
MIT System Fixes Software Bugs Without Access To Source Code 78

jan_jes writes: MIT researchers have presented a new system at the Association for Computing Machinery's Programming Language Design and Implementation conference that repairs software bugs by automatically importing functionality from other, more secure applications. According to MIT, "The system, dubbed CodePhage, doesn't require access to the source code of the applications. Instead, it analyzes the applications' execution and characterizes the types of security checks they perform. As a consequence, it can import checks from applications written in programming languages other than the one in which the program it's repairing was written."

  • Hmmm .... (Score:5, Insightful)

    by gstoddart ( 321705 ) on Monday June 29, 2015 @11:34AM (#50012393) Homepage

    And to whom do you file the bug report again?

    I can just imagine it now "Yeah, we run this cool thing called CodePhage which patched the software, but now it broke". They'll laugh at you and hang up.

    This sounds like an automated system for mangling together random bits of software and hoping you still have something usable.

    "The longer-term vision is that you never have to write a piece of code that somebody else has written before," Rinard says. "The system finds that piece of code and automatically puts it together with whatever pieces of code you need to make your program work."

    Sounds totally cool. Also sounds like complete fiction.

    • Re:Hmmm .... (Score:5, Insightful)

      by xxxJonBoyxxx ( 565205 ) on Monday June 29, 2015 @11:37AM (#50012419)

      >>>> system finds that piece of code and automatically puts it together with whatever pieces of code you need to make your program work
      >> sounds like complete fiction
      I think we already do this with libraries and dependencies...just not at the executable level.

    • Sounds totally cool. Also sounds like complete fiction.

      I think you mean Phiction.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Also: Versioning.

      VERSIONING, VERSIONING, VERSIONING, VERSIONING...

      What is your version number after this 'fix'? This seems like a nice way to fork off yet another forked fork of a forked codebase, except now we're forking binaries as well as sources.

      Y'know those "Warranty Void If Removed" stickers they put on electronics? Y'know those painted tamper-proof screws they put in your Mac? They put those there to stop you fucking around inside the box, because you can easily fuck things up and they won't know how

      • Y'know those "Warranty Void If Removed" stickers they put on electronics? Y'know those painted tamper-proof screws they put in your Mac? They put those there to stop you fucking around inside the box, because you can easily fuck things up and they won't know how to fix it.

        "tamper proof screws" if they are "tamper proof" then why can you get compatible screwdrivers from about 10,000 different places on the internet?

        stickers don't actually "stop" anyone, the point is that you're on your own if you break the seal.

        A binary file has an implied "Warranty Void If Removed" sticker on it.

        so the warranty is void when I fire up my database and start storing data in it?

        • by TheCarp ( 96830 )

          Funny thing is, those terms and stickers don't even always hold water.

          There was a hilarious case a while back where some PC manufacturer lost a lawsuit where they had refused a warranty repair. Basically the courts told them PC buyers expect to open the case so you can't refuse warranty service over an expected operating condition, but, they can require the customer to revert any changes they made before they qualify for service.

          Didn't stop the proliferation of stickers of course, because they may not actu

      • It has been my experience that software comes with a EULA that says there is no warranty.
    • by Pieroxy ( 222434 ) on Monday June 29, 2015 @12:11PM (#50012689) Homepage

      The problem is that it gives a false sense of security. Your favorite bank can now fire those two last skilled people and get 10 more dumb Indians (note: not all Indians are dumb) to piss off shitty code. Just run their "CodePhage magic" and you still have a software full of holes (but a little less than if you didn't run it.)

      The problem is just that now that you have fired those two people that knew what they were talking about, you're just clueless about what is going on.

    • Well it is from the MIT, it must be good right?

    • What about this system detecting I have a bug and then replacing my secure, working software module with a new unknown exploit? Or even a known exploit ala Nation-State?
  • .... It causes software bugs by automatically importing malware functionality from other, less secure applications.
  • by pubwvj ( 1045960 ) on Monday June 29, 2015 @11:35AM (#50012405)

    An excellent idea. On a very closely related thought this same sort of idea can be used to translate software so that what ran on older legacy platforms or incompatible platforms can automatically be able to run on newer hardware. Imagine you buy the latest greatest Cray SuperComputer Watch and it will run all your Android, Apple Watch, iPhone, MacOSX, Windows, Unix, DEC, Exidy, TRS-80, CPM and other software. Suddenly you can upgrade your hardware without the worry of losing access to your data. We need this in a big way.

    • by Anonymous Coward

      I think you mis-translated.

      MIT and others have been working on self-healing software for decades. For example,

      http://people.csail.mit.edu/st... [mit.edu]

      http://www.livescience.com/589... [livescience.com]

    • I agree. When OSS goes out of service on legacy systems which are still used in production, this could provide a way to substitute blocks of code for the more secure code path. It looks like legacy security may have been the prime motivation. In these systems you're not calling a help desk due to their age and typically these environments have qualification test that could be employed for sanity checking the setup. If the assumptions I made are correct, the larger question is if the physical security of
    • by Bert64 ( 520050 )

      There are already various emulators that do just that, and they are widely used for running legacy software on modern hardware.

  • It is called a Rubber Band workaround.
    Working with legacy systems without access to Source, however needs additional features. Intercept Pipes, data packets, or reports generated, then use its information to filter and add additional information.

    It is a rubber band solution because it can break from a brand new unknown variable, and requires layers of fixes and workarounds to keep it running.

  • by bwcbwc ( 601780 ) on Monday June 29, 2015 @12:07PM (#50012661)

    The NSA is going to love this one. If CodePhage can inject "clean" code, there's nothing that prevents it from being revamped to inject malicious code.

    Alternatively, if your site needs a level of security where you need this type of "live" patching, you need a level of security that would prevent CodePhage from making the updates in the first place.

    Sounds like it might be a useful test and bug detection tool, but not for live environments.

    • Alternatively, if your site needs a level of security where you need this type of "live" patching,

      why is this only applicable in high security applications? why can't it be used to fix bugs in user interfaces?

      • by 0123456 ( 636235 )

        why can't it be used to fix bugs in user interfaces?

        True. It could inject a completely new UI into Windows 8.

  • by neversleepy ( 3525847 ) on Monday June 29, 2015 @12:08PM (#50012665)
    Woo hoo. Finally I can treat the copy protection and CONSTANT recurring key checks as bugs in the software I have paid for!
  • OS/2, being somewhat modular and object oriented, allowed you to fix some bugs on the Workplace Shell (Desktop Interface) (WPS) without access to the source code of it. The trick of OS/2 is that it uses SOM in the middle between the GUI and the Desktop [edm2.com].

    Since all the WPS were objects, you just grabbed the clock object (WPClock), and created a child from it, you can incorporate more functionality, or remove the functionality that you didn't like. So on OS/2 you disabled the parent WPClock object and tell that
  • A user calls and says they have a problem with program x so they call me. When they get there, they cannot reproduce the bug. We assume that the software knows that it is whipped once I come into the picture so it fixes itself. You would not believe how many times this has happened over 30+ years.
  • If you're automatically taking code from a more secure application and injecting it into a "stable" application, that alters the stable application and invalidates any testing that's been performed. Sure, the intention is fixing a "bug" or a vulnerability but you're changing application behavior potentially and creating a bigger set of problems. From a purely academic sense it's definitely intriguing but I don't think I'd want anything I'm supposed to be supporting leveraging this as a catch-all.

  • So, DIODE is really cool. It looks like it does the same thing you'd do with IDA and a fuzzer. It only finds integer overflows, but still really cool. CodePhage just reads like a giant ball of WTF

  • With so much copyright rhetoric going around I can't help but to think this will come back and bite someone bad.
  • This is like a virtual machine for all instances of strcmp?

  • So, there are already computers that can automatically find vulnerabilities and patch them (and exploit them).

    https://cgc.darpa.mil/ [darpa.mil]
    http://www.cybergrandchallenge... [cybergrandchallenge.com]

  • What happens when you run it against itself over and over?

    Or is this the first non-trivial bug-free piece of software ever written?

  • Things like this have been done since... the start of computing? I remember patches like this were done on 8 bitters (c64, cpc, ...) and later 16 bitters (amiga, atari, pc, ...). For games they came in the form of cheatmodes or to enable piracy.

  • Wow! This is awesome! I am sure Adobe will pass the savings onto the customer!
