Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

DARPA Crowdsources Bug-Spotting Games

DARPA debuts five different puzzle games to test whether players can spot mathematical flaws in open-source code used by the Defense Department.

10 Cool DARPA Projects In Development
10 Cool DARPA Projects In Development
(click image for larger view)

Want to keep the Department of Defense's computers secure? Then play a game.

That's the pitch from Defense Advanced Research Projects Agency (DARPA), which is testing whether free online games can be used to help spot code flaws. "We're seeing if we can take really hard math problems and map them onto interesting, attractive puzzle games that online players will solve for fun," DARPA program manager Drew Dean said in a statement. "By leveraging players' intelligence and ingenuity on a broad scale, we hope to reduce security analysts' workloads and fundamentally improve the availability of formal verification."

The effort -- dubbed the Crowd Sourced Formal Verification (CSFV) program -- is initially offering five different game titles, all of which are playable via a dedicated Verigames.com portal. The games aren't first-person shooters or action-adventure games, but rather puzzle games that contain mathematical models. "Solving the games provides mathematical proofs that can verify the absence of flaws or bugs," reads the Verigames site FAQ.

[Another DARPA initiative, the Cyber Grand Challenge, aims to close the gap between vulnerability discovery and remediation. Read DARPA Cyber Defense Challenge: $2 Million Prize.]

To date, CSFV is focusing only on applications written in the C and Java programming languages. DARPA said that if any potential bugs are spotted, the agency will notify whichever organization is responsible for maintaining the code.

The five CSFV games developed to date were created using TopCoder, which is a community of about 600,000 software developers, designers, and mathematicians. Via the Verigames website, here's an overview of the five games being offered:

  • CircuitBot: "Link up a team of robots to carry out a mission."
  • Flow Jam: "Analyze and adjust a cable network to maximize its flow."
  • Ghost Map: "Free your mind by finding a path through a brain network."
  • StormBound: "Unweave the windstorm into patterns of streaming symbols."
  • Xylem: "Catalog species of plants using mathematical formulas."

This isn't the first attempt at harnessing crowds to solve public problems or computing challenges. One of the best-known examples remains the [email protected] -- for "search for extraterrestrial intelligence" -- project, launched in May 1999, which is run by the University of California at Berkeley. The project taps volunteers' PCs to analyze data feeds from radio telescopes, and it eventually spawned Berkeley Open Infrastructure for Network Computing (BOINC), an open-source middleware system that today counts about 3 million volunteers. It's currently being used for more than 80 projects, ranging from climate prediction and earthquake spotting to drug testing and searching for new neutron stars.

The CSFV project, however, does appear to be the first time that someone is marrying crowdsourcing with code review, and there are plenty of potential bugs to be found. That's because even when organizations have secure coding practices in place, every thousand lines of code contains, on average, between one and five coding flaws, according to DARPA. Any one of those code flaws could pose a risk to the integrity or availability of government -- and especially military -- systems.

Furthermore, existing code-review practices tend to be costly, especially for applications that haven't been developed in-house. As a result, important code too often doesn't get reviewed for errors. "Unfortunately, traditional formal verification methods do not scale to the size of software found in modern computer systems. Formal verification also currently requires highly specialized engineers with deep knowledge of software technology and mathematical theorem-proving techniques," according to DARPA's CSFV project overview. "These constraints make current formal verification techniques expensive and time-consuming, which in turn make them impractical to apply to COTS [common of-the-shelf] software."

If there's one potential downside to DARPA's gaming approach, however, it's that there's a minimum-age limit: All players must attest to being at least 18 years old. "Government regulations require adult volunteer participants for this DARPA research program," reads the Verigames site.

Advanced persistent threats are evolving in motivation, malice and sophistication. Are you ready to stop the madness? Also in the new, all-digital The Changing Face Of APTs issue of Dark Reading: Governments aren't the only victims of targeted "intelligence gathering." Enterprises need to be on guard, too. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
12/9/2013 | 6:15:39 PM
DARPA's Push Into Software
It's interesting to see, as the wind-down of the war and sequestration are pinching military hardware budgets, that DARPA is increasingly exploring innovations to virtual problems.  As you may have seen elsewhere, DARPA is planning it's latest Grand Challenge contest, not on autonomously run vehicles, but authonomously healing networks.  (See: DARPA Cyber Defense Challenge: $2 Million Prize)
Thomas Claburn
Thomas Claburn,
User Rank: Ninja
12/9/2013 | 2:54:09 PM
For a good cause, at least
Since we all benefit from improved computer security, this is probably one of the more ethical uses of crowdsourced labor.
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-21
An issue was discovered in Contactmanager 13.x before, 14.x before, and 15.x before for FreePBX In the Contactmanager class (html\admin\modules\contactmanager\Contactmanager.class.php), an unsanitized group variable coming from the URL is reflected in HTML on...
PUBLISHED: 2019-10-21
Trend Micro Anti-Threat Toolkit (ATTK) versions and below have a vulnerability that may allow an attacker to place malicious files in the same directory, potentially leading to arbitrary remote code execution (RCE) when executed.
PUBLISHED: 2019-10-21
app/call_centers/cmd.php in the Call Center Queue Module in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated attackers (with at least the permission call_center_queue_add or call_center_queue_edit) to execute any comma...
PUBLISHED: 2019-10-21
resources/cmd.php in FusionPBX up to 4.5.7 suffers from a command injection vulnerability due to a lack of input validation, which allows authenticated administrative attackers to execute any commands on the host as www-data.
PUBLISHED: 2019-10-21
On the RICOH MP 501 printer, HTML Injection and Stored XSS vulnerabilities have been discovered in the area of adding addresses via the entryNameIn and KeyDisplay parameter to /web/entry/en/address/adrsSetUserWizard.cgi.