DARPA Crowdsources Bug-Spotting GamesDARPA debuts five different puzzle games to test whether players can spot mathematical flaws in open-source code used by the Defense Department.
10 Cool DARPA Projects In Development
(click image for larger view)
Want to keep the Department of Defense's computers secure? Then play a game.
That's the pitch from Defense Advanced Research Projects Agency (DARPA), which is testing whether free online games can be used to help spot code flaws. "We're seeing if we can take really hard math problems and map them onto interesting, attractive puzzle games that online players will solve for fun," DARPA program manager Drew Dean said in a statement. "By leveraging players' intelligence and ingenuity on a broad scale, we hope to reduce security analysts' workloads and fundamentally improve the availability of formal verification."
The effort -- dubbed the Crowd Sourced Formal Verification (CSFV) program -- is initially offering five different game titles, all of which are playable via a dedicated Verigames.com portal. The games aren't first-person shooters or action-adventure games, but rather puzzle games that contain mathematical models. "Solving the games provides mathematical proofs that can verify the absence of flaws or bugs," reads the Verigames site FAQ.
[Another DARPA initiative, the Cyber Grand Challenge, aims to close the gap between vulnerability discovery and remediation. Read DARPA Cyber Defense Challenge: $2 Million Prize.]
To date, CSFV is focusing only on applications written in the C and Java programming languages. DARPA said that if any potential bugs are spotted, the agency will notify whichever organization is responsible for maintaining the code.
The five CSFV games developed to date were created using TopCoder, which is a community of about 600,000 software developers, designers, and mathematicians. Via the Verigames website, here's an overview of the five games being offered:
- CircuitBot: "Link up a team of robots to carry out a mission."
- Flow Jam: "Analyze and adjust a cable network to maximize its flow."
- Ghost Map: "Free your mind by finding a path through a brain network."
- StormBound: "Unweave the windstorm into patterns of streaming symbols."
- Xylem: "Catalog species of plants using mathematical formulas."
This isn't the first attempt at harnessing crowds to solve public problems or computing challenges. One of the best-known examples remains the SETI@home -- for "search for extraterrestrial intelligence" -- project, launched in May 1999, which is run by the University of California at Berkeley. The project taps volunteers' PCs to analyze data feeds from radio telescopes, and it eventually spawned Berkeley Open Infrastructure for Network Computing (BOINC), an open-source middleware system that today counts about 3 million volunteers. It's currently being used for more than 80 projects, ranging from climate prediction and earthquake spotting to drug testing and searching for new neutron stars.
The CSFV project, however, does appear to be the first time that someone is marrying crowdsourcing with code review, and there are plenty of potential bugs to be found. That's because even when organizations have secure coding practices in place, every thousand lines of code contains, on average, between one and five coding flaws, according to DARPA. Any one of those code flaws could pose a risk to the integrity or availability of government -- and especially military -- systems.
Furthermore, existing code-review practices tend to be costly, especially for applications that haven't been developed in-house. As a result, important code too often doesn't get reviewed for errors. "Unfortunately, traditional formal verification methods do not scale to the size of software found in modern computer systems. Formal verification also currently requires highly specialized engineers with deep knowledge of software technology and mathematical theorem-proving techniques," according to DARPA's CSFV project overview. "These constraints make current formal verification techniques expensive and time-consuming, which in turn make them impractical to apply to COTS [common of-the-shelf] software."
If there's one potential downside to DARPA's gaming approach, however, it's that there's a minimum-age limit: All players must attest to being at least 18 years old. "Government regulations require adult volunteer participants for this DARPA research program," reads the Verigames site.
Advanced persistent threats are evolving in motivation, malice and sophistication. Are you ready to stop the madness? Also in the new, all-digital The Changing Face Of APTs issue of Dark Reading: Governments aren't the only victims of targeted "intelligence gathering." Enterprises need to be on guard, too. (Free registration required.)