Researchers point out that software security will be improved by 'embedding a lot of fake bugs'

In software development, the closer the number of bugs is to zero, the higher the security will be. However, it is difficult to find bugs that occur only under very special conditions, and it is said that it is impossible to crush all bugs. Research teams such as Brendan Doran Gavit, who is an assistant professor in computer science at New York University Tandon Institute of Technology, embed a large amount of "fake bugs" in the program rather than reducing bugs as a way to enhance software security It showed that there is a way.

[1808.00659] Chaff Bugs: Deterring Attackers by Making Software Buggier
https://arxiv.org/abs/1808.00659

Cramming Software With Thousands of Fake Bugs Could Make It More Secure - Motherboard
https://motherboard.vice.com/en_us/article/43p7dm/software-chaff-bugs-could-make-it-more-secure

There is already a method to artificially embed bugs in the software under development, and the " bug embedding method " of software testing is already known. This is used to predict how many remaining bugs exist from the number (percentage) of artificial bugs discovered after debugging.

Doran-Gavit thought that the way to embed this artificial bug could be used for another purpose, and his friend told Mr. Doran Gavit: "Find a bug, whether it is a bug that can be exploited next It will take a lot of time before I can actually exploit it, "he said.

Doran Gabbitt said, "If you embed a lot of fake bugs that are indistinguishable from real bugs, hackers need to spend a tremendous amount of time just by investigating bugs, eventually giving up the attack It seems that sex will increase. " Therefore, the research team succeeded in embedding artificial bug which can not be abused in software actually developed on the scale of thousands of people, starting to develop software that embeds artificial bugs. Even if a large amount of bugs were intentionally embedded in order to enhance security, it was shown that the execution speed of the software did not become slower than necessary, and it was shown that practicality will not be impaired.

However, the research team stated that "scenes to which this technique can be applied are largely limited", he noted that there are issues. For example, open source software that many people can read source code does not have any effect because it can read the contents of the bug. Also, since the embedded fake bug actually needs to behave like an actual bug, such as crashing the software, it is necessary to perform the same operation as an actual bug, so it is not easy to stop or delay any mission critical system such as a financial institution or transportation system It is impossible to apply to. Even if you lower the service level, you need to lower the operation policy to the level of "Allowing the system down while running the service" and there are few software for such use.

Mr. Doran-Gavit says, "We believe that this idea is still worth the investigation, we would like to find new uses," and said that this technique will continue to investigate applicable software.