MIT System Fixes Software Bugs Without Access To Source Code 78
jan_jes writes: MIT researchers have presented a new system at the Association for Computing Machinery's Programming Language Design and Implementation conference that repairs software bugs by automatically importing functionality from other, more secure applications. According to MIT, "The system, dubbed CodePhage, doesn't require access to the source code of the applications. Instead, it analyzes the applications' execution and characterizes the types of security checks they perform. As a consequence, it can import checks from applications written in programming languages other than the one in which the program it's repairing was written."
Hmmm .... (Score:5, Insightful)
And to whom do you file the bug report again?
I can just imagine it now "Yeah, we run this cool thing called CodePhage which patched the software, but now it broke". They'll laugh at you and hang up.
This sounds like an automated system for mangling together random bits of software and hoping you still have something usable.
Sounds totally cool. Also sounds like complete fiction.
Re:Hmmm .... (Score:5, Insightful)
>>>> system finds that piece of code and automatically puts it together with whatever pieces of code you need to make your program work
>> sounds like complete fiction
I think we already do with with libraries and dependencies...just not at the executable level.
Re: (Score:3)
DLL Hell is a known problem and measures are usually taken to prevent breaking too much software in the wild.
This seems more like replacing a crying baby with one that looks about the same but doesn't cry as much, and saying "same thing".
Re:Hmmm .... (Score:5, Funny)
Re:Hmmm .... (Score:4, Funny)
>>>> system finds that piece of code and automatically puts it together with whatever pieces of code you need to make your program work
Hey! Why does my Windows 10 system boot up with a picture of a penguin?
Re: (Score:3)
Sounds totally cool. Also sounds like complete fiction.
I think you mean Phiction.
Re: (Score:2, Interesting)
Also: Versioning.
VERSIONING, VERSIONING, VERSIONING, VERSIONING...
What is your version number after this 'fix'? This seems like a nice way to fork off yet another forked fork of a forked codebase, except now we're forking binaries as well as sources.
Y'know those "Warranty Void If Removed" stickers they put on electronics? Y'know those painted tamper-proof screws they put in your Mac? They put those there to stop you fucking around inside the box, because you can easily fuck things up and they won't know how
Re: (Score:2)
Y'know those "Warranty Void If Removed" stickers they put on electronics? Y'know those painted tamper-proof screws they put in your Mac? They put those there to stop you fucking around inside the box, because you can easily fuck things up and they won't know how to fix it.
"tamper proof screws" if they are "tamper proof" then why can you get compatible screwdrivers from about 10,000 different places on the internet?
stickers don't actually "stop" anyone, the point is that you're on your own if you break the seal.
A binary file has an implied "Warranty Void If Removed" sticker on it.
so the warranty is void when I fire up my database and start storing data in it?
Re: (Score:2)
Funny thing is, those terms and stickers don't even always hold water.
There was a hilarious case a while back where some PC manufacturer lost a lawsuit where they had refused a warrantee repair. Basically the courts told them PC buyers expect to open the case so you can't refuse warantee service over an expected operating condition, but, they can require the customer to revert any changes they made before they qualify for service.
Didn't stop the proliferation of stickers of course, because they may not actu
Re: (Score:1)
Yea? Several programs I've written do exactly that. There are game dev platforms that can put everything, database included, inside the executable upon compiling.
Ever made a self-extracting .EXE file? If you did it on a piece of software with a database attached - THAT DATABASE IS STORED IN THE EXECUTABLE.
Re:Warranty (Score:1)
Re:Hmmm .... (Score:4)
The problem is that it gives a false sens of security. Your favorite bank can now fire those two last skilled people and get 10 more dumb indians (note: not all indians are dumb) to piss off shitty code. Just run their "CodePhage magic" and you still have a software full of holes (but a little less than if you didn't run it.)
The problem is just that now that you have fired those two people that knew what they were talking about, you're just clueless about what is going on.
Re: (Score:2)
Well it is from the MIT, it must be good right?
Re: (Score:3)
"TFS" (Score:3)
I was really confused, because of the context my brain immediately went to Team Foundation Server. I was like, "What? The Fucking Summary never mentioned TFS... oooooh, I see...."
Re: (Score:2)
In fact, you are correct. The article clams they don't have to have the source, but that is only partly true. The recipient, the program that has a bug, must have the source code. The donor, the program that does not suffer from the bug, does not need to have the source code. And this is perhaps the interesting part.
So, say you are creating an open source Office program, and you obviously need to open .doc files. You have mostly everything working, but now you have this one file that crashes your program, b
MIT System Makes Software Bugs Without Access (Score:1)
Excellent Now Translate (Score:3)
An excellent idea. On a very closely related thought this same sort of idea can be used to translate software so that what ran on older legacy platforms or incompatible platforms can automatically be able to run on newer hardware. Imagine you buy the latest greatest Cray SuperComputer Watch and it will run all your Android, Apple Watch, iPhone, MacOSX, Windows, Unix, DEC, Exidy, TRS-80, CPM and other software. Suddenly you can upgrade your hardware without the worry of losing access to your data. We need this in a big way.
Re: (Score:2)
No, there was no sarcasm. We need legacy support to move data forward.
Re: (Score:1)
Unfortunately, this doesn't fix those type of bugs, because they aren't bugs. It also cannot patch a program without the sourcecode, at least not by itself.
What you really want is to use one of these project that translate executable code into, say, c or c++, and from there you could try to do this, if it runs on those systems and can handle anything other than x86 code.
Re: (Score:1)
I think you mis-translated.
MIT and others have been working on self-healing software for decades. For example,
http://people.csail.mit.edu/st... [mit.edu]
http://www.livescience.com/589... [livescience.com]
Re: (Score:1)
Re: (Score:2)
There are already various emulators that do just that, and they are widely used for running legacy software on modern hardware.
Re: (Score:2)
Unfortunately not well.
Re: (Score:1)
Apparently since the mods have zero critical thinking ability, I'll just have to answer.
We have EMULATORS.
Transpilers are FUCKING WORTHLESS in the face of emulation.
Re: (Score:2)
And why do you reduce yourself to being insulting. Just because you fail to understand the need or the inadequacy of the existing translators is no reason for you to be rude. You need to learn to be polite in addition to realizing that you may not understand what other people need.
I do this all the time. (Score:2)
It is called a Rubber Band workaround.
Working with legacy systems without access to Source, however needs additional features. Intercept Pipes, data packets, or reports generated, then use its information to filter and add additional information.
It is a rubber band solution because it can break from a brand new unknown variable, and requires layers of fixes and workarounds to keep it running.
Re: (Score:1)
The article did mention checking to see if things were being done out of order, I would think this could be expanded toward race conditions.
Malware vector... (Score:3)
The NSA is going to love this one. If the Codephage can inject "clean" code, there's nothing that prevents it from being revamped to inject malicious code.
Alternatively, if your site needs a level of security where you need this type of "live" patching, you need a level of security that would prevent CodePhage from making the updates in the first place.
Sounds like it might be a useful test and bug detection tool, but not for live environments.
Re: (Score:3)
Alternatively, if your site needs a level of security where you need this type of "live" patching,
why is this only applicable in high security applications? why can't it be used to fix bugs in user interfaces?
Re: (Score:2)
why can't it be used to fix bugs in user interfaces?
True. It could inject a completely new UI into Window 8.
Sayonara Copy Protection and Key Checks!!! (Score:3, Insightful)
Re:Sayonara Copy Protection and Key Checks!!! (Score:5, Insightful)
Pirates already have versions with these bugs fixed, widely available from various torrent sites.
Re: (Score:2)
No one knows what it will do before just trying it.
and gosh it would never occur to anyone to make a backup first
Re: (Score:1)
OS/2 has it in somekind of way... (Score:2)
Since all the WPS where objects, you just grabbed the clock object (WPClock), and create a child from it, you can incorporate more functionality, or remove the functionality that you didn't like. So on OS/2 you disabled the parent WPClock object and tell that
Bugs magically disappear when I am called (Score:2)
Re: (Score:2)
so you are still falling for the same practical joke after all these years?
Re: (Score:2)
Ah the levels a developer will stoop to save face!
User is skipping a step (Score:2)
The user is slowing down and doing it right when you're there. When you're elsewhere, they do it fast and they do it wrong. Tell them to slow down, close the case
Re: (Score:2)
C is a powerful language. I shouldn't have to give up that power because some other schmoe doesn't know how to handle it safely. Come the think of it, that applies to a lot of things.
I'm not sure I'd want this (Score:2)
If you're automatically taking code from a more secure application and injecting it into a "stable" application, that' alters the stable application and invalidates any testing that's been performed. Sure, the intention is fixing a "bug" or a vulnerability but you're changing application behavior potentially and creating a bigger set of problems. From a purely academic sense it's definitely intriguing but I don't think I'd want anything I'm supposed to be supporting leveraging this as a catch-all.
You want this thing do what to my binaries? (Score:1)
So, DIODE is really cool. It looks like it does the same thing you'd do with IDA and a fuzzer. It only finds integer overflows, but still really cool. CodePhage just reads like a giant ball of WTF
whos applications are imported? (Score:2)
So, without having read TFA of course (Score:2)
This is like a virtual machine for all instances of strcmp?
This is already a thing, DARPA has a competition (Score:1)
So, there are already computers that can automatically find vulnerabilities and patch them (and exploit them).
https://cgc.darpa.mil/ [darpa.mil]
http://www.cybergrandchallenge... [cybergrandchallenge.com]
Re: (Score:2)
END OF LINE.
Run it on itself??? (Score:1)
What happens when you run it against itself over and over?
Or is this the first non-trivial bug-free piece of software ever written?
Everything old is new again? (Score:2)
Things like this have been done since... the start of computing? I remember patches like this were done on 8 bitters (c64, cpc, ...) and later 16 bitters (amiga, atari, pc, ...). For games they came in the form of cheatmodes or to enable piracy.
Amazing! (Score:1)