Chaff Bugs

Thread Starter

nsaspook

Joined Aug 27, 2009
13,272
https://arxiv.org/pdf/1808.00659.pdf
Abstract—Sophisticated attackers find bugs in software, evaluate their exploitability, and then create and launch exploits for bugs found to be exploitable. Most efforts to secure software attempt either to eliminate bugs or to add mitigations that make exploitation more difficult. In this paper, we introduce a new defensive technique called chaff bugs, which instead target the bug discovery and exploit creation stages of this process. Rather than eliminating bugs, we instead add large numbers of bugs that are provably (but not obviously) non-exploitable. Attackers who attempt to find and exploit bugs in software will, with high probability, find an intentionally placed non-exploitable bug and waste precious resources in trying to build a working exploit. We develop two strategies for ensuring non-exploitability and use them to automatically add thousands of non-exploitable bugs to real-world software such as nginx and libFLAC; we show that the functionality of the software is not harmed and demonstrate that our bugs look exploitable to current triage tools. We believe that chaff bugs can serve as an effective deterrent against both human attackers and automated Cyber Reasoning Systems (CRSes).
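The abstract says chaff bugs are "provably (but not obviously) non-exploitable" but does not spell out how; the following is an added illustration of one way that can be done, written for this thread and not taken from the paper or its tooling. It fixes the memory layout with a struct so that an injected out-of-bounds write can only ever land in a field nothing reads; `record_t`, `chaff_sink`, `load_name` and the sizes are made-up names and values.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Hypothetical chaff bug (constructed example).  Two facts together make
 * the overflow harmless:  (1) the attacker-controlled length is capped at
 * MAX_INPUT, and (2) MAX_INPUT never exceeds the legitimate field plus the
 * unused sink that follows it.  The struct fixes the layout so the proof
 * does not depend on how the compiler arranges the stack.
 */
#define NAME_LEN  16           /* legitimate field                         */
#define SINK_LEN  32           /* bytes that are never read by the program */
#define MAX_INPUT 40           /* over-constraint on the tainted length    */

typedef struct {
    char     name[NAME_LEN];
    char     chaff_sink[SINK_LEN]; /* sole possible victim of the overflow */
    uint32_t sentinel;             /* real data that must stay intact      */
} record_t;

/* Compile-time proof obligation an injector would check before planting. */
_Static_assert(MAX_INPUT <= NAME_LEN + SINK_LEN,
               "chaff overflow could escape the sink");

/* Deliberately "buggy" copy: up to MAX_INPUT bytes into a 16-byte field.
 * Writes stay inside the record_t object, so nothing past chaff_sink can
 * ever be touched.  Returns bytes copied, or -1 if the cap is exceeded. */
int load_name(record_t *r, const char *input, size_t len)
{
    if (len > MAX_INPUT)
        return -1;
    unsigned char *dst = (unsigned char *)r + offsetof(record_t, name);
    memcpy(dst, input, len);   /* spills into chaff_sink when len > NAME_LEN */
    return (int)len;
}

/* Check a triage tool would need to make: did real data survive? */
int sentinel_intact(const record_t *r, uint32_t expected)
{
    return r->sentinel == expected;
}
```

A tool that only sees "tainted length flows into a 16-byte copy" reports this as exploitable; deciding otherwise requires reasoning about the cap and the layout, which is the extra triage cost the abstract is counting on.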

Raymond Genovese

Joined Mar 5, 2016
1,653
I only browsed this and, honestly, it is going to take a serious read for me to decide whether the paper makes sense or sets new standards in ill-advised strategies..."In this paper, we have presented a novel approach to software security that adds rather than removes bugs in order to drown attackers in a sea of enticing-looking but ultimately non-exploitable bugs" Ok, gotchya, let's make software that is really crappy but can't be exploited as easily and also we get to fight back?? Who is the big winner and the big loser with that? Ok, assume they are using the term "bug" liberally - how long would it take automated exploiting schemes to map it out - once?

No matter, because they gave me my new (to me) favorite term...."stack canaries". Is this from the canary in the mine alerting workers by its demise? Excellent! I have to work this into daily conversation somehow.

Thread Starter

nsaspook

Joined Aug 27, 2009
13,272
It's a useful strategy for short term protection from script-kiddies. Countermeasures from professionals will be developed quickly.
I can see it being useful as a version of the old honeypot. Divert the target to a nice juicy system, feed them traceable information and then follow the 'money'. Chaff only works for so long against incoming missiles; it mainly buys you time to target and get the guy who's shooting at you.

WBahn

Joined Mar 31, 2012
30,057
Without reading the paper, this raises a red flag: "...and demonstrate that our bugs look exploitable to current triage tools."

How long will it take the other side to adapt the same strategies that the people generating the chaff bugs use to ensure non-exploitability to improve their exploit tools to not only identify and ignore the chaff bugs, but to also better identify genuine bugs that are non-exploitable coincidentally and ignore them as well, with the net result that this work is a net gain for the other side?

If and when I get a chance to read the paper, I will be most interested in the degree to which the authors consider the likely response of the players they are trying to defeat.

wayneh

Joined Sep 9, 2010
17,498
Good old game theory. Interesting stuff.

One thing I learned in business was how dangerous it was to win. I mean a decisive win that changes the market, not just the day-by-day battles of winning one account here while losing another over there. If you're in a market with just a few competitors, and in my case it was really just one, and you make an advance that puts you decisively ahead of your competition, your competitors aren't going to just go away; they're going to innovate to restore the balance of power. And their research and innovation may leapfrog whatever you've done. So it comes down to: how much can you clobber your competition without triggering a full-blown retaliation?