this is. Trustifier analyzed WAFs from the perspective of the first principles of the state-machine automata that make up today’s web application attack detection engines.
The research determined that the current approach to web application security using WAFs is trying to do something that is not possible, because it is an attempt to violate Rice’s Theorem, which is closely related to the Halting Problem. The general idea is that the task of attack detection by a system may be “undecidable”, because an inherent design flaw results from the use of signature-based detection. This flaw results in a ceiling on the Web attack detection success rate that can’t be surpassed, even with optimized operations. This detection ceiling exists for ALL signature-based detection technologies.
It’s a real problem because this theoretical limit (ceiling) on attack detection is quite a significant figure. We’ll discuss the figure for this detection ceiling later in this series. The impact on detection success across signature-based and pattern-matching technologies seriously hampers efforts to defend against Web attacks. Thus, Langsec informs us that in order to achieve better Web attack detection outcomes, alternative and innovative designs that improve on signature-based designs are required.
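To make the contrast between the two approaches concrete, here is an added example in Python that is not Trustifier’s code and not part of the original article. It assumes a hypothetical application whose only input is a product-filter expression such as `color:red AND size:10`, and it compares a toy signature list (constructed here, of the kind a signature-based WAF applies to raw request text) with a Langsec-style recognizer that decides membership in the application’s declared input grammar. The signature filter guesses at a semantic property (“is this an attack?”) from text fragments and so produces both false positives on in-grammar input and false negatives on out-of-grammar input; the recognizer decides a syntactic property, which is decidable, and gives a definite answer on every input without any attack list at all.

```python
import re

# Toy signature list, constructed for this example. Substring/regex
# patterns like these are what a signature-based WAF matches against
# raw request input; nothing here knows what the application accepts.
SIGNATURES = [
    re.compile(r"(?i)union"),
    re.compile(r"(?i)select"),
    re.compile(r"'"),
    re.compile(r"--"),
]


def signature_filter(text: str) -> bool:
    """Return True if the input is allowed, i.e. no signature matched.

    This never decides which language the input belongs to; it tries to
    infer a semantic property (attack or not) from fragments of text.
    """
    return not any(sig.search(text) for sig in SIGNATURES)


# Grammar of the one input the hypothetical application accepts
# (an assumption for this example):
#   expr  := term ( " AND " term )*
#   term  := field ":" value
#   field := [a-z]+
#   value := [a-z0-9]+
class Recognizer:
    """Recursive-descent recognizer: accepts exactly the strings in the grammar."""

    def __init__(self, text: str) -> None:
        self.text = text
        self.pos = 0

    def _take(self, pattern: str) -> bool:
        # Consume the pattern at the current position, or fail without moving.
        m = re.compile(pattern).match(self.text, self.pos)
        if m is None:
            return False
        self.pos = m.end()
        return True

    def _term(self) -> bool:
        return (self._take(r"[a-z]+")
                and self._take(r":")
                and self._take(r"[a-z0-9]+"))

    def accepts(self) -> bool:
        if not self._term():
            return False
        while self._take(r" AND "):
            if not self._term():
                return False
        # Every byte must be consumed; trailing material is a rejection.
        return self.pos == len(self.text)


def recognize(text: str) -> bool:
    """Return True only if the whole input is a sentence of the grammar."""
    return Recognizer(text).accepts()


if __name__ == "__main__":
    # Constructed sample inputs: in-grammar text that trips a signature,
    # and out-of-grammar text that no signature notices.
    for sample in ["color:red AND size:10", "name:reunion", "color=red", "color:red AND "]:
        print(f"{sample!r:28} signature_filter={signature_filter(sample)!s:5} "
              f"recognize={recognize(sample)}")
```

`name:reunion` is a legal filter value but the `union` signature rejects it (a false positive), while `color=red` contains no signature fragment yet is not in the grammar and passes the signature filter (a false negative); the recognizer classifies both correctly because the only question it asks is the decidable one, “is this string in the language the application was built to parse?”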
Trustifier Research Goals
Understanding previous design limitations opens doors to new methods for cyber-defense and countermeasure techniques. Trustifier Fahrenheit research probes the question of whether web application attacks can be mathematically modelled as a means to achieve significant improvement in Web application attack detection. Further to that is the question of whether such models can be used to design automated attack detection and preventive defences.
The answer to that is yes. Fahrenheit WAF by Trustifier is a plug-and-play, zero-configuration WAF that is able to detect and deny attacks without requiring awareness of the applications it is protecting or of their possible vulnerabilities. We’re bundling this innovation in many of our offerings. Even better, the implementation and maintenance of Fahrenheit protection has now been automated by TUX AI. Check out the TUX AI quick tour here, and watch the one-minute video to see Fahrenheit WAF implemented automatically.