Slashdot Mirror


MIT System Fixes Software Bugs Without Access To Source Code

jan_jes writes: MIT researchers have presented a new system at the Association for Computing Machinery's Programming Language Design and Implementation conference that repairs software bugs by automatically importing functionality from other, more secure applications. According to MIT, "The system, dubbed CodePhage, doesn't require access to the source code of the applications. Instead, it analyzes the applications' execution and characterizes the types of security checks they perform. As a consequence, it can import checks from applications written in programming languages other than the one in which the program it's repairing was written."

17 of 78 comments

  1. Hmmm .... by gstoddart · · Score: 5, Insightful

    And to whom do you file the bug report again?

    I can just imagine it now "Yeah, we run this cool thing called CodePhage which patched the software, but now it broke". They'll laugh at you and hang up.

    This sounds like an automated system for mangling together random bits of software and hoping you still have something usable.

    "The longer-term vision is that you never have to write a piece of code that somebody else has written before," Rinard says. "The system finds that piece of code and automatically puts it together with whatever pieces of code you need to make your program work."

    Sounds totally cool. Also sounds like complete fiction.

    --
    Lost at C:>. Found at C.
    1. Re:Hmmm .... by xxxJonBoyxxx · · Score: 4, Insightful

      >>>> system finds that piece of code and automatically puts it together with whatever pieces of code you need to make your program work
      >> sounds like complete fiction
      I think we already do this with libraries and dependencies...just not at the executable level.

    2. Re:Hmmm .... by H0p313ss · · Score: 2

      Sounds totally cool. Also sounds like complete fiction.

      I think you mean Phiction.

      --
      XML is a known as a key material required to create SMD: Software of Mass Destruction
    3. Re:Hmmm .... by bondsbw · · Score: 2

      DLL Hell is a known problem and measures are usually taken to prevent breaking too much software in the wild.

      This seems more like replacing a crying baby with one that looks about the same but doesn't cry as much, and saying "same thing".

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    4. Re:Hmmm .... by Anonymous Coward · · Score: 2, Interesting

      Also: Versioning.

      VERSIONING, VERSIONING, VERSIONING, VERSIONING...

      What is your version number after this 'fix'? This seems like a nice way to fork off yet another forked fork of a forked codebase, except now we're forking binaries as well as sources.

      Y'know those "Warranty Void If Removed" stickers they put on electronics? Y'know those painted tamper-proof screws they put in your Mac? They put those there to stop you fucking around inside the box, because you can easily fuck things up and they won't know how to fix it. A binary file has an implied "Warranty Void If Removed" sticker on it. You fucked with it. Good luck.

    5. Re:Hmmm .... by Pieroxy · · Score: 3

      The problem is that it gives a false sense of security. Your favorite bank can now fire those two last skilled people and get 10 more dumb Indians (note: not all Indians are dumb) to piss off shitty code. Just run their "CodePhage magic" and you still have a software full of holes (but a little less than if you didn't run it.)

      The problem is just that now that you have fired those two people that knew what they were talking about, you're just clueless about what is going on.

    6. Re:Hmmm .... by ckatko · · Score: 2

      What about this system detecting I have a bug and then replacing my secure, working software module with a new unknown exploit? Or even a known exploit à la Nation-State?

    7. Re:Hmmm .... by VorpalRodent · · Score: 5, Funny

      I tried that, but the parent process was *not* happy!

      --
      Take it to the limit, everybody to the limit, come on, everybody fhqwhgads.
    8. Re:Hmmm .... by RabidReindeer · · Score: 3, Funny

      >>>> system finds that piece of code and automatically puts it together with whatever pieces of code you need to make your program work

      Hey! Why does my Windows 10 system boot up with a picture of a penguin?

  2. Excellent Now Translate by pubwvj · · Score: 2

    An excellent idea. On a very closely related thought this same sort of idea can be used to translate software so that what ran on older legacy platforms or incompatible platforms can automatically be able to run on newer hardware. Imagine you buy the latest greatest Cray SuperComputer Watch and it will run all your Android, Apple Watch, iPhone, MacOSX, Windows, Unix, DEC, Exidy, TRS-80, CPM and other software. Suddenly you can upgrade your hardware without the worry of losing access to your data. We need this in a big way.

  3. "TFS" by halivar · · Score: 2

    I was really confused, because of the context my brain immediately went to Team Foundation Server. I was like, "What? The Fucking Summary never mentioned TFS... oooooh, I see...."

  4. Malware vector... by bwcbwc · · Score: 2

    The NSA is going to love this one. If the CodePhage can inject "clean" code, there's nothing that prevents it from being revamped to inject malicious code.

    Alternatively, if your site needs a level of security where you need this type of "live" patching, you need a level of security that would prevent CodePhage from making the updates in the first place.

    Sounds like it might be a useful test and bug detection tool, but not for live environments.

    --
    We are the 198 proof..
    1. Re:Malware vector... by FranTaylor · · Score: 2

      Alternatively, if your site needs a level of security where you need this type of "live" patching,

      Why is this only applicable in high security applications? Why can't it be used to fix bugs in user interfaces?

  5. Sayonara Copy Protection and Key Checks!!! by neversleepy · · Score: 3, Insightful

    Woo hoo. Finally I can treat the copy protection and CONSTANT recurring key checks as bugs in the software I have paid for!

    1. Re:Sayonara Copy Protection and Key Checks!!! by Bert64 · · Score: 4, Insightful

      Pirates already have versions with these bugs fixed, widely available from various torrent sites.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  6. Bugs magically disappear when I am called by RPGonAS400 · · Score: 2

    A user calls and says they have a problem with program x so they call me. When they get there, they cannot reproduce the bug. We assume that the software knows that it is whipped once I come into the picture so it fixes itself. You would not believe how many times this has happened over 30+ years.

  7. Re:Smell test by WilCompute · · Score: 2

    In fact, you are correct. The article claims they don't have to have the source, but that is only partly true. The recipient, the program that has a bug, must have the source code. The donor, the program that does not suffer from the bug, does not need to have the source code. And this is perhaps the interesting part.

    So, say you are creating an open source Office program, and you obviously need to open .doc files. You have mostly everything working, but now you have this one file that crashes your program, but doesn't crash Office. Instead of spending the time to find it, CodePhage allows you to point it at your source code, and at Office, and it will build an internal set of debug-like codes of each program. You need to run it on your code with a working example file, then run it with the non-working file, it will figure out what you are doing, then it will open the same file with Office, find out if you are doing something out of order or if there is a check you aren't running, and the article describes in a little more detail how it works, though not the nitty gritty. It then modifies your source code, and runs it again, and sees if the changes fix it, if not it will continue until it does.

    They say in general the bugs they tested were fixed in 20 to 90 minutes.

    --
    NDxTreme Content on the Edge.
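
The loop described in the last comment (run a working and a crashing input, find a check the donor performs that the recipient lacks, insert it, re-run to validate) can be shown with a toy model. This is an added sketch, not part of any comment and not CodePhage's code: the file format, `DONOR_CHECKS`, `donor_trace`, `recipient` and `repair` are all hypothetical, and the donor's check outcomes are recorded directly here as a stand-in for instrumenting a binary.

```python
import struct

# Constructed inputs: header of two little-endian uint16 (width, height), then pixels.
GOOD = struct.pack("<HH", 2, 2) + bytes(4)
BAD = struct.pack("<HH", 4096, 4096) + bytes(4)  # declares more pixels than it carries

def fields(data):
    w, h = struct.unpack_from("<HH", data)
    return {"w": w, "h": h, "payload": len(data) - 4}

# Donor: we only observe which checks each run passed or failed (assumed trace format).
DONOR_CHECKS = [
    ("nonzero_dims", lambda f: f["w"] > 0 and f["h"] > 0),
    ("payload_covers_pixels", lambda f: f["w"] * f["h"] <= f["payload"]),
]

def donor_trace(data):
    f = fields(data)
    return [(name, check(f)) for name, check in DONOR_CHECKS]

def recipient(data, guards=()):
    """Buggy recipient: trusts the header. `guards` are checks inserted by repair()."""
    f = fields(data)
    if not all(check(f) for check in guards):
        return "rejected"
    pixels = data[4:]
    return [pixels[i] for i in range(f["w"] * f["h"])]  # IndexError on BAD

def crashes(data, guards=()):
    try:
        recipient(data, guards)
        return False
    except IndexError:
        return True

def repair(good, bad):
    """Transfer donor checks that pass on `good` and fail on `bad` until validated."""
    lookup = dict(DONOR_CHECKS)
    diverging = [name for (name, g), (_, b)
                 in zip(donor_trace(good), donor_trace(bad)) if g and not b]
    names, guards = [], []
    for name in diverging:
        names.append(name)
        guards.append(lookup[name])
        # Validate: crash is gone and behaviour on the working input is unchanged.
        if not crashes(bad, guards) and recipient(good, guards) == recipient(good):
            return names, guards
    return None, []
```

The validation step is what answers the "and now it broke" objection raised earlier in the thread only partially: it proves the patch on the two inputs supplied, not on inputs nobody tested.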