Towards Deceptive Defense in Software Security with Chaff Bugs

Zhenghao Hu, Yu Hu, Brendan Dolan-Gavitt

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    Abstract

    Sophisticated attackers find bugs in software, evaluate their exploitability, and then create and launch exploits for bugs found to be exploitable. Most efforts to secure software attempt either to eliminate bugs or to add mitigations that make exploitation more difficult. In this paper, we propose a new defensive technique called chaff bugs, which instead targets the bug discovery and exploit creation stages of this process. Rather than eliminating bugs, we instead add large numbers of bugs that are non-exploitable. Attackers who attempt to find and exploit bugs in software will, with high probability, find an intentionally placed non-exploitable bug and waste precious resources in trying to build a working exploit. In a prototype, we demonstrate two strategies for ensuring non-exploitability for memory safety bugs in C/C++ programs and use them to automatically add thousands of non-exploitable bugs to real-world software such as nginx and libFLAC; we show that the functionality of the software is not impaired and demonstrate that our bugs look exploitable to current triage tools. We believe that chaff bugs can serve as an effective deterrent against both human attackers and automated bug-finding tools.

    Original language: English (US)
    Title of host publication: Proceedings of 25th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2022
    Publisher: Association for Computing Machinery
    Pages: 43-55
    Number of pages: 13
    ISBN (Electronic): 9781450397049
    State: Published - Oct 26 2022
    Event: 25th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2022 - Limassol, Cyprus
    Duration: Oct 26 2022 to Oct 28 2022

    Publication series

    Name: ACM International Conference Proceeding Series

    Conference

    Conference: 25th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2022
    Country/Territory: Cyprus
    City: Limassol
    Period: 10/26/22 to 10/28/22

    ASJC Scopus subject areas

    • Software
    • Human-Computer Interaction
    • Computer Vision and Pattern Recognition
    • Computer Networks and Communications
