Application Security
12/9/2013
12:25 PM
Connect Directly
RSS
E-Mail
50%
50%

DARPA Crowdsources Bug-Spotting Games

DARPA debuts five different puzzle games to test whether players can spot mathematical flaws in open-source code used by the Defense Department.

10 Cool DARPA Projects In Development
10 Cool DARPA Projects In Development
(click image for larger view)

Want to keep the Department of Defense's computers secure? Then play a game.

That's the pitch from Defense Advanced Research Projects Agency (DARPA), which is testing whether free online games can be used to help spot code flaws. "We're seeing if we can take really hard math problems and map them onto interesting, attractive puzzle games that online players will solve for fun," DARPA program manager Drew Dean said in a statement. "By leveraging players' intelligence and ingenuity on a broad scale, we hope to reduce security analysts' workloads and fundamentally improve the availability of formal verification."

The effort -- dubbed the Crowd Sourced Formal Verification (CSFV) program -- is initially offering five different game titles, all of which are playable via a dedicated Verigames.com portal. The games aren't first-person shooters or action-adventure games, but rather puzzle games that contain mathematical models. "Solving the games provides mathematical proofs that can verify the absence of flaws or bugs," reads the Verigames site FAQ.

[Another DARPA initiative, the Cyber Grand Challenge, aims to close the gap between vulnerability discovery and remediation. Read DARPA Cyber Defense Challenge: $2 Million Prize.]

To date, CSFV is focusing only on applications written in the C and Java programming languages. DARPA said that if any potential bugs are spotted, the agency will notify whichever organization is responsible for maintaining the code.

The five CSFV games developed to date were created using TopCoder, which is a community of about 600,000 software developers, designers, and mathematicians. Via the Verigames website, here's an overview of the five games being offered:

  • CircuitBot: "Link up a team of robots to carry out a mission."
  • Flow Jam: "Analyze and adjust a cable network to maximize its flow."
  • Ghost Map: "Free your mind by finding a path through a brain network."
  • StormBound: "Unweave the windstorm into patterns of streaming symbols."
  • Xylem: "Catalog species of plants using mathematical formulas."

This isn't the first attempt at harnessing crowds to solve public problems or computing challenges. One of the best-known examples remains the SETI@home -- for "search for extraterrestrial intelligence" -- project, launched in May 1999, which is run by the University of California at Berkeley. The project taps volunteers' PCs to analyze data feeds from radio telescopes, and it eventually spawned Berkeley Open Infrastructure for Network Computing (BOINC), an open-source middleware system that today counts about 3 million volunteers. It's currently being used for more than 80 projects, ranging from climate prediction and earthquake spotting to drug testing and searching for new neutron stars.

The CSFV project, however, does appear to be the first time that someone is marrying crowdsourcing with code review, and there are plenty of potential bugs to be found. That's because even when organizations have secure coding practices in place, every thousand lines of code contains, on average, between one and five coding flaws, according to DARPA. Any one of those code flaws could pose a risk to the integrity or availability of government -- and especially military -- systems.

Furthermore, existing code-review practices tend to be costly, especially for applications that haven't been developed in-house. As a result, important code too often doesn't get reviewed for errors. "Unfortunately, traditional formal verification methods do not scale to the size of software found in modern computer systems. Formal verification also currently requires highly specialized engineers with deep knowledge of software technology and mathematical theorem-proving techniques," according to DARPA's CSFV project overview. "These constraints make current formal verification techniques expensive and time-consuming, which in turn make them impractical to apply to COTS [common of-the-shelf] software."

If there's one potential downside to DARPA's gaming approach, however, it's that there's a minimum-age limit: All players must attest to being at least 18 years old. "Government regulations require adult volunteer participants for this DARPA research program," reads the Verigames site.

Advanced persistent threats are evolving in motivation, malice and sophistication. Are you ready to stop the madness? Also in the new, all-digital The Changing Face Of APTs issue of Dark Reading: Governments aren't the only victims of targeted "intelligence gathering." Enterprises need to be on guard, too. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WKash
50%
50%
WKash,
User Rank: Apprentice
12/9/2013 | 6:15:39 PM
DARPA's Push Into Software
It's interesting to see, as the wind-down of the war and sequestration are pinching military hardware budgets, that DARPA is increasingly exploring innovations to virtual problems.  As you may have seen elsewhere, DARPA is planning it's latest Grand Challenge contest, not on autonomously run vehicles, but authonomously healing networks.  (See: DARPA Cyber Defense Challenge: $2 Million Prize)
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
12/9/2013 | 2:54:09 PM
For a good cause, at least
Since we all benefit from improved computer security, this is probably one of the more ethical uses of crowdsourced labor.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
DevOps’ Impact on Application Security
DevOps’ Impact on Application Security
Managing the interdependency between software and infrastructure is a thorny challenge. Often, it’s a “developers are from Mars, systems engineers are from Venus” situation.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0993
Published: 2014-09-15
Buffer overflow in the Vcl.Graphics.TPicture.Bitmap implementation in the Visual Component Library (VCL) in Embarcadero Delphi XE6 20.0.15596.9843 and C++ Builder XE6 20.0.15596.9843 allows remote attackers to execute arbitrary code via a crafted BMP file.

CVE-2014-2375
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to read or write to arbitrary files, and obtain sensitive information or cause a denial of service (disk consumption), via the CSV export feature.

CVE-2014-2376
Published: 2014-09-15
SQL injection vulnerability in Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVE-2014-2377
Published: 2014-09-15
Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to discover full pathnames via an application tag.

CVE-2014-3077
Published: 2014-09-15
IBM SONAS and System Storage Storwize V7000 Unified (aka V7000U) 1.3.x and 1.4.x before 1.4.3.4 store the chkauth password in the audit log, which allows local users to obtain sensitive information by reading this log file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
CISO Insider: An Interview with James Christiansen, Vice President, Information Risk Management, Office of the CISO, Accuvant