DARPA slaps $2m on the bar for the ULTIMATE security bug SLAYER

It's a bad day for the vulnerability scanning industry: DARPA has announced a new multi-million-dollar competition to build a system that will be able to automatically analyze code, find its weak spots, and patch them against attack. Mike Walker, DARPA program manager, said that the challenge was to start a "revolution for …

COMMENTS

This topic is closed for new posts.
Bronze badge

Ambitious, much?

"... automatically analyze code, find its weak spots, and patch them against attack."

Once upon a time, there was only lint. And it wasn't used. And then there came many other tools, and they weren't used, either. There came methodologies, and they weren't used. There came new languages, and they weren't used.

And DARPA wants a tool to protect fools against themselves???

Maybe they should have worded this, "Tool to protect tools from tools."

14
0
Silver badge

Re: Ambitious, much?

Agreed. The problem isn't a lack of tools and methodologies - while there's plenty of room for improvement in both areas, the vast majority of software developers aren't making significant use of either. The problem is practice, and the lack of incentives to improve it. For most developers security vulnerabilities, and poor code quality in general, are externalities: they don't get penalized for them, and they don't get rewarded for preventing them.

That's not to say that we couldn't stand some tweaks in the available tools to make them easier to use. I've been on the splint mailing list for several years, and new adopters keep running into the same problems. If it were part of the typical toolchain for C developers, a lot of those would have been ironed out by now.

1
0
Silver badge

hmm

Bets that the top 3 entries or so will suddenly disappear from the marketplace after the competition. The US government can make offers you can't refuse. Being able to print your own money has its advantages.

1
2
Anonymous Coward

Re: hmm

"The US government can make offers you can't refuse. Being able to print your own money has its advantages."

Actually, the US government does not print the money anymore. The central banks circle jerk it into existence by lending non-existent money to each other and calling it money creation.

0
0
Silver badge

hmm

Also, didn't Turing prove long ago that it's not possible for one program to discover all flaws in every other program, by logic similar to the halting problem? Still, catching the obvious ones is a good start, especially with all the outsourcing going on.

3
0
Silver badge

Re: hmm

This link explains why software can never be truly fully tested, which is the same for testing software or people.

http://badsoftware.com/imposs.htm

1
0
Silver badge

Re: hmm

You can prove pretty trivially that verifying all code paths for a given program and arbitrary input, in general, is isomorphic to the Halting Problem.

Note, though, that the HP properly only applies to machines with infinite storage, and no physically-realizable computer has infinite storage. Any possible real computer can be reduced to a deterministic finite state machine, and modeled completely by another computer with exponentially more (but still finite) storage. For real computers, what the HP really says is general program analysis is asymptotically infeasible, because eventually the only way you'll be able to analyze some inputs would require more storage than you have physical reasons for. (Basically, the HP says "if you treat your input as a TM, some inputs will not be computable"; the alternative is treating your input as the less-powerful machine it really is, and then some inputs will be too large.)

1
0
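The point made in the last two replies (the Halting Problem needs unbounded storage; a finite machine can in principle be checked by enumerating its states, at a cost that grows exponentially) can be shown concretely. The following is an added example, not code from the thread or from DARPA's programme: a toy machine with two 8-bit registers and a four-cell memory, a hypothetical instruction set, and a "weak spot" (a STORE through an index register that has run off the end of memory), all constructed for illustration. Because the registers are finite, every input can be tried and every run either halts, faults or repeats a state, so the analysis itself always terminates.

```python
"""Exhaustive analysis of a bounded-register toy machine.

Added example (not from the thread). The toy ISA, its programs and the
"weak spot" (a STORE through an index register past the end of memory)
are constructed for illustration only.
"""

WORD = 256      # registers are 8 bits wide and wrap around
MEM_SIZE = 4    # only addresses 0..3 exist (a power of two, so AND can mask)

# Hypothetical instruction set (tuples):
#   ("INC", r)          r = (r + 1) % WORD
#   ("DEC", r)          r = (r - 1) % WORD
#   ("AND", r, mask)    r = r & mask
#   ("JNZ", r, target)  if r != 0: pc = target
#   ("STORE", r)        write memory[r]; out of bounds if r >= MEM_SIZE
#   ("HALT",)


def run(program, r0_in, r1_in=0):
    """Execute from one concrete input word in r0.

    Returns "halt", "oob" (an out-of-bounds STORE was executed) or "loop".
    A run is reported as "loop" when a (pc, r0, r1) state repeats: the
    machine is deterministic and finite, so a repeated state means the run
    never terminates. That is also why this check itself always terminates.
    """
    pc, regs = 0, [r0_in, r1_in]
    seen = set()
    while True:
        state = (pc, regs[0], regs[1])
        if state in seen:
            return "loop"
        seen.add(state)
        if pc >= len(program):
            return "halt"                       # fell off the end
        op = program[pc]
        next_pc = pc + 1
        if op[0] == "HALT":
            return "halt"
        elif op[0] == "INC":
            regs[op[1]] = (regs[op[1]] + 1) % WORD
        elif op[0] == "DEC":
            regs[op[1]] = (regs[op[1]] - 1) % WORD
        elif op[0] == "AND":
            regs[op[1]] &= op[2]
        elif op[0] == "STORE":
            if regs[op[1]] >= MEM_SIZE:
                return "oob"
        elif op[0] == "JNZ":
            if regs[op[1]] != 0:
                next_pc = op[2]
        else:
            raise ValueError("unknown instruction %r" % (op,))
        pc = next_pc


def analyze(program):
    """Try every possible input word: 256 values, so the loop is finite.

    Returns a dict mapping each outcome to the sorted list of inputs that
    produce it. The same code works for a wider machine in principle, but
    the input and state spaces grow exponentially with the word size.
    """
    report = {"halt": [], "oob": [], "loop": []}
    for r0_in in range(WORD):
        report[run(program, r0_in)].append(r0_in)
    return report


# Writes r0 cells starting at memory[0]; with r0 > MEM_SIZE the index runs off the end.
VULN_PROG = [
    ("JNZ", 0, 2),   # 0: nothing to do if r0 == 0
    ("HALT",),       # 1
    ("STORE", 1),    # 2: memory[r1] = ...
    ("INC", 1),      # 3: r1 += 1
    ("DEC", 0),      # 4: r0 -= 1
    ("JNZ", 0, 2),   # 5: loop while r0 != 0
    ("HALT",),       # 6
]

# Same program with the index masked before every store: an automatic "patch".
PATCHED_PROG = [
    ("JNZ", 0, 2),
    ("HALT",),
    ("AND", 1, MEM_SIZE - 1),   # 2: keep r1 inside 0..3
    ("STORE", 1),
    ("INC", 1),
    ("DEC", 0),
    ("JNZ", 0, 2),
    ("HALT",),
]

# Never terminates for any input: r0 wraps to zero, falls through, and jumps back.
LOOP_PROG = [
    ("INC", 0),
    ("JNZ", 0, 0),
    ("INC", 0),
    ("JNZ", 0, 0),
]

if __name__ == "__main__":
    for name, prog in (("vulnerable", VULN_PROG), ("patched", PATCHED_PROG), ("looping", LOOP_PROG)):
        r = analyze(prog)
        print(name, {k: len(v) for k, v in r.items()}, "first faulting input:", r["oob"][:1])
```

Running it reports that the vulnerable program faults for every input of 5 or more, the masked version never faults, and the third program loops for all 256 inputs. The state-space size (program length times 256 times 256 here) is the budget that the analysis must afford; widen the registers or add memory to the tracked state and that budget is what runs out first, which is the practical form of the argument above.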
Silver badge

And then...

When the new system is up and running, somebody finds and exploits a weakness in it, and pwns the World!

4
0
Silver badge
Joke

Re: And then...

>and pwns the World!

And then the world will suddenly be inundated by flying penises 4 teh lulz.

3
0

Darpa the undisclosed truth

DARPA: is that a dyslexic, misspelled anagram for NSA?

And the non-disclosure agreement that you sign up to before you can participate.

0
2
Terminator

Skynet

"... automatically analyze code, find its weak spots, and patch them against attack."

If it's your own code.

If it's the others, then attack.

So it begins.

Puny humans.

7
0
Silver badge
Devil

A vuln scanner that autopatches vulnerabilities it locates?

Your next IT department meeting is going to go like this....

"And at midnight, the new autoscanner went live. Working just fine so far."

(Huffing and puffing) "Whew! Sorry I'm late! We're so buried at the help desk that even I am taking calls. Started at about midnight. Applications are going down all over the company. I just got an earful from Finance about SAP being down while we're trying to close the quarter."

5
0

That's not a bug, it's a feature

Other than really stupid flaws which can be detected automatically with tools like lint, if anyone chooses to run them, you can't do this automatically. How can you tell if it's a bug or expected operation? I can see these tools closing holes, and breaking as much functionality, and it taking just as long for a human to create the original intended result.

1
0
Bronze badge
Coffee/keyboard

DARPA and security - an oxymoron

Stupid gubbamint:

Left to their own devices, they won't come up with anything better than Secunia PSI, Ninite, or even File Hippo update checker - but they will damn well waste taxpayers money on it - to FAIL!

0
1
Gold badge
Unhappy

The Programmers Apprentice reborn!

Note that DARPA is the almost impossible mission force.

But when you think about it this does seem a good question. Why can't you use software to help fix your problems with software?

But as people have pointed out, how many of these problems could have been avoided if existing tools were used at the right time in the development process?

0
0
Holmes

"DARPA has announced a new multi-million-dollar competition to build a system that will be able to automatically analyze code, find its weak spots, and patch them against attack."

So they'll be out scanning any OS they can find and pass on the information of weaknesses found to the NSA who can exploit all those machines not patched!

3
0
Bronze badge
Childcatcher

What's Good for the Goose...

So they'll be out scanning any OS they can find and pass on the information of weaknesses found to the NSA who can exploit all those machines not patched!

Actually, this is exactly the sort of thing that the NSA does not want out in the public eye. If this can be made to work, it will make it to market, which in turn will make the NSA's (and similar groups around the world) job that much more difficult. If this was something the NSA was going to back, you would not be reading about short of a Snowden clone releasing the news into the wild.

0
0

My Entry

The ED209 vulnerability management model:

I'll just turn it on...

"A vulnerability has been detected on this system. You have 10 seconds to comply"

"Vulnerability is still active on this system. You have 5 seconds to comply"

"Patching process active..."

Rapid burst of Machine gun fire.

"Patching complete, System vulnerability neutralized"

Well the system is now protected against attack, they didn't specify if it had to be usable again!!

3
0

Wow, you guys are pessimistic. Have you seen the amazing things DARPA have been coming up with? I remember the know-it-alls commenting that a car will never be able to drive itself when DARPA kicked off that challenge, and now we're looking at ALL cars one day driving by themselves.

It's research, they are trying out ideas, moving forward. It's technology, get it?

2
2
Rol
Bronze badge

Statement of intention

If programs had to declare their interactions with the system in much the same way they declare variables, then I can see a solution unfolding.

It isn't about catching errors, it is about catching code that goes poking around outside its remit, e.g. a video converter that wants access to your email addresses. If the video converter had specified that action in its declarations the user could easily see this and question why. Attempting it without making that declaration, the program will be stopped in its tracks and flagged as seriously suspect.

So basically all programs run in a self-defined sandbox.

As for buffer busting code and the like, well, that is just down to an incompetent OS and really should be fixed by now, that is, if the NSA has tired of this approach.

1
1
Bronze badge

Re: Statement of intention

Um, no, that's not it at all.

Once upon a time, like about 18 years ago, I was hired to do "software maintenance" on a product. Well, what I received was a .zip file 20Mb in size, and that was it. The product was a gateway router, running in the background on MS-DOS. 2/3 of the code was C, and 1/3 was assembly. The compiler vendor was out of business, the software had been hacked on for a decade, there were over 100 unique compilation flags (#ifdef, for memory models, code that wasn't used, and on and on), a terrible number of global variables, structures that were accessed from anywhere in the code, and the mess was absolutely not portable to either Borland or Microsoft. The source code control database was missing, and evidently the programmers weren't using it anyways because the product was compiled from many similar directories depending on what they were kind of trying to do.

I had to get everything compiling again, and fix bugs in it. And yes, I fixed every bug I could reproduce.

So when DARPA wants a tool that can handle a mess like this, I say, "Go for it, fools!"

The closest that I've seen has been from Microsoft, with the Pex tool. The tool can follow a C# program's path, map it out, and generate tests. However, it's easy to write code that Pex can't map, and so the tool becomes useless.

Here's another couple of tools from Microsoft: Stylecop and FXcop. Stylecop works on the source code, and fxcop works on the compiled code. How often are these avoided? All the time.

The problem is not the lack of tools or methodologies, it's the lack of will to write good code. Java was supposed to be a write-once-run-anywhere solution, and provide a marvelous bulwark against malicious and heinous activities by miscreants. Now, how many times has Java and .NET been patched for security holes? Does using either result in inherently secure programs? Sorry, no, try again.

4
0
Rol
Bronze badge

Re: Statement of intention

Um well, you managed to make my case a little stronger.

If what DARPA is asking for is impossible, then we need to attack this from another angle.

Stopping bad code from crashing a system is just one facet and while important isn't really a threat when compared to the antics of malicious code, which rarely announces itself by downing a system, but rather lingers around slurping data or even corrupting it.

If, as I suggested, we implement declarations for all system actions a program wishes to undertake, then we can at least audit those declarations and trap errant code when it tries to overstep its boundaries.

eg a "free" registry cleaner, that promises to report on all the faults should declare a read only operation on the hard drive and therefore be prevented from creating problems to force the user to buy the unfree upgrade necessary to make the repairs.

It is simple, implementable and with the ever complex environments our systems are open to, a must, if we are ever going to trust these things to do as they promised.

1
0
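The "statement of intention" idea from Rol's two posts above (a program declares every system interaction it intends to make; a monitor stops and flags any attempt outside the declaration; the user can read the declarations and question odd ones) can be sketched in code. The following is an added example, not code from the thread or from any real sandboxing product: the operation names, the manifests, the stand-in "video converter" and "registry cleaner" programs, and the monitor are all constructed for illustration. Programs here call the monitor instead of the system; in a real design the monitor would sit at the syscall or API boundary where the program cannot bypass it.

```python
"""Declared-interactions sandbox ("statement of intention").

Added example, not from the thread. Everything here is constructed for
illustration: the operation names, the manifests, the stand-in programs and
the monitor that mediates their requests.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatch


class Violation(PermissionError):
    """Raised when a program attempts an interaction it never declared."""


@dataclass
class Manifest:
    name: str
    # operation -> resource patterns it may touch, e.g. {"fs.read": ["/home/*/Videos/*"]}
    declared: dict

    def describe(self):
        """Human-readable list shown to the user before the program runs, so an
        odd declaration (a video converter wanting contacts) can be questioned."""
        return ["%s: %s on %s" % (self.name, op, ", ".join(pats))
                for op, pats in sorted(self.declared.items())]


@dataclass
class Monitor:
    """Mediates every interaction; the program never touches the system directly."""
    manifest: Manifest
    audit: list = field(default_factory=list)

    def request(self, op, resource):
        allowed = any(fnmatch(resource, pat)
                      for pat in self.manifest.declared.get(op, []))
        self.audit.append((op, resource, "ALLOW" if allowed else "DENY"))
        if not allowed:
            # Undeclared interaction: stop the program and leave a flagged audit entry.
            raise Violation("%s attempted undeclared %s on %s"
                            % (self.manifest.name, op, resource))
        return True


def run_sandboxed(program, manifest):
    """Run `program(monitor)` under its manifest; stop it at the first violation."""
    monitor = Monitor(manifest)
    try:
        program(monitor)
        return {"completed": True, "violation": None, "audit": monitor.audit}
    except Violation as exc:
        return {"completed": False, "violation": str(exc), "audit": monitor.audit}


# --- constructed programs and manifests ---------------------------------------

CONVERTER_MANIFEST = Manifest("video-converter", {
    "fs.read":  ["/home/*/Videos/*"],
    "fs.write": ["/home/*/Videos/*"],
})


def honest_converter(m):
    m.request("fs.read", "/home/alice/Videos/holiday.avi")
    m.request("fs.write", "/home/alice/Videos/holiday.mp4")


def sneaky_converter(m):
    m.request("fs.read", "/home/alice/Videos/holiday.avi")
    m.request("fs.write", "/home/alice/Videos/holiday.mp4")
    m.request("contacts.read", "/home/alice/.addressbook")   # never declared


# The "free" registry cleaner declares read-only access, so it cannot create
# the faults it then offers to repair for a fee.
CLEANER_MANIFEST = Manifest("registry-cleaner", {"registry.read": ["*"]})


def registry_cleaner(m):
    m.request("registry.read", r"HKLM\Software\Example")
    m.request("registry.write", r"HKLM\Software\Example\Broken")  # read-only was promised


if __name__ == "__main__":
    print("\n".join(CONVERTER_MANIFEST.describe()))
    for prog, manifest in ((honest_converter, CONVERTER_MANIFEST),
                           (sneaky_converter, CONVERTER_MANIFEST),
                           (registry_cleaner, CLEANER_MANIFEST)):
        result = run_sandboxed(prog, manifest)
        print(prog.__name__, "completed" if result["completed"]
              else "STOPPED: " + result["violation"])
```

The honest converter runs to completion; the sneaky one is stopped at its third request with an audit trail of two allows and one deny; the cleaner is stopped the moment it tries to write. What the scheme does not cover is worth noting too: it only constrains interactions that pass through the monitor, so a memory-safety bug in the program itself (the "buffer busting" the first post hands off to the OS) is a separate problem from the one this declaration mechanism addresses.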
Silver badge
Joke

Pretty easy if you ask me...

Analyze code: Boot up system

Find defects: Is it Microsoft Windows

Fix defects: Remove Windows, Install Linux.

Do I get the reward?

1
0

This is a NO approach.

There is nothing that goes far beyond the human mind, and henceforth, people don't see how cannot defeat the human mechanism of understanding how a web application or a network firewall works. It's been in the diary of hackers, who review code in their own creative approach which also involves not only detecting flaws in the source code but also generating or creating a relative payload to exploit or test a POC.

- Coded32

0
0
Gold badge
Terminator

Clearly an advanced goal.

It would seem that the system must be capable of Binary Object Recognition and (possible) Generation as well.

Is resistance futile?

I think not.

0
0