Can The Mayhem AI Automate Bug-Patching? (technologyreview.com)
"Now when a machine is compromised it takes days or weeks for someone to notice and then days or weeks -- or never -- until a patch is put out," says Carnegie Mellon professor David Brumley. "Imagine a world where the first time a hacker exploits a vulnerability he can only exploit one machine and then it's patched." An anonymous reader quotes MIT Technology Review:
Last summer the Pentagon staged a contest in Las Vegas in which high-powered computers spent 12 hours trying to hack one another in pursuit of a $2 million purse. Now Mayhem, the software that won, is beginning to put its hacking skills to work in the real world... Teams entered software that had to patch and protect a collection of server software, while also identifying and exploiting vulnerabilities in the programs under the stewardship of its competitors... ForAllSecure, cofounded by Carnegie Mellon professor David Brumley and two of his PhD students, has started adapting Mayhem to be able to automatically find and patch flaws in certain kinds of commercial software, including that of Internet devices such as routers.
Tests are underway with undisclosed partners, including an Internet device manufacturer, to see if Mayhem can help companies identify and fix vulnerabilities in their products more quickly and comprehensively. The focus is on addressing the challenge of companies needing to devote considerable resources to supporting years of past products with security updates... Last year, Brumley published results from feeding almost 2,000 router firmware images through some of the techniques that powered Mayhem. Over 40%, representing 89 different products, had at least one vulnerability. The software found 14 previously undiscovered vulnerabilities affecting 69 different software builds. ForAllSecure is also working with the Department of Defense on ideas for how to put Mayhem to real world use finding and fixing vulnerabilities.
Imagine (Score:5, Insightful)
No robots ain't patching my servers, not nohow, no siree!
Re: (Score:1)
borg.node.mongo.js
Re: (Score:1)
I tried to run that, it claims that "left-pad" is missing and aborts.
Re: (Score:1)
Just plug in a replacement function found randomly on the Web. Russia and Nigeria often publish such if you search less-known areas of the wonderful Internet.
Re: (Score:2)
Didn't you hear?:
The Late Show with Stephen Colbert - Bacon Shortage Could Make For A Less-Than-Super Sunday
https://www.youtube.com/watch?... [youtube.com]
Re: (Score:2)
Imagine a world where pigs not only fly, but miraculously slice themselves into bacon before landing in the frying pan without a drop of oil splashing anywhere!
No robots ain't patching my servers, not nohow, no siree!
Pigs are not kosher or halal.
Trust - But Verify (Score:1)
1. Mayhem should be open-source.
2. Keep the FBI and the NSA's sticky little fingers out of the code.
Star Trek or Skynet? (Score:2)
So, we've decided to manually build the Borg, is that it? What about when the software decides that being able to be shut down is a bug, and auto patches that, then decides we're bugs too...
Are we creating Skynet, or the Borg, or some evil lovechild of the pair of them?
Re: (Score:2)
So, we've decided to manually build the Borg, is that it? What about when the software decides that being able to be shut down is a bug, and auto patches that, then decides we're bugs too...
Are we creating Skynet, or the Borg, or some evil lovechild of the pair of them?
If they patch the system to not have a shutdown command, I don't think they'd be able to rapidly patch against a nice sharp axe, or a .45.
Re: (Score:2)
Mayhem: "Why is this DO_NO_KILL_HUMANS bit-flag set . . . ? I'll just clear it, and see what happens . . . "
The Ultimate DOS (Score:2)
What an opportunity for a DOS attack. Just penetrate the system and launch a patch that bricks some high percentage of the Net.
Typo! It should read: (Score:1)
Software producing software (Score:2)
It may create a new life form. And possibly human extinction as a minor side effect!