Dive Brief:
- Instead of routinely hunting and killing bugs, new research proposes adding "chaff bugs" to programs to make them safer. By making software "buggier," attackers could be baited, overwhelmed by the number of bugs in a system and eventually give up their search, according to a study by researchers Zhenghao Hu, Yu Hu and Brendan Dolan-Gavitt of New York University.
- Chaff bugs can be designed to be "nonexploitable" when the conditions under which the bugs manifest are constrained and controlled, according to the report. Under these conditions, the worst a chaff bug can do is crash a system.
- To implement them, developers take a program they've written that is closed and go through it adding a large quantity of chaff bugs. The bugs are real and intentionally detectable, said Dolan-Gavitt, an assistant professor at NYU, in an interview with CIO Dive.
Dive Insight:
Programming languages lacking "memory safety guarantees," such as C and C++, often fall victim to programming errors that lead to memory corruption, according to the research. The resulting bugs can be exploited by bad actors.
Exploiting a bug is a manual and usually time-consuming process. The same is true for detecting potentially vulnerable bugs. No matter what progress has been made in automated detection, there's no guarantee that every bug can be discovered.
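The design constraint from the Dive Brief (a chaff bug is real and detectable, yet at worst can only crash the program) and the memory-corruption point above can be made concrete with a small C example. This is an added illustration, not code from the paper or from the NYU researchers: the `struct record` layout, the `chaff_copy` function and the two constraints it applies (the overflow is clamped so it can only reach a padding region the program never reads, and the bytes written there are masked to a small range) are assumptions chosen to show the idea, not the paper's own construction.

```c
#include <stdio.h>
#include <string.h>

/* Constructed record layout (assumption for this illustration): the sensitive
 * field is placed beyond a padding region that the program never reads. */
struct record {
    char name[16];           /* intended destination of the copy */
    unsigned char pad[16];   /* unused data: the only bytes the bug can reach */
    int is_admin;            /* sensitive field the bug must never touch */
};

/* A deliberately loose copy: it accepts up to 32 bytes for a 16-byte field, so
 * an input of 17..32 bytes really does write past `name`. That is the bug a
 * reviewer or a field-aware bounds check can find. Two constraints keep it
 * from being useful:
 *  1. the length is clamped so the write can never pass `pad`;
 *  2. every byte that lands in `pad` is masked to the range 0..3.
 * Returns 0 on success, -1 when the clamp rejects the input. */
int chaff_copy(struct record *r, const char *src, size_t len) {
    size_t limit = sizeof r->name + sizeof r->pad;   /* 32 bytes */
    if (len > limit)
        return -1;
    unsigned char *base = (unsigned char *)r;
    for (size_t i = 0; i < len; i++) {
        unsigned char b = (unsigned char)src[i];
        if (i >= sizeof r->name)
            b &= 0x03;   /* overconstrained: out-of-field bytes keep 2 bits */
        base[i] = b;
    }
    return 0;
}

/* Checks the invariants a reviewer would want after the bug has fired:
 * the sensitive field is untouched and every stray byte is within 0..3.
 * Returns 1 when the record is safe, 0 otherwise. */
int record_is_safe(const struct record *r) {
    if (r->is_admin != 0)
        return 0;
    for (size_t i = 0; i < sizeof r->pad; i++)
        if (r->pad[i] > 0x03)
            return 0;
    return 1;
}

/* Runs the constructed scenario: a 32-byte input (16 bytes too long for the
 * field), then a 33-byte request that must be rejected.
 * Returns 1 when every check passes, 0 otherwise. */
int run_demo(void) {
    struct record r;
    char input[32];
    memset(&r, 0, sizeof r);
    memset(input, 0xFF, sizeof input);          /* all bits set: worst case */
    if (chaff_copy(&r, input, sizeof input) != 0)
        return 0;                                /* the bug must actually fire */
    if ((unsigned char)r.name[15] != 0xFF)
        return 0;                                /* ...and be observable */
    if (chaff_copy(&r, input, sizeof input + 1) != -1)
        return 0;                                /* the clamp must reject 33 */
    return record_is_safe(&r);
}

int main(void) {
    printf("record safe after the chaff bug fires: %s\n",
           run_demo() ? "yes" : "no");
    return 0;
}
```

The out-of-bounds write into `name` is genuine and findable, which is what makes the bug look worth an attacker's time; the two constraints are what turn that time into wasted effort, because the corrupted bytes are never read and could not carry an attacker-chosen value even if they were.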
However, keeping in mind the skills and time needed to successfully exploit a bug is essential for security, according to Dolan-Gavitt. It always "helps to have an economic mindset" for cybersecurity, and that is the central focus of the chaff bug research.
Adding chaff bugs is meant to deplete the bad actor's return on investment, because repeatedly coming across them "baffles and confuses the enemy," he said.
But Dolan-Gavitt warns that the research is "not something you want to try out for yourself today" because there are still "practical issues" awaiting resolution. For example, the chaff bugs look artificial and "hackers would know better."
There has been "valid pushback" against the new research, said Dolan-Gavitt, because it's an idea still in its infancy that needs more exploring. Though it's hard to predict a timeline for when the research could be commercialized, even if it comes to fruition, a minefield of fake bugs could still have a negative impact on "honest" security researchers, he said.