So Many Bugs, So Little Time
Several talks at the Black Hat security conference this week in Las Vegas will focus on tools that could make software safer by automatically searching for bugs–and pinpointing the ones that could be most dangerous.
Bug hunting used to be a painstaking process. Researchers found bugs one at a time, figured out what caused each one and what dangers it posed, and revealed it, to a software vendor or publicly, so that it could be fixed. But in recent years, popular software has improved, and bugs aren’t so easy to find. On top of that, commercial programs are increasingly large and complex, making it time-consuming to manually search for potential bugs. However, new software tools are helping to automate the process, which may mean programs that work more reliably and are safer for users.
The development of a technique known as “fuzzing” has led to a shift in the way software bugs are discovered. Fuzzing involves repeatedly feeding randomly altered input into a program until some of that input causes the program to crash. The inputs that cause a crash could reveal an important bug.
Charlie Miller, a security researcher with Baltimore-based Independent Security Evaluators, will discuss fuzzing at Black Hat, a conference that brings together researchers from government, academia, industry, and the hacking underground. Miller explains that only some of the crashes caused through fuzzing have major security implications. The work required to identify important crashes is compounded by a new, more intensive approach called “industrial fuzzing.” Researchers are now turning to new tools to help quickly sort through these bugs.
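The fuzz-then-sort loop described above, as an added sketch that is not from the article or from any tool it names: a seeded mutation fuzzer runs against a constructed toy parser with two planted bugs, then groups crashing inputs by exception type and crash site so that many crashes collapse into a few distinct bugs. The record format and every name here (`parse_record`, `mutate`, `fuzz`, `SEED`) are assumptions made for illustration.

```python
import random
import traceback
from collections import defaultdict

# Constructed sample input: magic 'R', length=3, divisor=2, payload b"abc".
SEED = b"R\x03\x02abc"

def parse_record(data: bytes) -> int:
    """Toy parser (constructed for this example) with two planted bugs."""
    if len(data) < 4 or data[0] != 0x52:
        raise ValueError("bad header")   # clean rejection, not a crash
    length, divisor = data[1], data[2]
    payload = data[3:]
    _last = payload[length - 1]          # bug A: length field is never validated
    return sum(payload) // divisor       # bug B: divisor may be zero

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Overwrite one to three random bytes of the seed input."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)

def fuzz(target, seed: bytes, iterations: int = 20000, rng_seed: int = 1):
    """Run mutated inputs through target; bucket crashes by (type, function, line)."""
    rng = random.Random(rng_seed)        # fixed seed keeps every run reproducible
    buckets = defaultdict(list)
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue                     # input rejected as designed
        except Exception as exc:         # anything else counts as a crash
            site = traceback.extract_tb(exc.__traceback__)[-1]
            buckets[(type(exc).__name__, site.name, site.lineno)].append(case)
    return buckets

if __name__ == "__main__":
    for (kind, func, line), cases in sorted(fuzz(parse_record, SEED).items()):
        # One representative input per bucket is enough to start root-cause work.
        print(f"{kind} in {func}:{line}  crashes={len(cases)}  sample={cases[0]!r}")
```

Bucketing by crash site is only a first pass: it says which crashes share a cause, not which of them matter for security.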
Ben Nagy, a senior security researcher with the Singapore-based COSEINC, is one of the researchers credited with inventing industrial fuzzing. He is developing a tool that could help researchers figure out precisely where a program has gone wrong after a crash occurs. He’s been working with colleagues to mine data on hundreds of thousands of crashes, in search of patterns that can be used to reliably predict the cause of a crash.
Miller will also present a possible solution for analyzing crashes–a platform known as BitBlaze, created by researchers at the University of California, Berkeley, including Dawn Song. BitBlaze is a set of tools that can follow exactly what’s happening within a program, making it easier to analyze the potential security flaws found through industrial fuzzing. Miller says BitBlaze can trace the path of a single byte of information, track every instruction the program executes, and find where execution differed from normal function.
Miller used BitBlaze to analyze crashes involving both Adobe Reader and Open Office. Before using the software, he says he spent up to a week analyzing the cause of some software crashes. With BitBlaze, Miller says he can analyze some crashes almost instantly, while others take up to a day.
If industrial fuzzing turns out to work on all types of software, it could change the way companies test to make sure their code functions and is secure, says Vincenzo Iozzo, an engineer for Zynamics, a security company based in Bochum, Germany. Instead of hiring experts to review software by hand, software companies could automate the review process, Iozzo says. However, this simply shifts the problem to analyzing the bugs and figuring out how to fix them. “There is no way to be 100 percent sure that a bug is exploitable or not without human intervention,” he says.