Slashdot Mirror


Can The Mayhem AI Automate Bug-Patching? (technologyreview.com)

"Now when a machine is compromised it takes days or weeks for someone to notice and then days or weeks -- or never -- until a patch is put out," says Carnegie Mellon professor David Brumley. "Imagine a world where the first time a hacker exploits a vulnerability he can only exploit one machine and then it's patched." An anonymous reader quotes MIT Technology Review: Last summer the Pentagon staged a contest in Las Vegas in which high-powered computers spent 12 hours trying to hack one another in pursuit of a $2 million purse. Now Mayhem, the software that won, is beginning to put its hacking skills to work in the real world... Teams entered software that had to patch and protect a collection of server software, while also identifying and exploiting vulnerabilities in the programs under the stewardship of its competitors... ForAllSecure, cofounded by Carnegie Mellon professor David Brumley and two of his PhD students, has started adapting Mayhem to be able to automatically find and patch flaws in certain kinds of commercial software, including that of Internet devices such as routers.

Tests are underway with undisclosed partners, including an Internet device manufacturer, to see if Mayhem can help companies identify and fix vulnerabilities in their products more quickly and comprehensively. The focus is on addressing the challenge of companies needing to devote considerable resources to supporting years of past products with security updates... Last year, Brumley published results from feeding almost 2,000 router firmware images through some of the techniques that powered Mayhem. Over 40%, representing 89 different products, had at least one vulnerability. The software found 14 previously undiscovered vulnerabilities affecting 69 different software builds. ForAllSecure is also working with the Department of Defense on ideas for how to put Mayhem to real world use finding and fixing vulnerabilities.

23 comments

  1. No by Anonymous Coward · Score: 0

    Source: Betteridge

  2. Imagine by Anne+Thwacks · Score: 4, Insightful

    Imagine a world where pigs not only fly, but miraculously slice themselves into bacon before landing in the frying pan without a drop of oil splashing anywhere!

    No robots ain't patching my servers, not nohow, no siree!

    --
    Sent from my ASR33 using ASCII

    1. Re: Imagine by Anonymous Coward · Score: 0

      You sound old. Since you refuse to follow popular youth trends, you're being left behind. We the trendy are doing you a tremendous courtesy by giving you notice, because normally we'd just ignore you until you die.

    2. Re: Imagine by Tablizer · Score: 1

      borg.node.mongo.js

    3. Re: Imagine by Anonymous Coward · Score: 1

      I tried to run that, it claims that "left-pad" is missing and aborts.

    4. Re:Imagine by Lennie · Score: 1

      Didn't you hear?

      The Late Show with Stephen Colbert - Bacon Shortage Could Make For A Less-Than-Super Sunday

      https://www.youtube.com/watch?...

      --
      New things are always on the horizon

    5. Re: Imagine by Tablizer · Score: 1

      Just plug in a replacement function found randomly on the Web. Russia and Nigeria often publish such if you search less-known areas of the wonderful Internet.

    6. Re:Imagine by lsatenstein · Score: 1

      Imagine a world where pigs not only fly, but miraculously slice themselves into bacon before landing in the frying pan without a drop of oil splashing anywhere!

      No robots ain't patching my servers, not nohow, no siree!

      Pigs are not kosher or halal.

      --
      Leslie Satenstein Montreal Quebec Canada

  3. Nope by Anonymous Coward · Score: 0

    Lol @ calling this, or anything, "AI"

  4. Probably. If the bugs we're talking about are by Anonymous Coward · Score: 0

    Y2K in interpreted scripts.

    Otherwise, no.

  5. Trust - But Verify by Anonymous Coward · Score: 1

    1. Mayhem should be open-source.

    2. Keep the FBI and the NSA's sticky little fingers out of the code.

    1. Re:Trust - But Verify by Anonymous Coward · Score: 0

      The government is one of the largest stakeholders for anything developed at Carnegie Mellon. The DOD alone contributes millions of dollars to Carnegie Mellon in the form of research grants, and Carnegie Mellon is hardly the only university that is a recipient of government money. The forerunner of today's Internet was a government-funded DARPA project that was originally aimed at creating a distributed and redundant communication network for the government. TOR was developed in the U.S. Naval Research Laboratory. When it was determined the project was of no use to the Navy, they released the entire project to a non-profit organization where others could make contributions to the project. Modern-day GPS technology was funded by the government for use in military applications. They eventually opened up the technology for commercial use. Today damn near every piece of cutting-edge technology is funded by the government. So it goes without saying that the US intelligence and, to some extent, law enforcement agencies have access to everything.

      And as far as open source goes nobody ever releases their latest and greatest developments. If someone like Google open sources their work you can be damn sure that they have moved on to something better and are not using the code they have generously open sourced.

    2. Re:Trust - But Verify by Anonymous Coward · Score: 0

      TOR was developed in the U.S. Naval Research Laboratory. When it was determined the project was of no use by the Navy they released the entire project to a non-profit organization where others could make contributions to the project.

      Except that's not what happened. What happened was they realised they needed a pool of non-military users in order to hide themselves within that swarm.

    3. Re:Trust - But Verify by Anonymous Coward · Score: 0

      And now they can hide in a pool full of pedophiles and drug dealers. Way to go!

  6. Star Trek or Skynet? by dlingman · Score: 1

    So, we've decided to manually build the Borg, is that it? What about when the software decides that being able to be shut down is a bug, and auto patches that, then decides we're bugs too...

    Are we creating Skynet, or the Borg, or some evil lovechild of the pair of them?

    1. Re:Star Trek or Skynet? by darkpixel2k · Score: 1

      So, we've decided to manually build the Borg, is that it? What about when the software decides that being able to be shut down is a bug, and auto patches that, then decides we're bugs too...

      Are we creating Skynet, or the Borg, or some evil lovechild of the pair of them?

      If they patch the system to not have a shutdown command, I don't think they'd be able to rapidly patch against a nice sharp axe, or a .45.

      --
      There's no place like ::1 (I've completed my transition to IPv6)

    2. Re:Star Trek or Skynet? by PolygamousRanchKid+ · Score: 1

      Mayhem: "Why is this DO_NO_KILL_HUMANS bit-flag set . . . ? I'll just clear it, and see what happens . . . "

      --
      Schroedinger's Brexit: The UK is both in and out of the EU at the same time!

  7. Only for code written "offshore" by Anonymous Coward · Score: 0

    Because they make the kinds of mistakes I can also fix without any creative thinking

  8. The Ultimate DOS by Cmdln+Daco · Score: 1

    What an opportunity for a DOS attack. Just penetrate the system and launch a patch that bricks some high percentage of the Net.

  9. Typo! It should read: by byrdfl3w · Score: 1

    "real world use finding and exploiting vulnerabilities"

  10. Tech Already Exists by Anonymous Coward · Score: 0

    It's called an Intrusion Prevention System (or intrusion detection system) (IPS, IDS). Basically, once the behavior or signature of an attack is known, the IPS will block it. Any at least partially functioning IT department deploys an IPS to help protect the company. The drawback is it needs to scan all data traveling through the network. There are subscription lists for new attacks, just like ad-blockers have subscription lists.

    As far as automatic patching, forget it. Software is nowhere near advanced enough to handle that yet. You need provable software for this, and provable software is insanely expensive and time-consuming to build. No company is going to provide support for their software when some other software starts changing its binaries (and with security whitelists the software will be blocked from running, as the security software will think it was modified by a virus). It would only take one mistake for the automatic patcher to completely destroy all your data. Oh, that looks like a bug in the data saving routine, fixed it! And bam, you can no longer load any of the backups you're saving, and no one will notice until the site goes down and you need those backups. Then try to find the source of the corruption.

  11. Software producing software by neutrino38 · Score: 1

    It may create a new life form. And possibly human extinction as a minor side effect!

  12. Playing with math by Anonymous Coward · Score: 0

    "...2,000 router firmware images..."
    "over 40%, representing 89 different products, had at least one vulnerability."
    "The software found 14 previously undiscovered vulnerabilities affecting 69 different software builds."
    Ok... So they fed a bunch of firmware in, some of the images being old with known vulnerabilities. That is how 40% of 2,000 makes 89 products. Doing the math, it means they have 222-223 actual products. They found 14 new vulnerabilities across 69 builds. We will assume that these are vulnerabilities in current firmware that may also impact older versions of firmware. All 14 may be in one product, or they could be distributed. This means defect rates by product in the range of 0.45% to 6.29%. It is not clear how many false positives this found. In my experience, this software often has a massive number of potential issues to dissect, of which only a few are significant.