Chaff Bugs: Deterring Attackers by Making Software Buggier

08/02/2018
by Zhenghao Hu, et al.

Sophisticated attackers find bugs in software, evaluate their exploitability, and then create and launch exploits for bugs found to be exploitable. Most efforts to secure software attempt either to eliminate bugs or to add mitigations that make exploitation more difficult. In this paper, we introduce a new defensive technique called chaff bugs, which instead target the bug discovery and exploit creation stages of this process. Rather than eliminating bugs, we instead add large numbers of bugs that are provably (but not obviously) non-exploitable. Attackers who attempt to find and exploit bugs in software will, with high probability, find an intentionally placed non-exploitable bug and waste precious resources in trying to build a working exploit. We develop two strategies for ensuring non-exploitability and use them to automatically add thousands of non-exploitable bugs to real-world software such as nginx and libFLAC; we show that the functionality of the software is not harmed and demonstrate that our bugs look exploitable to current triage tools. We believe that chaff bugs can serve as an effective deterrent against both human attackers and automated Cyber Reasoning Systems (CRSes).


