NYU Researchers Use Decoy Bugs to Bolster Software Security

Code Under Magnifying GlassWhen cyber criminals try to illicitly gain access to software programs, they typically start by looking for bugs that can be exploited to accept malicious inputs. These vulnerabilities act as hidden back doors that allow hackers to harvest user data, launch denial of service attacks and more. But what if hackers had to wade through large volumes of harmless bugs to find real, exploitable vulnerabilities? Could this derail their workflow and serve as an effective attack deterrent?

That’s what a team of cybersecurity researchers at New York University aims to find out.

Earlier this month, the team published a paper called Chaff Bugs: Deterring Attackers by Making Software Buggier. In their paper, the researchers explore the possibility of stuffing software code with decoy bugs that could intentionally mislead flaw-finding scanners and make it much harder for hackers to find exploitable vulnerabilities.

“Our prototype, which is already capable of creating several kinds of non-exploitable bugs and injecting them in the thousands into large, real-world software, represents a new type of deceptive defense that wastes skilled attackers’ most valuable resource: time,” wrote the researchers in their paper. They go on to explain that “by carefully constraining the conditions under which these bugs manifest and the effects they have on the program, we can ensure that chaff bugs are non-exploitable and will only, at worse, crash the program.”

On paper, this seems like a remarkably clever and pragmatic new approach to software security. In practice, however, the researchers still have their work cut out for them. First and foremost, they must find a way to make their chaff bugs indistinguishable from real bugs. Otherwise, hackers could simply modify their flaw-finding software to ignore the decoy bugs and focus on exploitable vulnerabilities instead.

The researchers must also find a way to develop convincing software bugs that remain harmless even after changes are made to the existing code. Ideally, the decoy bugs shouldn’t make it more difficult for developers to make updates to the code in the future. It’s also worth noting that this strategy would not be an effective security solution for open-source software, where anyone can freely access the software’s source code.

This strategy is still in the early stages of its development, but with additional research and extensive testing, decoy bugs could become viable new tools in the fight against hackers.

Written by Beta Breakers

Beta BreakersWith Experience in Quality Assurance & Testing Desktop Software, Mobile Apps, Websites & Web Applications for Nearly 30 Years, Beta Breakers has become the Premier Software Quality Assurance Labs and Application-Testing Provider - Learn More Here

Receive the latest blog posts from Beta Breakers directly in your inbox

* indicates required

Intuit Mailchimp

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.