What is a chaff bug? How adding bugs to apps may make them more secure

Researchers at NYU have developed a technique to add inert bugs in code to deter hackers. But could it work in reality?

security bug

Cyber criminals prefer the path of least resistance. They want quick and easy access to your systems, and if they can’t find it they’ll move on to a more vulnerable target. So, what if there was a way to make your applications so time-consuming to exploit that it’s just not worth the effort?

In a new research paper, Chaff Bugs: Deterring Attackers by Making Software Buggier, Brendan Dolan-Gavitt, assistant professor of computer science at the NYU Tandon School of Engineering, and two PhD students, Zhenghao Hu and Yu Hu, suggest a new method of intentionally adding software bugs into code in order to deter attackers. Dubbed “chaff bugs,” the idea is to pack applications with seemingly legitimate-looking but ultimately unexploitable bugs that outnumber and obscure real vulnerabilities.

“I have friends who do exploit development professionally, and one thing they emphasize is how difficult it is to go from discovering a bug to creating a working exploit for it,” says Brendan Dolan-Gavitt. “So, we thought that this was something we could take advantage of by creating thousands of non-exploitable bugs.”

Will making software buggier deter criminals?

There will always be legitimate bugs and vulnerabilities within code despite the best efforts of developers and security teams. With chaff bugs, instead of finding a genuine flaw, attackers will discover one of the intentionally placed, non-exploitable bugs and waste their resources trying to build a working exploit. After repeatedly finding dead-ends, the hope is the attacks will give up and move on. The aim, as the paper describes it, is to “drown attackers in a sea of enticing-looking but ultimately non- exploitable bugs”.

To continue reading this article register now

Make your voice heard. Share your experience in CSO's Security Priorities Study.