Fixing Bugs, But Bypassing the Source Code
shreshtha contributes this snippet from MIT's Technology Review: "Martin Rinard, a professor of computer science at MIT, is unabashed about the ultimate goal of his group's research: 'delivering an immortal, invulnerable program.' In work presented this month at the ACM Symposium on Operating Systems Principles in Big Sky, MT, his group has developed software that can find and fix certain types of software bugs within a matter of minutes." Interestingly, this software doesn't need access to the source code of the target program.
Who will fix the bugs in the ClearView program?
I wonder if we should turn that software loose on itself and see what it finds.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
This is absolutely correct, so long as one assumes that Windows systems are the only systems, and Linux developers aren't human.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Look at the hex, make changes. The concept is no different than inserting or replacing a JMP to get around software protection.
Exactly! This software sounds like it might work for getting around non-technical vendor-imposed arbitrary limitations.
If you don't feel like paying for the Standard Edition of SQL Server 2005 anymore, now you won't have to; you can just purchase the slightly crippled Workgroup edition, and have ClearView make sure the database keeps on running after it blows by its self-imposed limits. Don't have legal copies of Windows 7? That's OK. Now your government or your office will have a contingency plan, should Microsoft decide to hit the kill switch on you.
Not that I expect this software to work that well. In my mind, there is no substitute for having a real knowledgeable human being tinkering with a hex editor in the same manner as this software will try to do.
That being said, I expect such software to work very well on contrived prepared examples, and I expect such software will make lots of money even if it doesn't work very well in real life. It's the nature of legacy software used in business. You can usually sell any automated magical half-baked solution for untold amounts of money if the customer comes to you at the point he thinks he's about to lose everything (and has no idea of, or no intention of, getting it fixed the right way in the first place).
You can't write an algorithm that takes as input another algorithm and outputs whether that second algorithm is correct or not. Since ClearView must make this decision somehow (this behavior is bad; make it good), the process cannot be algorithmic. However, this is exactly how the vast majority of software is written now: a programmer has a good idea about how to solve the problem, but does not "provably" solve it. If you believe language designers, that's part of the problem. ClearView just adds another layer of heuristics on top of the ones that are already there. Someone has to come up with those rules. This makes the actual work of understanding a program much more complicated. But, you know, the MIT people have been chasing AI for a long time, so maybe they don't think that understanding something is important as long as there's a good simulacrum of the thing they're trying to create. Black box computer science.
Martin Rinard is a talented man with the largest ego in academia. Of course he is "unabashed"; he's never been "abashed" for a moment in his life. Every research project Rinard has completed has been the one he claimed would scoop and shut down all other computer scientists' efforts. Take any claims he makes with a big grain of salt. It's not that he's a fraud, it's just that history shows he isn't nearly as godlike as he thinks or claims to be.
Posted anonymously because I don't need Rinard as an enemy.
Clearview doesn't have to figure out whether the entire program is correct. It just tries to fix what's known to be incorrect (and presumably whether it falls into the subset of bugs it knows how to fix).
You're taking too much of the "Ivory Tower Computer Science" view on this. Car analogy: Clearview isn't figuring out whether the whole car is perfect (in the real world it's 100% likely to be imperfect anyway ;) ), all it does is help detect and fix the holes in the exterior. It doesn't have to perfectly fix stuff.
The sort of "correctness" and "incorrectness" for many security problems is typically "stupid mistakes", nothing very sophisticated.
FWIW I've already manually fixed programs without having the source, and managed to get a program to do stuff the manufacturer said the program can't do ;). I've also fixed a TCL program stored in an Oracle database by hex-editing the Oracle DB file, but since that was TCL it doesn't count as "without the source"...
Just because you can't make it perfect doesn't mean you can't make it work better.
!X id1
id1: Friar Tuck... I am under attack! Pray save me!
id1: Off (aborted)
id2: Fear not, friend Robin! I shall rout the Sheriff of Nottingham's men!
id1: Thank you, my good fellow!
http://catb.org/jargon/html/meaning-of-hack.html
Hah, we're a long way from finishing code to do text boxes and buttons.
There are many improvements:
1) Write them to work with opengl
2) Write them to scale properly at any DPI
3) Have them fully themable via CSS style sheets
4) Have them stylable with SVG files
5) Adding multi-touch support
Also, the Linux kernel has something like 17 separate linked list implementations, each doing slightly different things :)
I once filed a bug report to a developer with instructions on how to reproduce it.
He responded with a fix that involved no changes to the source code.
He said, "don't do that."