Camouflage and distraction have long been hallmarks of warfare, and it’s no different when it comes to the cyber-front. A group of researchers from New York University are taking the idea further than it’s gone before with the idea of introducing decoy bugs into code – ultimately non-exploitable vulnerabilities that can attract attacker interest and waste their time, thus eating up their resources.
It’s a shiny-object approach, meant to “drown attackers in a sea of enticing-looking but ultimately non-exploitable bugs,” according to the paper the team released last week. “Rather than eliminating bugs, we instead add large numbers of bugs that are probably (but not obviously) non-exploitable.”
When they stumble across these “chaff bugs,” as the researchers dubbed them (a nod to using strips of aluminum foil on aircraft to baffle enemy radar), the idea is that the bad actors will spin their wheels, attempting to develop a working exploit.
Of course, for the approach to be feasible, the bugs have to look promising without actually providing a path to harming the system. Secondly, there should be a way to add these kinds of false flags in an automated fashion – the only way to enable the approach at scale.
To that end, the academics developed strategies for both ensuring non-exploitability and automating the addition of thousands of non-exploitable bugs to real-world software, such as nginx and libFLAC.
To automatically add large numbers of bugs to software, the researchers leveraged a previously developed white-hat system called LAVA, which can be used for automatically adding potentially exploitable memory safety errors into C/C++ programs in order to test bug-finding tools. The researchers repurposed it to test their idea.
LAVA crawls software code to see where adding bugs would be feasible. To do that, it examines a set of input files to a given software program, performing dynamic taint analysis to determine how each byte of the input file is used in the program, the report explained.
“It looks for points in the program where the input is dead (not used to decide any branches up to that point in the program), uncomplicated (not transformed) and available in some program variable. These variables, which are called DUAs, represent attacker-controlled inputs that can be used to later trigger memory corruption in the program. When a DUA is encountered, its value is copied to a global variable so that it can later be retrieved at the point where the memory corruption is triggered.”
For their purposes, the NYU team created new attack points for LAVA that cause controlled stack and heap overflows at arbitrary points in a given program. At the attack point, a trigger condition is also checked before the DUA is allowed to corrupt memory; this ensures that the bug is triggered under controlled conditions.
“By carefully constraining the conditions under which these bugs manifest and the effects they have on the program, we can ensure that chaff bugs are non-exploitable and will only, at worst, crash the program,” the researchers noted. “There are large classes of software for which crashes on malicious inputs do not affect the overall reliability of the service and will never be seen by honest users.”
These include most microservices (which are designed to gracefully handle the failure of a server by restarting it), server-side conversion utilities or web servers, such as nginx, that maintain a pool of server processes and restart any process that crashes, the report explained.
The researchers then implemented two types of non-exploitable bugs: Bugs overwriting unused data; and bugs overwriting sensitive data but over-constrained to non-exploitable values.
“We implement the unused data overwrite bugs as a stack overflow, overwriting an unused local variable, and implement both stack- and heap-based overflows with the over-constrained value strategy,” the researchers said.
While the work is certainly promising, the researchers did admit that there’s a long road ahead before the technique is ready for commercial use. For one, they focused mainly on the non-exploitability aspect of the research, and less on camouflaging the vulns to seem legitimate.
“[We have] not yet attempted to make our bugs indistinguishable from real bugs,” they noted. “This means that they currently contain many artifacts that attackers could use to identify and ignore them. In future, work, we hope to investigate techniques for making our bugs blend in with the surrounding code, and change their triggering conditions to something more natural than the current test against a magic value.”
Also, the diversity of bugs injected by the prototype was narrow at best, which means that an attacker could simply look for known chaff bug patterns in order to identify the decoys.
Nonetheless, initial results are promising, and the team plans to continue development.
“Our prototype, which is already capable of creating several kinds of non-exploitable bug and injecting them in the thousands into large, real-world software [packages], represents a new type of deceptive defense that wastes skilled attackers’ most valuable resource: time,” the team concluded. “We believe that with further research, chaff bugs can be a valuable layer of defense that provides deterrence rather than simply mitigation.”