Definition
Runtime protection defends programs during execution:
In SCU terms: Runtime protection monitors and constrains χ-mode execution in real time—detecting and blocking unauthorized information state transitions as they occur.
Why Runtime Protection?
Pre-deployment security can't catch everything:
| Limitation | Why It Fails |
|---|---|
| Unknown vulnerabilities | Zero-days exist |
| Complex code | Bugs slip through |
| Configuration errors | Deployment mistakes |
| Evolving attacks | New techniques emerge |
Runtime protection adds a final defense layer.
Protection Techniques
| Technique | χ-Mode Protection |
|---|---|
| ASLR | Randomize χ-mode memory layout |
| Stack canaries | Detect χ-mode stack corruption |
| CFI | Verify χ-mode control flow |
| DEP/NX | Prevent χ-mode execution of data |
| Memory tagging | Hardware χ-mode bounds |
ASLR (Address Space Layout Randomization)
Attackers can't predict χ-mode locations.
Control Flow Integrity
Verify that χ-mode execution follows valid paths:
CFI blocks return-oriented programming and similar attacks.
Stack Canaries
If the canary is corrupted, the χ-mode overflow is detected.
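The canary check, as an added example that is not part of the original page: a simulated stack frame in C where the canary sits between a local buffer and the saved return address and is verified before the function would return. The struct layout, function names and canary constant are assumptions made for illustration; compilers insert the real check automatically (for example with GCC's -fstack-protector).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE 16

/* Simulated stack frame (hypothetical layout): the canary sits between the
 * local buffer and the saved return address, so a linear overflow of buf
 * must cross the canary before it can reach saved_ret. */
struct frame {
    unsigned char buf[BUF_SIZE];
    uint64_t canary;
    uint64_t saved_ret;
};

enum { FRAME_OK = 0, FRAME_SMASHED = 1 };

/* Models a function with an unchecked copy into buf. The write is clamped to
 * the simulated frame so the demo itself stays memory-safe.
 * Returns FRAME_SMASHED when the epilogue check finds the canary changed,
 * the point where a real program would abort instead of returning. */
int run_frame(const unsigned char *input, size_t len, uint64_t secret)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = secret;              /* prologue: place the canary */
    f.saved_ret = 0x401000;         /* constructed return address */

    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, input, len);         /* the unchecked copy */

    /* epilogue: verify the canary before saved_ret would be used */
    return f.canary == secret ? FRAME_OK : FRAME_SMASHED;
}

int main(void)
{
    unsigned char input[sizeof(struct frame)];
    /* constructed value; real canaries are chosen randomly at process start */
    uint64_t secret = 0x5ca1ab1e0ddba100ULL;
    memset(input, 'A', sizeof input);

    int fits     = run_frame(input, BUF_SIZE, secret);      /* FRAME_OK */
    int off_by_1 = run_frame(input, BUF_SIZE + 1, secret);  /* FRAME_SMASHED */
    int full     = run_frame(input, sizeof input, secret);  /* FRAME_SMASHED */
    return !(fits == FRAME_OK && off_by_1 == FRAME_SMASHED && full == FRAME_SMASHED);
}
```

A write one byte past the buffer is already flagged, before the saved return address has been touched.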
Trade-offs
| Benefit | Cost |
|---|---|
| Real-time protection | Performance overhead |
| Defense in depth | Complexity |
| Blocks known attacks | Bypass techniques evolve |
The Key Insight
Runtime protection monitors χ-mode execution.
Defense during operation:
- Programs execute χ-mode sequences
- Protection verifies valid execution
- Attacks cause detectable violations
- Blocking prevents compromise
Runtime protection ensures that even when vulnerabilities exist, attackers can't exploit them—because χ-mode execution is constrained to authorized patterns.