Should We Add More Bugs to Code to Defeat Cyber Criminals?

Is the concept of adding more bugs to code an idea worth considering or asking for trouble?

Threat Intel
Dec 5, 2018

Could more bugs be a good thing?

Adding more bugs to code in order to enhance its security is a controversial idea.

This idea came up for discussion a few months ago, when researchers from New York University (NYU) released a research paper titled “Chaff Bugs: Deterring Attackers by Making Software Buggier”. In that paper they basically suggested that developers add the right kind of bugs to software: ones that aren’t exploitable and won’t cause crashes, but will show up in automatic scans when cyber criminals are scanning code for real bugs they could potentially exploit.

What’s the point of that?

The rationale of this approach is that if there are a huge number of bugs in the code, black hat bug hunters will have to work hard and spend a lot of time trying to figure out which are the “real”, exploitable bugs. The researchers detail in the paper the work attackers have to do to figure out whether or not a bug is exploitable: a hacker finds the bug, triages it to figure out if it is exploitable, and then develops and deploys the exploit.

The aim of what the researchers call “chaff” bugs is to slow down the attackers and frustrate their attempts to carry out an attack. The researchers named these bugs in homage to a strategy used by pilots in World War II, who would release a cloud of small pieces of aluminum from their aircraft in order to confuse enemy radar and make the aircraft harder to detect.

And does it work?

The researchers said they ran the buggy software they had developed through the American Fuzzy Lop fuzzer and that all their chaff bugs registered as either Exploitable or Probably Exploitable, meaning a black hat looking to hunt through their code would have to do a lot of manual work in order to eliminate the false leads in the code. So, in that sense, it did work.

So, is this approach a good idea?

This approach is controversial, and some in the security community believe it is outdated and simply a waste of time.

One of the tricky parts of this approach is ensuring that you don’t introduce bugs that end up offering a real exploit to clever attackers. Another issue with this approach is the fact that adding one or two bugs to the code won’t achieve the desired outcome: for this strategy to be effective, hundreds or even thousands of “harmless” bugs would need to be added. Even with automation, this approach would take some time, and it’s arguable that this time would perhaps be better spent cleaning up the code to make it as bug-free as possible. The concept of fake bugs only works as long as the attackers don’t find a fast way of identifying them: once they can identify them, they will be able to ignore them.
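The scale argument in the paragraph above can be made concrete with a small cost model. This is an added example, not taken from the NYU paper or from this post; it assumes the attacker triages candidate bugs in random order at equal cost per bug, that a chaff filter never discards a real bug, and the count of 5 real bugs is a constructed value.

```python
import math
import random
from fractions import Fraction

# Added model, not from the paper. Assumptions: the attacker triages candidate
# bugs in random order, each triage costs the same, and a chaff filter discards
# each chaff bug with probability filter_rate without ever discarding a real bug.

def expected_triages(real, chaff, filter_rate=0.0):
    """Mean number of bugs triaged up to and including the first real one."""
    if real < 1 or chaff < 0 or not 0.0 <= filter_rate <= 1.0:
        raise ValueError("need real >= 1, chaff >= 0, 0 <= filter_rate <= 1")
    # Each surviving chaff bug precedes every real bug with probability 1/(real+1).
    return 1 + chaff * (1 - filter_rate) / (real + 1)

def chaff_needed(real, target_triages, filter_rate=0.0):
    """Smallest chaff count that pushes the mean triage count to the target."""
    if real < 1 or not 0.0 <= filter_rate < 1.0:
        raise ValueError("need real >= 1 and filter_rate < 1 "
                         "(a perfect filter defeats any amount of chaff)")
    rate = Fraction(filter_rate).limit_denominator(1000)   # exact arithmetic
    target = Fraction(target_triages).limit_denominator(1000)
    return max(0, math.ceil((target - 1) * (real + 1) / (1 - rate)))

def simulate(real, chaff, filter_rate=0.0, trials=20000, seed=1):
    """Monte Carlo check of expected_triages under the same assumptions."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        survivors = sum(rng.random() >= filter_rate for _ in range(chaff))
        # Positions of the real bugs in a random ordering of all candidates.
        first_real = min(rng.sample(range(real + survivors), real))
        total += first_real + 1
    return total / trials

if __name__ == "__main__":
    # Constructed scenario: 5 real bugs, varying chaff and filter quality.
    for chaff, rate in [(2, 0.0), (1000, 0.0), (1000, 0.9), (1000, 0.99)]:
        print(f"chaff={chaff:5d} filter={rate:4.2f} "
              f"mean triages={expected_triages(5, chaff, rate):7.2f}")
    print("chaff for 100 triages, no filter:", chaff_needed(5, 100))
    print("chaff for 100 triages, 90% filter:", chaff_needed(5, 100, 0.9))
```

Under these assumptions, two chaff bugs barely change the attacker's workload, while a filter that recognizes 90% of chaff forces the defender to add ten times as many bugs for the same delay.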

However, perfect code is something that is rarely seen, so the idea of obscuring faults with additional harmless bugs may not be totally without merit. Cyber criminals continue to innovate, and bug hunters and cyber protectors need to do likewise, so different ideas to keep our cyber landscape safe are always good to consider.

Symantec’s Threat Hunter team brings you the latest threat intelligence from the IT security world.