When cyber criminals try to illicitly gain access to software programs, they typically start by looking for bugs that can be exploited to accept malicious inputs. These vulnerabilities act as hidden back doors that allow hackers to harvest user data, launch denial of service attacks and more. But what if hackers had to wade through large volumes of harmless bugs to find real, exploitable vulnerabilities? Could this derail their workflow and serve as an effective attack deterrent?
That’s what a team of cybersecurity researchers at New York University aims to find out.
Earlier this month, the team published a paper called Chaff Bugs: Deterring Attackers by Making Software Buggier. In their paper, the researchers explore the possibility of stuffing software code with decoy bugs that could intentionally mislead flaw-finding scanners and make it much harder for hackers to find exploitable vulnerabilities.
“Our prototype, which is already capable of creating several kinds of non-exploitable bugs and injecting them in the thousands into large, real-world software, represents a new type of deceptive defense that wastes skilled attackers’ most valuable resource: time,” wrote the researchers in their paper. They go on to explain that “by carefully constraining the conditions under which these bugs manifest and the effects they have on the program, we can ensure that chaff bugs are non-exploitable and will only, at worse, crash the program.”
On paper, this seems like a remarkably clever and pragmatic new approach to software security. In practice, however, the researchers still have their work cut out for them. First and foremost, they must find a way to make their chaff bugs indistinguishable from real bugs. Otherwise, hackers could simply modify their flaw-finding software to ignore the decoy bugs and focus on exploitable vulnerabilities instead.
The researchers must also find a way to develop convincing software bugs that remain harmless even after changes are made to the existing code. Ideally, the decoy bugs shouldn’t make it more difficult for developers to make updates to the code in the future. It’s also worth noting that this strategy would not be an effective security solution for open-source software, where anyone can freely access the software’s source code.
This strategy is still in the early stages of its development, but with additional research and extensive testing, decoy bugs could become viable new tools in the fight against hackers.