Several talks at the Black Hat security conference this week in Las Vegas will focus on tools that could make software safer by automatically searching for bugs–and pinpointing the ones that could be most dangerous.
Bug hunting used to be a painstaking process. Researchers found one at a time, figured out what caused it and what dangers it posed, and revealed it, to a software vendor or publicly, so that it could be fixed. But in recent years, popular software has improved, and bugs aren’t so easy to find. On top of that, commercial programs are increasingly large and complex, making it time-consuming to manually search for potential bugs. However, new software tools are helping to automate the process, which may mean programs that work more reliably and are safer for users.
The development of a technique known as “fuzzing” has led to a shift in the way software bugs are discovered. Fuzzing involves repeatedly feeding randomly altered input into a program, causing the program to crash. Those inputs that caused it to crash could reveal an important bug.
Charlie Miller, a security researcher with Baltimore-based Independent Security Evaluators will discuss fuzzing at Black Hat, a conference that brings together researchers from government, academia, industry, and the hacking underground. Miller explains that only some of the crashes caused through fuzzing have major security implications. The work required to identify important crashes is compounded by a new, more intensive approach called “industrial fuzzing.” Researchers are now turning to new tools to help quickly sort through these bugs.
Ben Nagy, a senior security researcher with the Singapore-based COSEINC, is one of the researchers credited with inventing industrial fuzzing. He is developing a tool that could help researchers figure out precisely where a program has gone wrong after a crash occurs. He’s been working with colleagues to mine data on hundreds of thousands of crashes, in search of patterns that can be used to reliably predict the cause of a crash.
Miller will also present a possible solution for analyzing crashes–a platform known as BitBlaze, created by researchers at the University of California, Berkeley, including Dawn Song. BitBlaze is a set of tools that can follow exactly what’s happening within a program, making it easier to analyze the potential security flaws found through industrial fuzzing. Miller says BitBlaze can trace the path of a single byte of information, and track every instruction the program executes and find where it differed from normal function.
Miller used BitBlaze to analyze crashes involving both Adobe Reader and Open Office. Before using the software, he says he spent up to a week analyzing the cause of some software crashes. With BitBlaze, Miller says he can analyze some crashes almost instantly, while others take up to a day.
If industrial fuzzing turns out to work on all types of software, it could change the way companies test to make sure their code functions and is secure, says Vincenzo Iozzo, an engineer for Zynamics, a security company based in Bochum, Germany. Instead of hiring experts to review software by hand, software companies could automate the review process, Iozzo says. However, this simply shifts the problem to analyzing the bugs and figuring out how to fix them. “There is no way to be 100 percent sure that a bug is exploitable or not without human intervention,” he says.
Why China is still obsessed with disinfecting everything
Most public health bodies dealing with covid have long since moved on from the idea of surface transmission. China’s didn’t—and that helps it control the narrative about the disease’s origins and danger.
Anti-aging drugs are being tested as a way to treat covid
Drugs that rejuvenate our immune systems and make us biologically younger could help protect us from the disease’s worst effects.
These materials were meant to revolutionize the solar industry. Why hasn’t it happened?
Perovskites are promising, but real-world conditions have held them back.
A quick guide to the most important AI law you’ve never heard of
The European Union is planning new legislation aimed at curbing the worst harms associated with artificial intelligence.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.