Hello,

We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

Intelligent Machines

So Many Bugs, So Little Time

Tools that find serious bugs automatically could lead to safer, more stable software.

Several talks at the Black Hat security conference this week in Las Vegas will focus on tools that could make software safer by automatically searching for bugs–and pinpointing the ones that could be most dangerous.

Bug hunting used to be a painstaking process. Researchers found one at a time, figured out what caused it and what dangers it posed, and revealed it, to a software vendor or publicly, so that it could be fixed. But in recent years, popular software has improved, and bugs aren’t so easy to find. On top of that, commercial programs are increasingly large and complex, making it time-consuming to manually search for potential bugs. However, new software tools are helping to automate the process, which may mean programs that work more reliably and are safer for users.

The development of a technique known as “fuzzing” has led to a shift in the way software bugs are discovered. Fuzzing involves repeatedly feeding randomly altered input into a program, causing the program to crash. Those inputs that caused it to crash could reveal an important bug.

Charlie Miller, a security researcher with Baltimore-based Independent Security Evaluators will discuss fuzzing at Black Hat, a conference that brings together researchers from government, academia, industry, and the hacking underground. Miller explains that only some of the crashes caused through fuzzing have major security implications. The work required to identify important crashes is compounded by a new, more intensive approach called “industrial fuzzing.” Researchers are now turning to new tools to help quickly sort through these bugs.

Ben Nagy, a senior security researcher with the Singapore-based COSEINC, is one of the researchers credited with inventing industrial fuzzing. He is developing a tool that could help researchers figure out precisely where a program has gone wrong after a crash occurs. He’s been working with colleagues to mine data on hundreds of thousands of crashes, in search of patterns that can be used to reliably predict the cause of a crash.

Miller will also present a possible solution for analyzing crashes–a platform known as BitBlaze, created by researchers at the University of California, Berkeley, including Dawn Song. BitBlaze is a set of tools that can follow exactly what’s happening within a program, making it easier to analyze the potential security flaws found through industrial fuzzing. Miller says BitBlaze can trace the path of a single byte of information, and track every instruction the program executes and find where it differed from normal function.

Miller used BitBlaze to analyze crashes involving both Adobe Reader and Open Office. Before using the software, he says he spent up to a week analyzing the cause of some software crashes. With BitBlaze, Miller says he can analyze some crashes almost instantly, while others take up to a day.

If industrial fuzzing turns out to work on all types of software, it could change the way companies test to make sure their code functions and is secure, says Vincenzo Iozzo, an engineer for Zynamics, a security company based in Bochum, Germany. Instead of hiring experts to review software by hand, software companies could automate the review process, Iozzo says. However, this simply shifts the problem to analyzing the bugs and figuring out how to fix them. “There is no way to be 100 percent sure that a bug is exploitable or not without human intervention,” he says.

Couldn't get to Cambridge? We brought EmTech MIT to you!

Watch session videos here
More from Intelligent Machines

Artificial intelligence and robots are transforming how we work and live.

Want more award-winning journalism? Subscribe and become an Insider.
  • Insider Plus {! insider.prices.plus !}* Best Value

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    Print + Digital Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

    Technology Review PDF magazine archive, including articles, images, and covers dating back to 1899

    10% Discount to MIT Technology Review events and MIT Press

    Ad-free website experience

  • Insider Basic {! insider.prices.basic !}*

    {! insider.display.menuOptionsLabel !}

    Six issues of our award winning print magazine, unlimited online access plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    Print Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

  • Insider Online Only {! insider.prices.online !}*

    {! insider.display.menuOptionsLabel !}

    Unlimited online access including articles and video, plus The Download with the top tech stories delivered daily to your inbox.

    See details+

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

/3
You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.