A new defensive technique could hold off attackers by making software buggier

A new defensive technique could hold off attackers by making software buggier
Simplified attacker workflow. Attackers find bugs, triage them to determine exploitability, then develop exploits and deploy them to their targets. Credits: Hu, Hu & Dolan-Gavitt.

Researchers at New York University have recently devised a new cyber defense technique, which works by adding so-called "chaff bugs," non-exploitable bugs, rather than eliminating existing ones. A pre-print version of their inventive study was uploaded to ArXiv last week.

Every day, increasingly sophisticated attackers find bugs in computer , evaluate their exploitability, and develop ways of exploiting them. Most existing defense techniques are aimed at eliminating these bugs, limiting them, or adding mitigations that can make exploitation more challenging.

"Our project was based on some earlier work we did in collaboration with MIT Lincoln Lab and Northeastern University on evaluating different strategies for finding bugs in software," Brendan Dolan-Gavitt, one of the researchers who carried out the study, told Tech Xplore. "To do that, we built a system that could put thousands of bugs into a program, so that we could then measure how effective each bug-finding strategy was at detecting our bugs."

After they developed this system, the researchers started considering its possible applications in the context of improving software security. They soon realized that there is a bottleneck in how attackers typically find and exploit bugs in software.

"It takes a lot of time and expertise to figure out which bugs are exploitable and develop a working exploit," Dolan-Gavitt explained. "So we realized that if we could somehow make sure that all the bugs we added were non-exploitable, we could overwhelm attackers, drowning them in a sea of enticing-looking but ultimately harmless bugs."

A new defensive technique could hold off attackers by making software buggier
An overconstrained value bug. By adding constraints along the path leading to the bug, we gradually eliminate unsafe values. Credits: Hu, Hu & Dolan-Gavitt.

Adding huge numbers of bugs that are provably—but not obviously—non-exploitable could confuse attackers, driving them to waste their time and efforts on seeking exploits for these intentionally placed bugs. The researchers called this new method of deterring attackers "chaff bugs."

"Our system, which automatically adds chaff bugs, is intended to be used when developers are building software," Dolan-Gavitt said. "We use two strategies to ensure that the bugs are safe: either by guaranteeing that the can only corrupt data that's not being used by the program, or by making sure that the values the attacker can inject are restricted to ranges that we can determine are safe."

In their recent study, the researchers used these two strategies to add thousands of non-exploitable bugs to real-world software automatically, including web server NGINX and encoder/decoder library libFLAC. They found that the functionality of the software was unharmed, and that the chaff bugs appeared exploitable to current triage tools.

"One of the most interesting findings is that it's possible to construct these non-exploitable bugs automatically, in a way that we can tell they're not exploitable, but it's hard for an attacker to do the same," Dolan-Gavitt said. "It wasn't obvious to us when we started that this would be doable. We also think this approach of applying a sort of economic logic – finding out what attacker resources are scarce and then trying to target them – is a fruitful area to explore in software security."

A new defensive technique could hold off attackers by making software buggier
An unused variable bug. Data flow is added to propagate the “unused” values outside the initial scope, hiding the fact that they are actually unused. Credits: Hu, Hu & Dolan-Gavitt.

While their study gathered promising results, several challenges still need to be overcome for this approach to become practically viable. Most importantly, the researchers need to figure out a way of making these non-exploitable bugs entirely indistinguishable from real bugs.

"Right now, the bugs we add are pretty artificial-looking, so attackers could use this fact to ignore ours when looking for exploitable bugs," Dolan-Gavitt said. "Our main focus at the moment is on finding ways to make the bugs we've added look more like naturally occurring bugs, and then running experiments to show that attackers really are fooled by our chaff bugs."

Explore further

Researchers improve the process of finding vulnerabilities by intentionally adding swarms of bugs to source code

More information: Chaff Bugs: Deterring Attackers by Making Software Buggier, arXiv: 1808.00659v1 [cs.CR]. arxiv.org/abs/1808.00659

Sophisticated attackers find bugs in software, evaluate their exploitability, and then create and launch exploits for bugs found to be exploitable. Most efforts to secure software attempt either to eliminate bugs or to add mitigations that make exploitation more difficult. In this paper, we introduce a new defensive technique called chaff bugs, which instead target the bug discovery and exploit creation stages of this process. Rather than eliminating bugs, we instead add large numbers of bugs that are provably (but not obviously) non-exploitable. Attackers who attempt to find and exploit bugs in software will, with high probability, find an intentionally placed non-exploitable bug and waste precious resources in trying to build a working exploit. We develop two strategies for ensuring non-exploitability and use them to automatically add thousands of non-exploitable bugs to real-world software such as nginx and libFLAC; we show that the functionality of the software is not harmed and demonstrate that our bugs look exploitable to current triage tools. We believe that chaff bugs can serve as an effective deterrent against both human attackers and automated Cyber Reasoning Systems (CRSes).

Journal information: arXiv

© 2018 Tech Xplore

Citation: A new defensive technique could hold off attackers by making software buggier (2018, August 10) retrieved 18 September 2019 from https://techxplore.com/news/2018-08-defensive-technique-software-buggier.html
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.

Feedback to editors

User comments

Aug 10, 2018
if I do not want to shake someone's hand, I pretend to sneeze on mine

Aug 10, 2018
Making things shittier, for their own good. We've gone full circle now.

Aug 10, 2018
If I had someone working for me that suggested this they would be looking for another job 5 minutes later. This is utterly stupid. How about the programmers not writing programs with exploitable bugs to start with. It's always worked well for me.

Aug 10, 2018
What an awful idea. Besides the software is already buggy. Now you want to add another bug that you aren't sure won't break your software because of existing bugs? This just simply adds another point of coding that will confuse your coding structure that should be simplified in order to fix bugs and exploits later on in future updates.

Aug 11, 2018
Remember your opinions of this article and the comments you posted. The next article or commentary extolling the benefits of robots, drones, AI (Artificial Stupids?)and how they will bring the Age of Prosperity, Peace and Goodness to our benighted lives.

All that it will cost us? Is all power to programmers. Cause. gosh! Who could we better trust to plan and organize our lives for us?

Than the the incompetent bungling, drunken potheads that wrote the codes directing the behavior of the machines?

I am calling it the Robot-Zombie Apocalypse.

Aug 12, 2018
It's an interesting concept (pretty much like chaff for airplanes), but it could also make life hell for white hat hackers, because now they'll find/report any number of bugs and can never be sure whether the company shortchanged them on the promised compensation.

Hackers also test out their stuff on real systems (either bought or on a small real target where theys undo the damage after the deed is done) before
going live. So I wouldn't be too sure that this actually works.

Particularly if they get hold of the testing procedures for the software (which is a lot easier to do than get a hold of the source code itself) they'll quickly know what is dead code and what isn't.

Aug 22, 2018
I think there is a better approach:
"Computer scientists can prove certain programs to be error-free with the same certainty that mathematicians prove theorems. The advances are being used to secure everything from unmanned drones to the internet."

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more