
Communications of the ACM

ACM Careers

Cramming Software With Thousands of Fake Bugs Could Make It More Secure



It sounds like a joke, but the idea actually makes sense: more bugs, not fewer, could in principle make a system safer. Carefully scatter non-exploitable decoy bugs through the software, and attackers will waste time and resources trying to exploit them. The hope is that attackers get bored, overwhelmed, or run out of time and patience before finding an actual vulnerability.

Computer science researchers at New York University propose this strategy in "Chaff Bugs: Deterring Attackers by Making Software Buggier," calling the fake vulnerabilities "chaff bugs."

Brendan Dolan-Gavitt, assistant professor at NYU Tandon and one of the researchers on the study, said his team has been putting bugs into programs for the past few years as a way to test and evaluate different bug-finding systems. Once they had a way to fill a program with bugs, they started to wonder what else they could do with it. "It occurred to me that this was something we might be able to take advantage of," Dolan-Gavitt said. "People who can write exploits are rare, and their time is expensive, so if you can figure out how to waste it you can potentially have a great deterrent effect."

"Our prototype, which is already capable of creating several kinds of non-exploitable bug and injecting them in the thousands into large, real-world software, represents a new type of deceptive defense that wastes skilled attackers' most valuable resource: time," the researchers write.
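The article does not say how the prototype keeps its injected bugs non-exploitable, so the following is an added illustration, not code from the NYU prototype or the paper, of what a "non-exploitable decoy bug" can look like in C. The same defect (a copy routine that accepts 32 bytes into a 16-byte name buffer) appears in two layouts: in the first the overflowing bytes reach a live is_admin field, so the bug is a real vulnerability; in the second the same bytes can only land in storage that nothing ever reads, so the bug still shows up as an overflow to a fuzzer or triage tool but cannot change program state. The struct names, the ACCEPT_LEN limit, and the attacker payload are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration (not the chaff-bug prototype's code): one apparent
 * buffer overflow, two layouts. The "live" layout is exploitable, the
 * "chaff" layout has the identical defect but the overflow can only reach
 * bytes the program never reads.
 */

#define NAME_LEN   16
#define ACCEPT_LEN 32   /* the injected defect: twice the size of name[] */

struct live_record {
    char    name[NAME_LEN];
    int32_t is_admin;        /* live field directly after the buffer */
    char    reserved[12];    /* keeps the object ACCEPT_LEN bytes long */
};

struct chaff_record {
    char    name[NAME_LEN];
    char    unused[NAME_LEN]; /* dead storage: nothing ever reads it */
    int32_t is_admin;         /* live, but past anything the bug can reach */
};

/*
 * The decoy defect: bounds the copy by ACCEPT_LEN instead of NAME_LEN, so it
 * writes past name[]. The copy is kept inside the enclosing object so the
 * demonstration itself stays well-defined C.
 */
static int set_name(void *rec, size_t rec_size, const unsigned char *src, size_t len)
{
    if (len > ACCEPT_LEN || len > rec_size)   /* wrong limit: should be NAME_LEN */
        return -1;
    memcpy(rec, src, len);                    /* overflows name[] into what follows */
    return 0;
}

/*
 * Constructed attacker input: 16 filler bytes, then a little-endian 1 aimed
 * at the int that follows a 16-byte buffer, then more filler.
 */
static const unsigned char PAYLOAD[ACCEPT_LEN] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    0x01, 0x00, 0x00, 0x00,
    'B','B','B','B','B','B','B','B','B','B','B','B'
};

/* Number of bytes written past name[]: what a fuzzer or triage tool reports
 * for both layouts, which is why the decoy looks like the real thing. */
size_t overflow_bytes(void)
{
    return ACCEPT_LEN - NAME_LEN;
}

/* Live layout: the overflow lands on is_admin, so the payload flips it. */
int live_layout_is_admin_after_overflow(void)
{
    struct live_record r;
    memset(&r, 0, sizeof r);
    set_name(&r, sizeof r, PAYLOAD, sizeof PAYLOAD);
    return r.is_admin;
}

/* Chaff layout: the same 16 extra bytes fill unused[]; is_admin is untouched. */
int chaff_layout_is_admin_after_overflow(void)
{
    struct chaff_record r;
    memset(&r, 0, sizeof r);
    set_name(&r, sizeof r, PAYLOAD, sizeof PAYLOAD);
    return r.is_admin;
}

int main(void)
{
    printf("overflow past name[]: %zu bytes (both layouts)\n", overflow_bytes());
    printf("live layout:  is_admin = %d\n", live_layout_is_admin_after_overflow());
    printf("chaff layout: is_admin = %d\n", chaff_layout_is_admin_after_overflow());
    return 0;
}
```

Two points the example makes visible. The decoy's safety rests on the overflow being confined to dead storage in every build: C lays out struct members in declaration order, so unused[] always sits between name[] and is_admin here, but a decoy whose target is an ordinary stack variable depends on the compiler's frame layout and must be re-checked after every rebuild. And the decoy only costs an attacker time while they cannot see that unused[] is dead; anyone reading the source would discard it immediately, so this style of deception is a defense against people working from the binary.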

From Motherboard