A new defensive technique could hold off attackers by making software buggier

[tao]

Researchers at New York University have recently devised a new cyber defense technique, which works by adding so-called "chaff bugs," non-exploitable bugs, rather than eliminating existing ones. A pre-print version of their inventive study was uploaded to ArXiv last week.

 

Every day, increasingly sophisticated attackers find bugs in computer software, evaluate their exploitability, and develop ways of exploiting them. Most existing defense techniques are aimed at eliminating these bugs, limiting them, or adding mitigations that can make exploitation more challenging.

 

"Our project was based on some earlier work we did in collaboration with MIT Lincoln Lab and Northeastern University on evaluating different strategies for finding bugs in software," Brendan Dolan-Gavitt, one of the researchers who carried out the study, told Tech Xplore. "To do that, we built a system that could put thousands of bugs into a program, so that we could then measure how effective each bug-finding strategy was at detecting our bugs."

 

After they developed this system, the researchers started considering its possible applications in the context of improving software security. They soon realized that there is a bottleneck in how attackers typically find and exploit bugs in software.

 

"It takes a lot of time and expertise to figure out which bugs are exploitable and develop a working exploit," Dolan-Gavitt explained. "So we realized that if we could somehow make sure that all the bugs we added were non-exploitable, we could overwhelm attackers, drowning them in a sea of enticing-looking but ultimately harmless bugs."

An overconstrained value bug. By adding constraints along the path leading to the bug, we gradually eliminate unsafe values. Credits: Hu, Hu & Dolan-Gavitt.

Adding huge numbers of bugs that are provably—but not obviously—non-exploitable could confuse attackers, driving them to waste their time and efforts on seeking exploits for these intentionally placed bugs. The researchers called this new method of deterring attackers "chaff bugs."

 

"Our system, which automatically adds chaff bugs, is intended to be used when developers are building software," Dolan-Gavitt said. "We use two strategies to ensure that the bugs are safe: either by guaranteeing that the attacker can only corrupt data that's not being used by the program, or by making sure that the values the attacker can inject are restricted to ranges that we can determine are safe."

 

In their recent study, the researchers used these two strategies to add thousands of non-exploitable bugs to real-world software automatically, including web server NGINX and encoder/decoder library libFLAC. They found that the functionality of the software was unharmed, and that the chaff bugs appeared exploitable to current triage tools.

 

"One of the most interesting findings is that it's possible to construct these non-exploitable bugs automatically, in a way that we can tell they're not exploitable, but it's hard for an attacker to do the same," Dolan-Gavitt said. "It wasn't obvious to us when we started that this would be doable. We also think this approach of applying a sort of economic logic – finding out what attacker resources are scarce and then trying to target them – is a fruitful area to explore in software security."

An unused variable bug. Data flow is added to propagate the “unused” values outside the initial scope, hiding the fact that they are actually unused. Credits: Hu, Hu & Dolan-Gavitt.

While their study gathered promising results, several challenges still need to be overcome for this approach to become practically viable. Most importantly, the researchers need to figure out a way of making these non-exploitable bugs entirely indistinguishable from real bugs.

 

"Right now, the bugs we add are pretty artificial-looking, so attackers could use this fact to ignore ours when looking for exploitable bugs," Dolan-Gavitt said. "Our main focus at the moment is on finding ways to make the bugs we've added look more like naturally occurring bugs, and then running experiments to show that attackers really are fooled by our chaff bugs."

 

< Here >

[luisam]

20 minutes ago, tao said:

Adding huge numbers of bugs that are provably—but not obviously—non-exploitable could confuse attackers, driving them to waste their time and efforts on seeking exploits for these intentionally placed bugs.

 

Just a stupid question from someone who is not in the computer software developing business: Wouldn't be more logical design software CAREFULLY, so that it should not contain ANY bug? Maybe stopping a senseless race to release more and more new versions with more and more dubiously useful untested features and starting a race of quality!

[steven36]

if they make software more buggy than it already is i will just stop updating . it's quite a few times i reverted back to old version because of bugs and it's the reason i still use windows 8.1 . Bugs is bad for business that why Android already have more users now . Android devices are cheap  and not much trouble . 50% less malware infections than windows . Who wants to go out and pay a arm and a leg for a PC with buggy software installed on it from the vendor?  That's why most PCs on the internet are older only people addicted to play games and the rich  do a upgrade or buy new pcs every few years.

[Karlston]

5 hours ago, luisam said:

Wouldn't be more logical design software CAREFULLY, so that it should not contain ANY bug?

 

A noble idea, but except for simple software, bug-free software is virtually impossible. Humans are not perfect, as much as Microsoft we like to think so.

 

The best that can be done is to minimise bugs and their severity.

[straycat19]

An absolute tried and true method of securing any computer:

 

1.  Build a faraday cage large enough to hold all computer components.

2.  Build a large concrete structure with 1 foot thick floor, walls, and ceiling. (No windows, doors, or electrical receptacles allowed)

3.  Set faraday cage/computer in concrete structure and then put on ceiling.

4.  Use an epoxy compound to seal all seams.

5.  Computer is now secure.

[BimBamSmash]

It is interesting on paper, but the message it signals is an attempt to justify the every increasing trend of sloppy coding. I say insistence on regular upgrades and overhauls causes more problems than anything else.