Most ethical hackers prefer to lend their services to eliminate potentially harmful bugs. But one team of white hats wants to test the opposite approach to thwarting bad actors – by wasting their time and resources with non-exploitable, intentionally planted bugs.
The “chaff” bugs, as the team calls them – referencing the World War II radar countermeasure in which fighter aircraft would spread thin pieces of aluminum to confuse adversaries – would serve as decoys in a compiled version of a program, researchers Zhenghao Hu, Yu Hu and Brendan Dolan-Gavitt of New York University explain.
The chaff bugs’ special ability is their unexploitable nature, the geeks point out. Cybercriminals may think they’ve hit the jackpot and start working on an exploit, only to later find they’ve burnt the midnight oil in vain.
“By carefully constraining the conditions under which these bugs manifest and the effects they have on the program, we can ensure that chaff bugs are non-exploitable and will only, at worst, crash the program,” the researchers explained.
“Although in some cases bugs that cause crashes constitute denial of service and should therefore be considered exploitable, there are large classes of software for which crashes on malicious inputs do not affect the overall reliability of the service and will never be seen by honest users. Such programs include most microservices (which are designed to gracefully handle the failure of a server by restarting it), server-side conversion utilities, or even web servers such as nginx that maintain a pool of server processes and restart any process that crashes,” the team added.
There are some challenges, though. First, as the trio points out, anyone using this deterrent must be completely sure the chaff bugs aren’t, in fact, exploitable.
Secondly – and this is still a work in progress – the bugs need to look and feel “natural.” In other words, chaff bugs need to be indistinguishable from bugs that haven’t been crafted intentionally.
Finally, the method can’t be used safely with source code – only with programs that have already been compiled.
“Developers are unlikely to be willing to work with source code that has had extra bugs added to it, and more importantly future changes to the code may cause previously non-exploitable bugs to become exploitable,” they said.
Despite the bumpy road ahead, the team is optimistic about their development.
What about you? Do you think chaff bugs are a sound concept, or could this method create more problems than it solves?