Instead of routinely hunting and killing bugs, new research is proposing the addition of a "chaff bug" in programs to make them safer. By making software "buggier," hackers could be baited and therefore overwhelmed by the number of bugs in a system and eventually give up their search, according to a study by researchers Zhenghao Hu, Yu Hu and Brendan Dolan-Gavitt of New York University.
Chaff bugs can be designed as "nonexploitable" when the conditions in how bugs manifest are constrained and controlled, according to the report. Under these conditions, chaff bugs can only crash a system at their worst.
To implement them, developers need to take a program they've written that is closed and go through and add a large quantity of chaff bugs. The bugs are real and intentionally detectable, said Dolan-Gavitt, an assistant professor at NYU, in an interview with CIO Dive.
Computer languages lacking in "memory safety guarantees," like C and C++, often fall victim of programming errors which lead to memory corruption, according to the research. The resulting bugs can be exploited by bad actors.
Exploiting a bug is a manual and usually time-consuming process. The same is true for detecting potential vulnerable bugs. No matter what progress has been made in automated detection, there's no guarantee that every bug can be discovered.
However, keeping in mind the skills and time needed to successfully exploit a bug is essential for security, according to Dolan-Gavitt. It always "helps to have an economic mindset" for cybersecurity. And this is the central focus of the bug research.
The addition of chaff bugs is to essentially deplete the return on investment for the bad actor because coming across one repeatedly "baffles and confuses the enemy," he said.
But Dolan-Gavitt warns that the research is "not something you want try out for yourself today" because there are still "practical issues" that are awaiting resolve. For example, the chaff bugs look artificial and "hackers would know better."
There has been "valid pushback" from the new research, said Dolan-Gavitt, because it's an idea still in its infancy that needs more exploring. Though it's hard to predict a timeline for when the research can be commercialized, even when it comes to fruition, a minefield of fake bugs could still have a negative impact on "honest" security researchers, he said.