Interesting paper: "Chaff bugs"

In summary, this paper introduces a new defensive technique called chaff bugs, which instead target the bug discovery and exploit creation stages of this process. Rather than eliminating bugs, we instead add large numbers of bugs that are provably (but not obviously) non-exploitable. Attackers who attempt to find and exploit bugs in software will, with high probability, find an intentionally placed non-exploitable bug and waste precious resources in trying to build a working exploit.
  • #1
jim mcnamara
https://arxiv.org/abs/1808.00659
Popular version: https://techxplore.com/news/2018-08-defensive-technique-software-buggier.html

The basic idea here is to create a large number of non-exploitable bugs, then add them to existing code. Do not worry as much about remediating existing bugs.

The "bad guys" have a greatly reduced chance of finding and exploiting a real bug because they keep finding chaff bugs instead, wasting resources. The most time-consuming task facing intruders is locating bugs to exploit. Analogy: It is like having a tub of cubic zirconium "diamonds" with one or two real ones mixed in. Finding the real diamonds takes a large amount of time. Cubic zirconium fakes can be detected, but that takes some time. If it becomes sufficiently tedious it may not be worth the huge amount of time spent.

Abstract:
Sophisticated attackers find bugs in software, evaluate their exploitability, and then create and launch exploits for bugs found to be exploitable. Most efforts to secure software attempt either to eliminate bugs or to add mitigations that make exploitation more difficult. In this paper, we introduce a new defensive technique called chaff bugs, which instead target the bug discovery and exploit creation stages of this process. Rather than eliminating bugs, we instead add large numbers of bugs that are provably (but not obviously) non-exploitable. Attackers who attempt to find and exploit bugs in software will, with high probability, find an intentionally placed non-exploitable bug and waste precious resources in trying to build a working exploit. We develop two strategies for ensuring non-exploitability and use them to automatically add thousands of non-exploitable bugs to real-world software such as nginx and libFLAC; we show that the functionality of the software is not harmed and demonstrate that our bugs look exploitable to current triage tools. We believe that chaff bugs can serve as an effective deterrent against both human attackers and automated Cyber Reasoning Systems (CRSes).

The red-highlighted phrase seems to me to be the hard part. Disguising the fake bugs. If all of the fake bugs are similar somehow then one can write algorithms to find and then mark the fakes as fake.
 
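To make "provably (but not obviously) non-exploitable" in the abstract concrete, here is an added example that is not part of the original post or of the paper's code. It assumes one way such a guarantee can be obtained: the out-of-bounds write can only reach bytes the program never reads. The frame layout, names and sample input are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN   16  /* logical size of the "vulnerable" buffer */
#define SLACK_LEN 16  /* dead bytes placed right after it, never read */

/* Explicit model of a stack frame, so the demo has no undefined behaviour. */
struct frame {
    unsigned char bytes[BUF_LEN + SLACK_LEN]; /* buffer, then dead slack */
    unsigned int  live_state;                 /* data the program really uses */
};

/* The planted bug: the bound checked is the whole region, not BUF_LEN, so
 * long input runs past the logical buffer. By construction the write can
 * never leave the dead slack. Returns the bytes written past the buffer. */
size_t chaff_copy(struct frame *f, const unsigned char *in, size_t n)
{
    if (n > sizeof f->bytes)   /* reads like a wrong-constant mistake */
        n = sizeof f->bytes;
    memcpy(f->bytes, in, n);
    return n > BUF_LEN ? n - BUF_LEN : 0;
}

/* Drive the bug with constructed input; returns 1 if live state survived. */
int live_state_survives(size_t input_len)
{
    unsigned char in[256];
    struct frame f;

    memset(in, 0x41, sizeof in);           /* constructed attacker input */
    memset(&f, 0, sizeof f);
    f.live_state = 0xC0FFEEu;
    if (input_len > sizeof in)
        input_len = sizeof in;
    chaff_copy(&f, in, input_len);
    return f.live_state == 0xC0FFEEu;
}

int main(void)
{
    struct frame f = {{0}, 0};
    unsigned char in[64] = {0};
    printf("overflowed by %zu bytes, live state intact: %d\n",
           chaff_copy(&f, in, sizeof in), live_state_survives(sizeof in));
    return 0;
}
```

A triage tool sees a write past a 16-byte buffer with attacker-controlled contents, yet no input length can change `live_state`.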
  • #2
I see. Pretty clever. Good name too: chaff.

But I'm skeptical if it would really work unless the benign bugs were very cleverly designed. Clever design means taking design effort away from the legit purposes of the code. I can't see management ever approving that.
 
  • #3
I think it’s too early to say here that it can be defeated so easily and it’s too early to say if it will even work. I am reminded of all the “junk” DNA we carry which might come back into play at some time in the future.

If the hacker had access to the source then this would be harder to hide as someone would inevitably leave a helpful comment. However, if this is inserted into the binary executable with blocks of junk code then it could make reengineering more difficult. If we could also insert code that makes it difficult for a debugger to follow then that too would make it more difficult to figure out. The downfall of course is the algorithm doing the insertion. It would give hackers a key to figuring out what code to ignore in the obfuscated binary.
 
  • #4
jim mcnamara said:
The basic idea here is to create a large number of non-exploitable bugs, then add them to existing code. Do not worry as much about remediating existing bugs.

Microsoft has been trying this strategy for years. :wink:
 
  • #5
@Vanadium 50 - do you have some kind of link for that? You would think the researchers could have been aware of it.
 
  • #6
jim mcnamara said:
@Vanadium 50 - do you have some kind of link for that? You would think the researchers could have been aware of it.

No no. V50's post was sarcasm.
 
  • #7
Well, duh...
 
  • #8
I find it a little bit problematic that, unfortunately, the bug hunt on end products is often done by security specialists not related to the owner of the code. Their work will also get harder, no?
To me this idea sounds quite like a big rug to cover up the real issue instead of addressing it.
 
  • #9
Maybe this is why some programmers use "foo" for an arbitrary character string:
Name: Tom Foo Lery
Occupation: bug coder
 
  • #10
anorlunda said:
No no. V50's post was sarcasm.
If the response to bugs is to throw more programmers at the project, then those programmers will probably measure their productivity in lines of code written per month. That will increase the total number of bugs in the project code base.
Very rarely will you find an analyst who can work out how to partition the project into testable chunks, then find and fix the bugs.
Read "The Mythical Man Month" by Frederick Brooks.
https://archive.org/details/mythicalmanmonth00fred
 
  • #11
Baluncore said:
Read "The Mythical Man Month" by Frederick Brooks.
https://archive.org/details/mythicalmanmonth00fred

I loved that book. Haven't heard it mentioned in years.
 
