Slashdot Mirror


Cramming Software With Thousands of Fake Bugs Could Make It More Secure, Researchers Say (vice.com)

It sounds like a joke, but the idea actually makes sense: more bugs, not fewer, could theoretically make a system safer. From a report: Carefully scatter non-exploitable decoy bugs in software, and attackers will waste time and resources on trying to exploit them. The hope is that attackers will get bored, overwhelmed, or run out of time and patience before finding an actual vulnerability. Computer science researchers at NYU suggested this strategy in a study published August 2, and call these fake vulnerabilities "chaff bugs." Brendan Dolan-Gavitt, assistant professor at NYU Tandon and one of the researchers on this study, told me in an email that they've been working on techniques to automatically put bugs into programs for the past few years as a way to test and evaluate different bug-finding systems. Once they had a way to fill a program with bugs, they started to wonder what else they could do with it. "I also have a lot of friends who write exploits for a living, so I know how much work there is in between finding a bug and coming up with a reliable exploit -- and it occurred to me that this was something we might be able to take advantage of," he said. "People who can write exploits are rare, and their time is expensive, so if you can figure out how to waste it you can potentially have a great deterrent effect." Brendan has previously suggested that adding bugs to experimental software code could help with ultimately winding up with programs that have fewer vulnerabilities.

3 of 179 comments

  1. Few "Exploits" not "Vulnerabilities" by DalM · Score: 4, Informative

    "Brendan has previously suggested that adding bugs to experimental software code could help with ultimately winding up with programs that have fewer vulnerabilities."

    This is not correct. His theory seems to be that you will get fewer exploits. The number of vulnerabilities will remain constant.

  2. Re:Are you serious? by jellomizer · Score: 4, Informative

    This idea is like the Honey Pot idea for network protection.

    This was popular 20 years ago, when most hacking was targeted at a network, by individuals. You get a system to simulate an insecure PC, have the hackers break in thinking they are getting away with murder, while it collects information on who is hacking it and how, and use that information to protect your real network.

    Hacking rarely works like that now. Either it is fully automated so a honey pot server would just be a statistical issue while the other servers are getting hit, or if it is more targeted it will often go in via stupid users on the inside of the firewall.

    Most security glitches are not bugs in the traditional sense; for the most part, buffer overflows have been fixed. They come from lazy software development, from developers not thinking about security at the time.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.

  3. Re:Are you serious? by bluefoxlucid · Score: 4, Informative

    Honeypots alert you to activity. A network scan hits them. There is nothing useful on this web server, yet someone tried to browse it. Someone tried to connect to the server's file share. You're able to identify malicious traffic and hosts.

    Software bugs don't tell people anything. You put it on a non-networked machine, you probe at it, you take it apart, you crash it, you tell no one.
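The alerting property the comment contrasts with chaff bugs, as an added example written for this page (it is not code from the thread, the NYU study, or any honeypot project): a detector reads connection-log lines, treats any contact with a decoy host as an alert because the decoy serves nothing legitimate, and ranks sources by how many decoy endpoints they touched. The log line format, the decoy addresses, and the sample lines are all constructed assumptions for this example.

```python
"""Honeypot-style alerting over constructed connection-log lines (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed for this example: addresses that host nothing real, so any
# contact with them is worth an alert. Real traffic never has a reason to go here.
DECOY_HOSTS = {"10.0.0.50", "10.0.0.51"}

# Constructed sample connection log; the format is an assumption for this example:
# "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.7 -> 10.0.0.10:443 tcp
2024-05-01T10:00:02Z 192.168.1.23 -> 10.0.0.50:80 tcp
2024-05-01T10:00:02Z 192.168.1.23 -> 10.0.0.51:445 tcp
2024-05-01T10:00:03Z 10.0.0.7 -> 10.0.0.10:443 tcp
2024-05-01T10:00:05Z 172.16.4.9 -> 10.0.0.50:22 tcp
2024-05-01T10:00:06Z 192.168.1.23 -> 10.0.0.50:80 tcp
this line is malformed and must be skipped rather than crash the parser
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+):(\d{1,5})\s+(\w+)$")


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, port, proto); None if invalid."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto = m.groups()
    try:
        # Reject anything that is not a syntactically valid IP address.
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
    except ValueError:
        return None
    port = int(port)
    if not 0 < port < 65536:
        return None
    return ts, src, dst, port, proto


def find_decoy_contacts(log_text, decoys=DECOY_HOSTS):
    """Map each source that touched a decoy to the sorted list of (decoy, port) it hit.

    Traffic to real services is ignored entirely: the signal is contact with a
    host that has no legitimate reason to be contacted, which is why a single
    probe is enough to flag a source.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed input is dropped, not allowed to raise
        _, src, dst, port, _ = rec
        if dst in decoys:
            hits[src].add((dst, port))
    return {src: sorted(targets) for src, targets in hits.items()}


def rank_alerts(contacts):
    """Order flagged sources by distinct decoy endpoints touched, most first (ties by address)."""
    return sorted(((src, len(targets)) for src, targets in contacts.items()),
                  key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    for src, count in rank_alerts(find_decoy_contacts(SAMPLE_LOG)):
        print(f"ALERT {src}: touched {count} decoy endpoint(s)")
```

Running it on the constructed log flags 192.168.1.23 (two decoy endpoints, a scan-like pattern) and 172.16.4.9 (one), while the host talking to the real service on 10.0.0.10 is never mentioned. The point the comment makes is visible in what the detector needs: a network event that reaches the defender's logs. A chaff bug probed on an offline copy of the binary produces no such event, so it can cost an attacker time but cannot feed a detector like this one.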