So Many Bugs, So Little Time

Several talks at the Black Hat security conference this week in Las Vegas will focus on tools that could make software safer by automatically searching for bugs–and pinpointing the ones that could be most dangerous.

Bug hunting used to be a painstaking process. Researchers found one at a time, figured out what caused it and what dangers it posed, and revealed it, to a software vendor or publicly, so that it could be fixed. But in recent years, popular software has improved, and bugs aren’t so easy to find. On top of that, commercial programs are increasingly large and complex, making it time-consuming to manually search for potential bugs. However, new software tools are helping to automate the process, which may mean programs that work more reliably and are safer for users.

The development of a technique known as “fuzzing” has led to a shift in the way software bugs are discovered. Fuzzing involves repeatedly feeding randomly altered input into a program, causing the program to crash. Those inputs that caused it to crash could reveal an important bug.

Charlie Miller, a security researcher with Baltimore-based Independent Security Evaluators will discuss fuzzing at Black Hat, a conference that brings together researchers from government, academia, industry, and the hacking underground. Miller explains that only some of the crashes caused through fuzzing have major security implications. The work required to identify important crashes is compounded by a new, more intensive approach called “industrial fuzzing.” Researchers are now turning to new tools to help quickly sort through these bugs.

Ben Nagy, a senior security researcher with the Singapore-based COSEINC, is one of the researchers credited with inventing industrial fuzzing. He is developing a tool that could help researchers figure out precisely where a program has gone wrong after a crash occurs. He’s been working with colleagues to mine data on hundreds of thousands of crashes, in search of patterns that can be used to reliably predict the cause of a crash.

Miller will also present a possible solution for analyzing crashes–a platform known as BitBlaze, created by researchers at the University of California, Berkeley, including Dawn Song. BitBlaze is a set of tools that can follow exactly what’s happening within a program, making it easier to analyze the potential security flaws found through industrial fuzzing. Miller says BitBlaze can trace the path of a single byte of information, and track every instruction the program executes and find where it differed from normal function.

Miller used BitBlaze to analyze crashes involving both Adobe Reader and Open Office. Before using the software, he says he spent up to a week analyzing the cause of some software crashes. With BitBlaze, Miller says he can analyze some crashes almost instantly, while others take up to a day.

If industrial fuzzing turns out to work on all types of software, it could change the way companies test to make sure their code functions and is secure, says Vincenzo Iozzo, an engineer for Zynamics, a security company based in Bochum, Germany. Instead of hiring experts to review software by hand, software companies could automate the review process, Iozzo says. However, this simply shifts the problem to analyzing the bugs and figuring out how to fix them. “There is no way to be 100 percent sure that a bug is exploitable or not without human intervention,” he says.