Why adding bugs to software can make it safer

MIT Technology Review, August 17, 2018
Researchers at New York University introduced a new defensive technique called chaff bugs. Rather than eliminating bugs, they add large numbers of bugs that are provably (but not obviously) non-exploitable. Attackers who attempt to find and exploit bugs in the software will, with high probability, find an intentionally placed non-exploitable bug and waste precious resources trying to build a working exploit. The researchers developed two strategies for ensuring non-exploitability and used them to automatically add thousands of non-exploitable bugs to real-world software such as nginx and libFLAC; they showed that the functionality of the software is not harmed and demonstrated that their bugs look exploitable to current triage tools. They believe that chaff bugs can serve as an effective deterrent against both human attackers and automated Cyber Reasoning Systems (CRSes)…
