Application Security
12/9/2013
12:25 PM
50%
50%

DARPA Crowdsources Bug-Spotting Games

DARPA debuts five different puzzle games to test whether players can spot mathematical flaws in open-source code used by the Defense Department.

10 Cool DARPA Projects In Development
10 Cool DARPA Projects In Development
(click image for larger view)

Want to keep the Department of Defense's computers secure? Then play a game.

That's the pitch from Defense Advanced Research Projects Agency (DARPA), which is testing whether free online games can be used to help spot code flaws. "We're seeing if we can take really hard math problems and map them onto interesting, attractive puzzle games that online players will solve for fun," DARPA program manager Drew Dean said in a statement. "By leveraging players' intelligence and ingenuity on a broad scale, we hope to reduce security analysts' workloads and fundamentally improve the availability of formal verification."

The effort -- dubbed the Crowd Sourced Formal Verification (CSFV) program -- is initially offering five different game titles, all of which are playable via a dedicated Verigames.com portal. The games aren't first-person shooters or action-adventure games, but rather puzzle games that contain mathematical models. "Solving the games provides mathematical proofs that can verify the absence of flaws or bugs," reads the Verigames site FAQ.

[Another DARPA initiative, the Cyber Grand Challenge, aims to close the gap between vulnerability discovery and remediation. Read DARPA Cyber Defense Challenge: $2 Million Prize.]

To date, CSFV is focusing only on applications written in the C and Java programming languages. DARPA said that if any potential bugs are spotted, the agency will notify whichever organization is responsible for maintaining the code.

The five CSFV games developed to date were created using TopCoder, which is a community of about 600,000 software developers, designers, and mathematicians. Via the Verigames website, here's an overview of the five games being offered:

  • CircuitBot: "Link up a team of robots to carry out a mission."
  • Flow Jam: "Analyze and adjust a cable network to maximize its flow."
  • Ghost Map: "Free your mind by finding a path through a brain network."
  • StormBound: "Unweave the windstorm into patterns of streaming symbols."
  • Xylem: "Catalog species of plants using mathematical formulas."

This isn't the first attempt at harnessing crowds to solve public problems or computing challenges. One of the best-known examples remains the [email protected] -- for "search for extraterrestrial intelligence" -- project, launched in May 1999, which is run by the University of California at Berkeley. The project taps volunteers' PCs to analyze data feeds from radio telescopes, and it eventually spawned Berkeley Open Infrastructure for Network Computing (BOINC), an open-source middleware system that today counts about 3 million volunteers. It's currently being used for more than 80 projects, ranging from climate prediction and earthquake spotting to drug testing and searching for new neutron stars.

The CSFV project, however, does appear to be the first time that someone is marrying crowdsourcing with code review, and there are plenty of potential bugs to be found. That's because even when organizations have secure coding practices in place, every thousand lines of code contains, on average, between one and five coding flaws, according to DARPA. Any one of those code flaws could pose a risk to the integrity or availability of government -- and especially military -- systems.

Furthermore, existing code-review practices tend to be costly, especially for applications that haven't been developed in-house. As a result, important code too often doesn't get reviewed for errors. "Unfortunately, traditional formal verification methods do not scale to the size of software found in modern computer systems. Formal verification also currently requires highly specialized engineers with deep knowledge of software technology and mathematical theorem-proving techniques," according to DARPA's CSFV project overview. "These constraints make current formal verification techniques expensive and time-consuming, which in turn make them impractical to apply to COTS [common of-the-shelf] software."

If there's one potential downside to DARPA's gaming approach, however, it's that there's a minimum-age limit: All players must attest to being at least 18 years old. "Government regulations require adult volunteer participants for this DARPA research program," reads the Verigames site.

Advanced persistent threats are evolving in motivation, malice and sophistication. Are you ready to stop the madness? Also in the new, all-digital The Changing Face Of APTs issue of Dark Reading: Governments aren't the only victims of targeted "intelligence gathering." Enterprises need to be on guard, too. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WKash
50%
50%
WKash,
User Rank: Apprentice
12/9/2013 | 6:15:39 PM
DARPA's Push Into Software
It's interesting to see, as the wind-down of the war and sequestration are pinching military hardware budgets, that DARPA is increasingly exploring innovations to virtual problems.  As you may have seen elsewhere, DARPA is planning it's latest Grand Challenge contest, not on autonomously run vehicles, but authonomously healing networks.  (See: DARPA Cyber Defense Challenge: $2 Million Prize)
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
12/9/2013 | 2:54:09 PM
For a good cause, at least
Since we all benefit from improved computer security, this is probably one of the more ethical uses of crowdsourced labor.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.