Title

26. FakeBugs: Buggy Software for More Security

Presenter Information

Jacob Elder

Faculty Mentor(s)

Bryson Payne

Campus

Dahlonega

Proposal Type

Poster

Subject Area

Computer Science

Location

Nesbitt 3110

Start Date

25-3-2022 12:00 PM

End Date

25-3-2022 1:00 PM

Description/Abstract

Software developers today are careful not to include bugs in their code, for security reasons. These bugs end up at the center of vulnerabilities that can compromise a program, computer, or network, and those vulnerabilities are the foundation of the exploits malicious actors create. Creating these exploits allows the exploit developer to move further down the cyber kill chain, keeping their access until the vulnerabilities are patched out. This process of exploitation functions as a loop: the attacker finds a bug in a codebase, the attacker exploits the bug, the software developer finds the point in the codebase that is being exploited, the developer patches out the vulnerability, and the attacker starts looking for new vulnerabilities.

The goal of this research is to deter vulnerability weaponization as a means to greater security. Normally, this means introducing patches for known bugs. This project instead aims to create fake, non-exploitable bugs that appear to be real vulnerabilities, and then introduce them into a codebase for greater security. The practice is a means of wasting the exploit author's resources during the reconnaissance and weaponization phases of the cyber kill chain. These bugs function as a deterrent, hiding any real vulnerable code among fake vulnerabilities. This creates a needle-in-a-haystack problem for an exploit author, decreasing the time available to develop an exploit and increasing the time software developers have to create patches for the real vulnerabilities, further increasing security. It also deters exploit authors looking for a quick way to break a program for their own benefit.

Media Format

flash_audio

This document is currently not available here.
