Application Security
12/9/2013
12:25 PM
50%
50%

DARPA Crowdsources Bug-Spotting Games

DARPA debuts five different puzzle games to test whether players can spot mathematical flaws in open-source code used by the Defense Department.

10 Cool DARPA Projects In Development
10 Cool DARPA Projects In Development
(click image for larger view)

Want to keep the Department of Defense's computers secure? Then play a game.

That's the pitch from Defense Advanced Research Projects Agency (DARPA), which is testing whether free online games can be used to help spot code flaws. "We're seeing if we can take really hard math problems and map them onto interesting, attractive puzzle games that online players will solve for fun," DARPA program manager Drew Dean said in a statement. "By leveraging players' intelligence and ingenuity on a broad scale, we hope to reduce security analysts' workloads and fundamentally improve the availability of formal verification."

The effort -- dubbed the Crowd Sourced Formal Verification (CSFV) program -- is initially offering five different game titles, all of which are playable via a dedicated Verigames.com portal. The games aren't first-person shooters or action-adventure games, but rather puzzle games that contain mathematical models. "Solving the games provides mathematical proofs that can verify the absence of flaws or bugs," reads the Verigames site FAQ.

[Another DARPA initiative, the Cyber Grand Challenge, aims to close the gap between vulnerability discovery and remediation. Read DARPA Cyber Defense Challenge: $2 Million Prize.]

To date, CSFV is focusing only on applications written in the C and Java programming languages. DARPA said that if any potential bugs are spotted, the agency will notify whichever organization is responsible for maintaining the code.

The five CSFV games developed to date were created using TopCoder, which is a community of about 600,000 software developers, designers, and mathematicians. Via the Verigames website, here's an overview of the five games being offered:

  • CircuitBot: "Link up a team of robots to carry out a mission."
  • Flow Jam: "Analyze and adjust a cable network to maximize its flow."
  • Ghost Map: "Free your mind by finding a path through a brain network."
  • StormBound: "Unweave the windstorm into patterns of streaming symbols."
  • Xylem: "Catalog species of plants using mathematical formulas."

This isn't the first attempt at harnessing crowds to solve public problems or computing challenges. One of the best-known examples remains the SETI@home -- for "search for extraterrestrial intelligence" -- project, launched in May 1999, which is run by the University of California at Berkeley. The project taps volunteers' PCs to analyze data feeds from radio telescopes, and it eventually spawned Berkeley Open Infrastructure for Network Computing (BOINC), an open-source middleware system that today counts about 3 million volunteers. It's currently being used for more than 80 projects, ranging from climate prediction and earthquake spotting to drug testing and searching for new neutron stars.

The CSFV project, however, does appear to be the first time that someone is marrying crowdsourcing with code review, and there are plenty of potential bugs to be found. That's because even when organizations have secure coding practices in place, every thousand lines of code contains, on average, between one and five coding flaws, according to DARPA. Any one of those code flaws could pose a risk to the integrity or availability of government -- and especially military -- systems.

Furthermore, existing code-review practices tend to be costly, especially for applications that haven't been developed in-house. As a result, important code too often doesn't get reviewed for errors. "Unfortunately, traditional formal verification methods do not scale to the size of software found in modern computer systems. Formal verification also currently requires highly specialized engineers with deep knowledge of software technology and mathematical theorem-proving techniques," according to DARPA's CSFV project overview. "These constraints make current formal verification techniques expensive and time-consuming, which in turn make them impractical to apply to COTS [common of-the-shelf] software."

If there's one potential downside to DARPA's gaming approach, however, it's that there's a minimum-age limit: All players must attest to being at least 18 years old. "Government regulations require adult volunteer participants for this DARPA research program," reads the Verigames site.

Advanced persistent threats are evolving in motivation, malice and sophistication. Are you ready to stop the madness? Also in the new, all-digital The Changing Face Of APTs issue of Dark Reading: Governments aren't the only victims of targeted "intelligence gathering." Enterprises need to be on guard, too. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WKash
50%
50%
WKash,
User Rank: Apprentice
12/9/2013 | 6:15:39 PM
DARPA's Push Into Software
It's interesting to see, as the wind-down of the war and sequestration are pinching military hardware budgets, that DARPA is increasingly exploring innovations to virtual problems.  As you may have seen elsewhere, DARPA is planning it's latest Grand Challenge contest, not on autonomously run vehicles, but authonomously healing networks.  (See: DARPA Cyber Defense Challenge: $2 Million Prize)
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
12/9/2013 | 2:54:09 PM
For a good cause, at least
Since we all benefit from improved computer security, this is probably one of the more ethical uses of crowdsourced labor.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
DevOps’ Impact on Application Security
DevOps’ Impact on Application Security
Managing the interdependency between software and infrastructure is a thorny challenge. Often, it’s a “developers are from Mars, systems engineers are from Venus” situation.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7241
Published: 2014-12-19
The TSUTAYA application 5.3 and earlier for Android allows remote attackers to execute arbitrary Java methods via a crafted HTML document.

CVE-2014-7249
Published: 2014-12-19
Buffer overflow on the Allied Telesis AR440S, AR441S, AR442S, AR745, AR750S, AR750S-DP, AT-8624POE, AT-8624T/2M, AT-8648T/2SP, AT-8748XL, AT-8848, AT-9816GB, AT-9924T, AT-9924Ts, CentreCOM AR415S, CentreCOM AR450S, CentreCOM AR550S, CentreCOM AR570S, CentreCOM 8700SL, CentreCOM 8948XL, CentreCOM 992...

CVE-2014-7267
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the output-page generator in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7268.

CVE-2014-7268
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the data-export feature in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7267.

CVE-2014-8272
Published: 2014-12-19
The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote attackers to execute arbitrary commands via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.