(From left to right, Andrei Homescu, Per Larsen, Stephen Crane, Michael Franz and Immunant’s summer intern, Julian Lettner.)
A tiny computer security company has been working quietly at the Cove to develop ways of protecting mobile systems against hackers. Immunant builds specialized tools for developers. The company’s software transforms the way code is compiled, linked, and loaded by a host operating system. This three-person company’s reputation in the security community belies its actual size. “Our industry is relationship-heavy,” says Stephen Crane, Immunant’s CTO. “We have built up credibility over years of collaborations. This is a premium advantage in a field with a huge amount of snake oil. A lot of companies promise more security than they can deliver on.” Meanwhile, the tools Immunant is developing could improve system security for hundreds of millions of mobile network users by safeguarding the computers that act as the nodes of communications networks from hacking incursions.
Immunant was co-founded by three graduate and post-doctoral researchers at the UCI School of Information and Computer Sciences (ICS): Per Larsen, Andrei Homescu, and Crane. Their advisor, Michael Franz, UCI professor of computer science, also has a stake in the startup.
Immunant is commissioned mostly by large government agencies, including the Defense Advanced Research Projects Agency (DARPA), the National Science Foundation (NSF), and the Air Force Research Laboratories. “The security community is small,” Larsen says. “We had a strong relationship with DARPA. We happened upon other opportunities in the private sector.”
Immunant pursues a niche strategy
Immunant’s founders characterize the company as “hyper-specialized”. They have an unconventional business model. “We give away our software,” Crane says. “A lot of our work product is released to the public as open-source software. Government contracting has been funding a substantial part of the research and development of the tools we have been building.” Immunant’s researchers have published extensively on their security technology. However, any organization seeking to adapt the company’s security software to its own systems will need custom integration.
“Our path out of research and into a startup was extremely gradual,” Larsen recalls. At UCI, the Immunant cofounders developed a security platform and published multiple papers. Meanwhile, Larsen and Franz participated in the National Science Foundation (NSF)-sponsored Innovation Corps (I-Corps™) program, an intensive entrepreneurship boot camp to help academic scientists and engineers commercialize their research. I-Corps participants attend lectures and training, and have to make dozens of calls and meetings with potential customers to gain a clear understanding of the potential market for their inventions. In the course of months of market research, Larsen confirmed the company’s strengths in this niche market.
“We are working on tools for the people who make software, not necessarily for consumers,” Crane says. According to Crane, it is easier to insert these tools while the software is being built than to retrofit them afterwards. DARPA and NSF, he adds, are invested in the long-term success of the research they fund, as their role is to foster innovation for public benefit.
Strengthening security for government and R&D customers
Immunant has developed a suite of probabilistic defenses that automatically change the attack surface of an application on every run while preserving peak performance and functionality. “It goes back to the fact that a lot of modern software is buggy and unsafe,” Larsen says. “There is a specific class of attack that modern software is vulnerable to called ‘memory corruption’. An intruder can break in. We pursue a mitigation strategy that presents adversaries with a moving target.”
System security has certain holes because of how computer operating systems evolved. Computers have become smaller, faster and more powerful over the years, but swathes of legacy software are still present in their operating systems. “We are still running code that was written in the 80s,” Crane says. “For example, the code in Firefox descends from Mosaic, the first web browser.” According to Crane, at this point most of the code has been rewritten, but in a piecemeal and partial fashion.
Reshuffling the deck to keep hackers off balance
“Ideally, you want to fix these bugs,” Crane says. “We are putting in an automatic layer that makes it harder for a hacker to know how to exploit.” Since finding and fixing individual bugs is currently very labor-intensive, Immunant is using a concept called fine-grained randomization to reshuffle the in-memory layout of a program. Crane uses the analogy of a bookshelf of encyclopedias filled with articles. Conventional defenses randomize where on the shelf each encyclopedia sits (as address space layout randomization does for whole libraries), but the contents of each encyclopedia, and the order of the articles inside it, stay the same.
Immunant is going a step further by randomizing the internal structure of the encyclopedias, i.e., the individual articles. “Since a computer uses an index, it doesn’t care where things are,” Crane says. “If an attacker wants to use a particular piece of the software, but its placement is randomized every time, the attacker has to locate the relevant piece. This security layer is invisible to the end user, as it does not interfere with speed of processing. We are making it harder to attack, not impossible. Anybody who is selling you security and telling you it is impossible to hack is selling you snake oil.”
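The difference between moving the whole bookshelf and reshuffling the articles inside each volume can be made concrete with a small simulation. The example below is an added illustration written for this page, not Immunant’s code or a model of their tooling: the function names, sizes and the “library” itself are constructed for the demonstration. A coarse-grained randomizer slides a fixed image to a random base, so an attacker who leaks any one address can compute every other one from a copy of the binary. A fine-grained randomizer also permutes the function order on each run, while the program keeps reaching its own functions through a per-run index, so the program works unchanged but the attacker’s precomputed offset usually points at the wrong code.

```python
import random

# Constructed toy "library": (function name, size in bytes). Values are made up.
FUNCTIONS = [
    ("parse_header", 96), ("copy_payload", 48), ("system_wrapper", 32),
    ("log_message", 64), ("free_buffer", 40), ("checksum", 80),
    ("read_config", 72), ("send_reply", 56), ("open_socket", 88), ("close_all", 24),
]
PAGE = 0x1000


def lay_out(functions, rng=None):
    """Assign each function an offset from the image base.

    With rng=None the functions are placed in program order, the fixed layout a
    conventional linker produces.  With an rng the order is shuffled, a toy model
    of function-level (fine-grained) randomization: relative offsets change per run.
    """
    order = list(functions)          # copy: never mutate the caller's list
    if rng is not None:
        rng.shuffle(order)
    layout, offset = {}, 0
    for name, size in order:
        layout[name] = offset
        offset += size
    return layout


def coarse_randomize(functions, rng):
    """Coarse-grained model: same internal order, random page-aligned base
    (the bookshelf moves, the articles inside each volume do not)."""
    base = rng.randrange(1, 256) * PAGE
    return {name: base + off for name, off in lay_out(functions).items()}


def fine_randomize(functions, rng):
    """Fine-grained model: random base AND random function order."""
    base = rng.randrange(1, 256) * PAGE
    return {name: base + off for name, off in lay_out(functions, rng).items()}


class Program:
    """A loaded image.  The program calls its own functions through an index
    built at load time (like a symbol table), so it does not care where the
    randomizer placed them.  The attacker has no such index."""

    def __init__(self, layout):
        self.index = dict(layout)                                  # name -> address
        self.by_addr = {addr: name for name, addr in layout.items()}  # address -> name

    def call(self, name):
        # Resolves correctly under any layout: this is why randomization is
        # invisible to the program itself.
        return self.by_addr[self.index[name]]

    def what_is_at(self, addr):
        return self.by_addr.get(addr)


def attacker_target(leaked_name, leaked_addr, reference_layout, target):
    """Attacker model: leaks one function's address from the running process and
    adds the offset between the two functions taken from a copy of the binary."""
    delta = reference_layout[target] - reference_layout[leaked_name]
    return leaked_addr + delta


def hit_rate(randomizer, trials, seed=1234):
    """Fraction of runs in which the attacker's computed address really lands on
    the target function ("system_wrapper") after leaking "log_message"."""
    rng = random.Random(seed)
    reference = lay_out(FUNCTIONS)   # the attacker's offline copy: fixed order
    hits = 0
    for _ in range(trials):
        live = Program(randomizer(FUNCTIONS, rng))
        leaked = live.index["log_message"]
        guess = attacker_target("log_message", leaked, reference, "system_wrapper")
        if live.what_is_at(guess) == "system_wrapper":
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("coarse-grained hit rate:", hit_rate(coarse_randomize, 500))
    print("fine-grained hit rate:  ", hit_rate(fine_randomize, 2000))
```

Under the coarse model every trial succeeds, because a single leaked pointer reveals the whole image; under the fine model the attacker only succeeds when the shuffle happens to put the target at the same distance from the leaked function, roughly one run in ten for this ten-function image. That matches the quote above: the defense raises the cost of an attack rather than ruling it out, and a leak of one address no longer gives away everything else.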