Fixing Bugs, But Bypassing the Source Code

shreshtha contributes this snippet from MIT's Technology Review: "Martin Rinard, a professor of computer science at MIT, is unabashed about the ultimate goal of his group's research: 'delivering an immortal, invulnerable program.' In work presented this month at the ACM Symposium on Operating Systems Principles in Big Sky, MT, his group has developed software that can find and fix certain types of software bugs within a matter of minutes." Interestingly, this software doesn't need access to the source code of the target program.

Re:MS will probably kill it

[SnarfQuest]

If MS included this in Windows, you'd never get to see the login screen because the CPU would be so busy fixing bugs.

clearview

[wizardforce]

If the programs that Clearview is monitering/patching are the target, wouldn't it make sense for an attacker to focus on Clearview first? Perhaps even alter its function to serve the purposes of the attacker instead of the user. Why attack the programs it is patching when you could hit Clearview and gain the ability to hijack everything it is patching?

Re:clearview

[BitZtream]

Really ... they know what they are doing? Then why is it called:

Research

If they knew what they were doing it wouldn't really be research would it.

ALL software has bugs. Adding more software to fix bugs ... introduces more bugs.

This doesn't just apply to software, it applies to just about everything, right down to the atoms that make of the universe from our perspective. As far as we can figure, the universe itself will break down to a state that will no longer support life as we know it. Adding more layers of protection falls under the laws of diminishing returns, software, hardware, bridges, cars, or molecules.

Sensationalism ruined it for me

[billcopc]

When a potentially harmful vulnerability is discovered in a piece of software, it takes nearly a month on average for human engineers to come up with a fix and to push the fix out to affected systems

Yes. It takes us 5 seconds to an hour to actually come up with the fix, the remainder of the month is spent in bureaucratic hell - sitting in a trouble ticket queue, sitting in a verification queue, sitting in a QA manager's inbox, sitting with the communications team.

Clearview, if it does what it says on the tin, only addresses the 5 second problem. Any "sane" dev shop would still run the resultant patch through the many cogs and loops of modern software management. You won't get your hole patched any quicker, you'll just have shifted the coders' attention away from your own app's bugs, and onto Clearview's bugs. Net gain: less than zero.

Theoretically and conceptually, it's an interesting tool (you know, like Intercal). It just doesn't really fit in the industry, IMHO.

How about

[raddan]

"Entscheidungsproblem". You'd think a professor of CS at MIT would have heard of it.

Re:How about

[Migala77]

ClearView doesn't have to prove that a program is either correct or incorrect. It only has to detect certain types of bugs, and fix them. There is no guarantee your program is correct after running it.

And personally I can't think of any cases where a buffer overflow is part of a correct program...

Re:How about

[eggnoglatte]

Except that you are making two mistakes:

- the Entscheidungsproblem refers to the problem of finding a general solution that will determine for all possible programs whether or not they are correct. This is an undecidable problem. However, this does NOT mean you can't find a solution for certain subclasses of programs, or a program that finds certain kinds of flaws.

- also, you already know there is an error (otherwise the program wouldn't be triggered), and the type of error (e.g. NULL pointer, array index out of bounds etc.) . That makes much easier again than the general Entscheidungsproblem.

Re:How about

[blueg3]

Your claim to expertise is having read a single popular book, but you can't spot the common error of claiming because a general solution can't exist, no specific solution can exist?

Re:How about

[marciot]

Car analogy - Clearview isn't figuring out whether the whole car is perfect (in the real world it's 100% likely to be imperfect anyway ;) ), all it does is help detect and fix the holes in the exterior.

I ran this program on my car and all was good until I went to fill up the gas tank. Bloody hell, Clearview got rid of the gas tank orifice!

Re:Did they use that tool to develop that tool?

[Wonko+the+Sane]

The fiendish prof announced that he will run that code through itself. Whatever letter grade it spits out will be his thesis grade. He got a D. He begged and cried and threw a hissy fit and wangled a B and scraped through the degree.

Fiendish? What could possibly be more fair and objective than making him eat his own dogfood?

Re:Did they use that tool to develop that tool?

[KillerBob]

Either that or put in an author check that automatically spits out an A+ if it detects that the author of the code was himself....

Re:MS will probably kill it

[Missing_dc]

Me-thinks someone sounds jealous they did not think of it first.