...it will mean (once they have this created) that they have a nice long list of non-public vulnerabilities to exploit in whatever source code they manage to force out of their suppliers
The US Defense Advanced Research Projects Agency (DARPA) is recruiting members of the hacking community to join its latest Grand Challenge competition: a big-money contest to build software capable of finding and fixing security holes in new code. "We've looked to the expert community, the computer security community, and the …
Static code checkers like FindBugs and PMD are great for Java code checking, and the built-in NetBeans code quality checks keep getting better.
C is so very dated now, has no built-in dynamic typing or bounds checking, has naked pointers, and there is no standard debug linkage to source code in compiled code, so it will be very ambiguous to check for issues. I suspect that a proper checker will have to do the equivalent of the combined source and compiled binary checking like FindBugs, and use a specific CPU emulator to recursively step through C code paths, compiled to machine code, to do a proper job, especially since many bugs will be compiler, CPU, platform library, and platform hardware dependent.
One problem with a lot of code checks is knowing which rules should sensibly apply to each section of code; this problem is solved for Java with checker configuration and code annotations, to selectively disable warnings for contextually sensible breaking of code checker rules.
So this automated thingy found 1/3 of the bugs in Windows 7, eh?
Now does that mean a) humans found the other 2/3, or b) it is projected that 2/3 of all bugs are not yet found?
I think it's a), but I cannot actually prove it's a).
What people will do to save investing in proper programmer training.
Autofix is analyzing all available code...
Found 1 error(s) in program "Autofix".
ERROR: Buffer overrun.
Attempting to fix...
Cannot alter program "Autofix".
Found 2 error(s) in program "Autofix".
ERROR: Buffer overrun.
ERROR: Cannot self-modify.
Attempting to fix... .... Old Handle Posted Saturday 7th December 2013 00:24 GMT
Nice one, Old Handle. That's the Name of the Great IntelAIgent Game, Global SCADA Systems Capture. :-)
And one which any system which thinks IT be running things, would purchase with QE billions to ensure* that leading star players win everything for established legacy command and control teams/existing systems admin.
Of course, to try and ensure and encourage such a positive supporting disposition towards what may be far too antiquated systems for future great which be targets for export and exploits that ameliorate and/or exaggerate abuse and misuse, will obviously require necessarily vital acceptance of mutually beneficial fundamental change to current key driver protocols.
Would DARPA be geared to handle that upgrade or would it be a Big Brother drone and/or DOD Pentagon clone one would be dealing with and sharing Cracker C Code?
And we haven't even started to mention the interest which might be garnered and delivered for glorious bounty to the East.
That last paragraph and sentence should read .......And we haven't even started to mention the interest which might be garnered and delivered for glorious bounty to the East, both Near, Middle and Far, Exotic and Erotic and Erratic.
And here be Blighty's challenge clone program ...... https://cybersecuritychallenge.org.uk
Sadly this competition will attract only those hackers or programmers thirsting for fame and money, but the 'best' hackers or programmers will never participate in such a game where their anonymity would be exposed simply by entering. Uh... says DARPA, reveal yourself to us... and we will let you 'playoff' against others of your kind. Sounds to me like only a stupid groundhog would stick its head out of the ground when it hears hunters walking around looking and ready to shoot at the first head that pops up.
Simply think of it this way: the most famous hackers in the world are THE ONES THAT WERE CAUGHT. You could almost say that the ones that were caught are the world's 'stupidest' hackers. Is Kevin Mitnick a poster boy for a smart hacker, or a stupid one that got caught and found a way to capitalize on his fame to make money? The irony of a stupid hacker teaching the world how to fend off phishers and computer con artists leaves me always wondering how the 'stupid' hacker (the one that got caught) can teach corporations how to fend off 'smart' hackers (the ones that have not been caught).
The 'best' hackers and programmers in the world are the ones who silently and anonymously slave away at their computers wreaking havoc on the world or who simply enjoy doing what they do for fun. You don't hear the names of these 'world class smart hackers' mentioned on 'hacker forums' or even in the security intelligence world... because those blackhats have never revealed themselves to play 'capture the flag' type games or give away their privacy and anonymity.
So DARPA will attract the usual group of DWEEBS seeking their fifteen seconds of fame, the hope of a job offer or the cash prize, at the cost of bringing their talents to the attention of the law enforcement agencies and having their particulars added to a 'usual suspect list', that will eventually come back to haunt them someday - when they least expect it.
With respect to automating the process of code / programming inspection... let me just conclude with the one truth that I have known and acknowledged over my thirty years in this 'game': anything coded by man can be uncoded and exploited by another man.
A pre-programmed robo-code checker will never have the learned intuition and adaptability that a human code/program exploiter has. At best, it will have the level of effectiveness demonstrated by most anti-virus/malware detection software programs, which, as history has shown, always lag one step or two behind the blackhat creators of those types of malware.
So really.... what is DARPA really investing their $2million bucks on ?
DARPA doesn't seek to enlighten the world or make computing safer. They may have done many years ago, but those times are long gone, particularly since 9/11.
There is no way you can win as a hacker. You can only temporarily fool yourself into believing that attacking foreign computing systems is somehow a good thing; then you will realize you have made terrible mistakes. However, unlike a normal job, you cannot quit easily.
If DARPA wanted to improve the world, they would start projects to build type-safe computers and computer-assisted code proving systems where you need to prove your code does the right thing. Defence would be so much more beneficial to society, but that doesn't seem to be the target DARPA is heading for. All they want is new toys for people in funny clothes to play with.
So really.... what is DARPA really investing their $2million bucks on ? ....Anonymous Coward Posted Sunday 8th December 2013 09:43 GMT
Well, that's a no-brainer, AC. Peanuts are for monkeys.
And take an upvote for a deservedly good and accurate post. Bravo. Spoken like a true patriot.
Would you like to work for an increasingly crooked system with collapsing incompetent admins?
"the 'best' hackers or programmers will never participate in such a game"
I can't work out whether you are getting hackers and crackers mixed up or if you are assuming either that all "hackers" are blackhats or that blackhats are by definition better than whitehats.
There is already a programming language built for security, which has existed since the 80's. SPARK is a language built on top of Ada, an already secure language, with a mathematically sound proving mechanism and other security features added.
Here is some sample code:
procedure Sample(x, y : in out float)
--# derives x from y &
--#         y from x;
is
   t : float;  -- temporary needed so the flow matches the derives annotation
begin
   t := x; x := y; y := t;
end Sample;
This is why I agree with Anon. on DARPA's intentions. If they are able to complete this project they will be able to find errors in code, even if minor, and use them to their advantage for a relatively minor cost, which sounds pretty good considering how they now have to go to the open market.
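The sample above uses the older SPARK "--#" annotation syntax. As an added illustration (not the poster's code and not from the article), here is the same information-flow contract in SPARK 2014 aspect syntax, together with a bounded array read that the prover must show is in range, the kind of check the C comment earlier in the thread says C cannot give you. The package name Flow_Demo and the subprogram names Swap and Get are assumed for the example.

```ada
-- Added example, not from the thread. Illustrative names: Flow_Demo, Swap, Get.
package Flow_Demo with SPARK_Mode is

   -- Information-flow contract: the new X depends only on the old Y and the
   -- new Y only on the old X. GNATprove's flow analysis rejects a body whose
   -- actual dependencies differ (e.g. dropping the temporary so X leaks into Y).
   -- The postcondition is the functional contract the prover must discharge.
   procedure Swap (X, Y : in out Float)
     with Depends => (X => Y, Y => X),
          Post    => X = Y'Old and Y = X'Old;

   subtype Index is Positive range 1 .. 16;
   type Buffer is array (Index) of Integer;

   -- The precondition is what lets the prover discharge the index check in the
   -- body. Remove it and GNATprove reports a possible range check failure at the
   -- read, which is exactly the out-of-bounds access C would compile silently.
   function Get (B : Buffer; I : Positive) return Integer
     with Pre => I in Index;

end Flow_Demo;

package body Flow_Demo with SPARK_Mode is

   procedure Swap (X, Y : in out Float) is
      T : constant Float := X;  -- temporary keeps the flow X <- Y, Y <- X
   begin
      X := Y;
      Y := T;
   end Swap;

   function Get (B : Buffer; I : Positive) return Integer is
   begin
      return B (I);  -- index check proved from the precondition, not at run time
   end Get;

end Flow_Demo;
```

Ada compilers expect one compilation unit per file, so the spec goes in flow_demo.ads and the body in flow_demo.adb; running GNATprove over the project containing them checks the Depends contract by flow analysis and discharges the postcondition and the index check by proof.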