THE PROBLEM: Sophisticated, large-scale cyberattacks have become widespread in recent years, costing the United States $220 billion in 2022 alone. Cybercriminals steal sensitive information to commit fraud and identity theft, compromise financial assets, and gain unauthorized access to other restricted and mission-critical systems. Such information-leakage attacks are particularly concerning on Linux-based operating systems, which run on a majority of the world’s Internet servers, Android phones, cloud platforms, and supercomputers. Code is mapped similarly in memory on all Linux-based systems, and these homogeneous internals create an economy of scale for attackers: once they devise an attack against a Linux-based application, the attack can often compromise millions of computers.
THE SOLUTION: Timely Address Space Randomization (TASR) protects Linux-based systems against these large-scale cyberattacks by scrambling, or re-randomizing, the location of code in memory. Whereas similar preceding technologies perform one-time randomization and leave systems vulnerable afterward, TASR continuously re-randomizes memory to hinder attacks. Whenever the system sends data out (output), TASR automatically scrambles the memory before that system processes any request (input), making any potentially leaked data from the output stale to an attacker before they have a chance to act on the information. This randomization technology is the first to mitigate the impact of information-leakage attacks regardless of the attacker’s access point or the system’s vulnerability.
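The output-then-input rule described above, modeled as an added example (not code from TASR or MIT LL): a toy process picks a new code base whenever an input arrives after any output, so an address disclosed in that output no longer matches the layout. The class, the address range, the entropy and the offset are constructed for illustration.

```python
import secrets

PAGE = 0x1000
BASE_MIN = 0x5500_0000_0000   # constructed address range for the model
CODE_OFFSET = 0x4A0           # constructed offset of a code location in the image


class Process:
    """Toy model: a process whose code image sits at a random, page-aligned base."""

    def __init__(self, rerandomize_on_io):
        self.rerandomize_on_io = rerandomize_on_io
        self.base = None
        self.layouts = 0
        self._randomize()

    def _randomize(self):
        old = self.base
        while self.base == old:   # always move to a different base
            self.base = BASE_MIN + secrets.randbits(28) * PAGE
        self.exposed = False      # nothing has been output under this layout yet
        self.layouts += 1

    def send(self, leak=False):
        """Any output may disclose a code pointer, so it marks the layout exposed."""
        self.exposed = True
        return self.base + CODE_OFFSET if leak else None

    def recv(self, claimed_address):
        """Re-randomize before processing an input that follows an output."""
        if self.rerandomize_on_io and self.exposed:
            self._randomize()
        # A leaked address helps only if it still names the live code location.
        return claimed_address == self.base + CODE_OFFSET


def leak_then_reuse(rerandomize_on_io):
    """Disclose a pointer in one output, then present it in the next input."""
    proc = Process(rerandomize_on_io)
    leaked = proc.send(leak=True)
    return proc.recv(leaked), proc.layouts
```

With one-time randomization the disclosed address is still valid on the next input; with re-randomization on the output-to-input boundary it is stale, while back-to-back inputs with no output in between cost no extra re-randomization.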
THE TECH TRANSFER MECHANISM: The MIT LL research team developed TASR under sponsorship by the National Security Agency (NSA) over three years, resulting in a research prototype and a patent. In 2020, TASR was selected for the competitive Department of Homeland Security (DHS) Commercialization Accelerator Program (CAP), which provides funding for technology maturation and commercialization. From 2019 to 2021, the MIT Technology Licensing Office helped transfer TASR to a number of interested commercial partners.
THE TECH TRANSFER EXCELLENCE: After nearly a decade of development, maturation and transfer, this T2 effort filled a high-priority gap in cybersecurity. Throughout the process, funding support was crucial. The early stages of research and development were funded by the NSA. Later, funding from DHS CAP enabled the MIT LL team to mature TASR and position the technology for commercialization.
THE OUTCOMES: TASR has been transitioned to the government, and discussions with commercial entities for “productizing” are planned. In 2022, TASR won the prestigious R&D 100 Award, which recognizes the year's 100 most innovative new products.