Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Fixing Bugs, But Bypassing the Source Code

timothy posted more than 4 years ago | from the wrapping-puzzles-in-enigmas dept.

Software 234

shreshtha contributes this snippet from MIT's Technology Review: "Martin Rinard, a professor of computer science at MIT, is unabashed about the ultimate goal of his group's research: 'delivering an immortal, invulnerable program.' In work presented this month at the ACM Symposium on Operating Systems Principles in Big Sky, MT, his group has developed software that can find and fix certain types of software bugs within a matter of minutes." Interestingly, this software doesn't need access to the source code of the target program.

cancel ×

234 comments

Sorry! There are no comments related to the filter you selected.

I sure wouldn't (5, Funny)

Korbeau (913903) | more than 4 years ago | (#29918067)

run this software before running ClearView on it first. Imagine what this could do if it had a bug in its code!

Re:I sure wouldn't (-1, Troll)

Anonymous Coward | more than 4 years ago | (#29918191)

HOW TO BE A WORTHLESS, VILE, AMERICAN YARD-APE!!!!
  • Slink around, shuffling your feet and bobbing your neck like the lazy retard you are.
  • Walk down the middle of the street because you don't know what a sidewalk is for.
  • Hang out at carwashes and mini-marts because everybody knows these are the best places to be a dope, I mean dope.
  • If you're a nigger bitch, shit three nigger babies into the world before 17 years of age. This assures that welfare money will support you, so your nigger men have more time to commit crimes.
  • Be sure to give REAL honest black people a bad name.
  • Oh yes, make sure each nigger baby has a different father. Double points if they grow up never knowing who the father is cuz then they're more likely to think being a thug is GREAT!
  • Bastardize the English language in the name of nigger culture.
  • Make sure that several terms have multiple meanings and others have ambiguous meanings and that only 50% of nigger words are even complete words. Real niggers will know what you're trying to say.
  • As a culture, make sure there are always more blacks in prison than in college at any given time. This is very important cuz you can blame it on racism even though the worst racist in the world still can't force you to break the law.
  • Hang out in packs of 10 to 15 and make sure everyone acts as annoying as possible. This helps to promote nigger individuality.
  • Always talk loud enough so everyone in the 'hood can fucking hear you, and if they are niggers, they will know what your saying, bro.
  • Wear clothes that are 10 sizes too big, making sure the pants hang off your ass.
  • Park at least 5 junk cars in your yard while being careful not to use the driveway. It's OK to abandon them in the street as long as it's in front of someone else's crib.
  • Exaggerate every motion, every tonal inflection and grab your dick a lot.
  • Do drugs, sell drugs, make drugs. Okay, don't REALLY do this, but it IS what niggers do.
  • Turn your backyard into a junk yard. If you don't have a backyard, turn your mother's into a junk yard.
  • Travel around leaching off relatives, friends, salvation armies.
  • Drink cheap wine and malt liquor every day, forgetting that "malt liquor" is just fortified cheap beer.
  • If you're a nigger buck: fuck anything that moves, no matter how ugly she is. After two 40oz, even the ugliest, fattest nigger bitch will look good.
  • Be charitable and covet fat, ugly white chicks. After all, they're niggers too. They can't help being so undesirable to white men that they have to fraternize with black dudes on a 20/20 trip. And white ho's are a special trophy too, especially the not so ugly ones.
  • Spray paint everything in sight with scribbles that mean nothing to white people but mean things to fellow niggers (except niggers from another hood who will probably go after you for tresspassing on their turf).
  • Use the term "motherfucker" in every sentence. It's one of the most versatile words in the nigger language, being a noun, verb, adjective and complete mini-sentence in event you run out of thoughts.
  • Stop in the middle of the street, blocking all traffic to converse with fellow niggers and have complete disregard for everyone else.
  • Overcharge customers at Taco Bell and pocket the difference.
  • Drive your car while slouched so low that you can barely see over the wheel (gangsta drivin').
  • Get a job under affirmative action. Then sit around all day pretending that you earned the position and that the other co-workers respect you. Whenever you fuck up, scream "racism!" & hope you get enough Generation X liberals in the jury.
  • Never, I mean NEVER, take any responsibility for your actions. Always blame others including Asians, Latinos, Mexicans, and especially Whites for your sorry ass stupid lives.
  • Be sure to get a dog, tie it up in the cold and mud and neglect it until it dies. Then start all over again. Cash must be used because you long ago fucked up your credit and checking account.
  • Cram 5 generations into a two room government apartment and still be able to neglect your kids.

Then you too can be a true nigger, and anyone who finds any fault with anything you do is automatically a racist. They don't dislike what you do and wish you would do something better with your life, nor do they wish you would realize that other people exist and should be treated with respect. No, they're just racists who hate you because of the color of your skin, and everything bad in your life is their fault. You nigger.

Re:I sure wouldn't (0)

Anonymous Coward | more than 4 years ago | (#29918221)

WTF dude. You need to quit crack.

Re:I sure wouldn't (1)

Sam36 (1065410) | more than 4 years ago | (#29919045)

I completely agree with you. Posting from my mother's computer as I type.

Re:I sure wouldn't (2, Funny)

sconeu (64226) | more than 4 years ago | (#29918287)

Error - Stack recursion. Head asploding!

One might have the question... (0, Interesting)

Anonymous Coward | more than 4 years ago | (#29918069)

was it ever applied to itself? ... and did it gain conciousness?

Re:One might have the question... (1)

thhamm (764787) | more than 4 years ago | (#29918981)

yes. now it talks in a fanny accent. and is a governator. and makes ads for wieners [youtube.com] .

MS will probably kill it (0, Flamebait)

vawarayer (1035638) | more than 4 years ago | (#29918083)

Another interesting project that Microsoft will probably buy out and kill in the egg.

Re:MS will probably kill it (5, Insightful)

SnarfQuest (469614) | more than 4 years ago | (#29918169)

If MS included this in Windows, you'd never get to see the login screen because the CPU would be so busy fixing bugs.

Yeah, and if it did happen to work (1)

transporter_ii (986545) | more than 4 years ago | (#29918319)

It would totally wipe out Microsoft's current business model. I think they better wait until they sucker everyone into software rental agreements before this is unleashed on Windows.

.

Re:Yeah, and if it did happen to work (1)

BitZtream (692029) | more than 4 years ago | (#29919733)

And how would it do that? You think MS software has every feature for every situation that will ever exist? Its just the bugs that are the problem?

Re:MS will probably kill it (1, Insightful)

MobileTatsu-NJG (946591) | more than 4 years ago | (#29918429)

If MS included this in Windows, you'd never get to see the login screen because the CPU would be so busy fixing bugs.

Geez... imagine the sheer volume of .CONF files a Linux user would have to waft through just to get this to check a distro for bugs.

Re:MS will probably kill it (0)

Anonymous Coward | more than 4 years ago | (#29918747)

By installing via a distro customized binary, likely none

Re:MS will probably kill it (4, Informative)

Xtifr (1323) | more than 4 years ago | (#29919005)

imagine the sheer volume of .CONF files a Linux user would have to waft through just to get this to check a distro for bugs.

501:~ $ locate .CONF
502:~ $

Looks like the volume is...zero? I think maybe I don't understand what you mean. Is ".CONF" some sort of Windows-speak for configuration files? If so, then the fact that they're all in /etc (or possibly /usr/etc or /usr/local/etc) and /home should make them very easy to skip.

Re:MS will probably kill it (5, Funny)

mewsenews (251487) | more than 4 years ago | (#29919129)

If MS included this in Windows, you'd never get to see the login screen because the CPU would be so busy fixing bugs.

Geez... imagine the sheer volume of .CONF files a Linux user would have to waft through just to get this to check a distro for bugs.

Is this some sort of "out-stereotype the operating system" competition? If so, here is my entry:

If the tool from TFA existed already, Mac users wouldn't notice it until Steve Jobs named it the iPatcher and made some cutesy advertisements with Justin Long wearing an eye patch. At that point they'd proclaim it made their systems invulnerable to bugs in a far superior way than Windows and Linux.

Re:MS will probably kill it (-1, Troll)

Anonymous Coward | more than 4 years ago | (#29919139)

Just about the funniest thing in the world is when somebody makes a fool of themselves by making a joke about something they clearly don't understand.

FYI, I'm laughing at you, not with you.

Re:MS will probably kill it (1)

westlake (615356) | more than 4 years ago | (#29918923)

If MS included this in Windows, you'd never get to see the login screen because the CPU would be so busy fixing bugs.

This sort of thing plays well to the geek's hive mind. But is it really worth a mod-up to +5, Insightful?

Vulnerability Report: Microsoft Windows 7 - 2009 [secunia.com] There are no unpatched Secunia advisories affecting this product, when all vendor patches are applied..

Re:MS will probably kill it (3, Insightful)

Missing_dc (1074809) | more than 4 years ago | (#29919485)

Me-thinks someone sounds jealous they did not think of it first.

This really deserves (4, Funny)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#29918091)

A "whatcouldpossiblygowrong". Along with, just to be on the safe side, a "colossustheforbinproject", a "shodan", a "hal", a "skynet" and probably a bunch of others that I'm forgetting right now.

How about (4, Insightful)

raddan (519638) | more than 4 years ago | (#29918583)

"Entscheidungsproblem [wikipedia.org] ". You'd think a professor of CS at MIT would have heard of it.

Re:How about (1)

blueg3 (192743) | more than 4 years ago | (#29918765)

The relevance here?

Re:How about (4, Interesting)

raddan (519638) | more than 4 years ago | (#29919137)

You can't write an algorithm that takes as input another algorithm and outputs whether that second algorithm is correct or not. Since ClearView must make this decision somehow (this behavior is bad; make it good), the process cannot be algorithmic. However-- this is exactly how the vast majority of software is written now-- a programmer has a good idea about how to solve the problem, but does not "provably" solve it. If you believe language designers, that's part of the problem. ClearView just adds another layer of heuristics on top of the ones that are already there. Someone has to come up with those rules. This makes the actual work of understanding a program much more complicated. But, you know, the MIT people have been chasing AI for a long time, so maybe they don't think that understanding something is important as long as there's a good simulacrum of the thing they're trying to create. Black box computer science.

Re:How about (3, Insightful)

Migala77 (1179151) | more than 4 years ago | (#29919369)

ClearView doesn't have to prove that a program is either correct or incorrect. It only has to detect certain types of bugs, and fix them. There is no guarantee your program is correct after running it.

And personally I can't think of any cases where a buffer overflow is part of a correct program...

Re:How about (0)

A nonymous Coward (7548) | more than 4 years ago | (#29919145)

The relevance here?

Well, none to you. But to people who understand Goedel Escher and Bach, your arrogant ignorance is quite the giggle.

Re:How about (1)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#29918897)

Isn't that the one that Bruce Schneier has the general solution to?

...an immortal, invulnerable program... (4, Funny)

John Hasler (414242) | more than 4 years ago | (#29918111)

Has anyone cracked "Hello World" yet?

Re:...an immortal, invulnerable program... (2, Funny)

selven (1556643) | more than 4 years ago | (#29918265)

It's not immortal. You want:

while 1:
        print "Hello World"

Re:...an immortal, invulnerable program... (1)

zapakh (1256518) | more than 4 years ago | (#29918423)

# That's not invulnerable.  Try this:

while 1:
   try:
      while 1:
         print "Hello World"
   except KeyboardInterrupt:
      pass

Re:...an immortal, invulnerable program... (1)

gzipped_tar (1151931) | more than 4 years ago | (#29919739)

Use a bare except, plz.

Re:...an immortal, invulnerable program... (1)

ShakaUVM (157947) | more than 4 years ago | (#29918523)

It's not immortal. You want:

while 1:
                print "Hello World"

Sorry, but I have prior art on a truly immortal and bug-free program:

10 PRINT "HELLO WORLD"
20 GOTO 10

Let me know who I should contact so MIT can send the royalty checks on my software patent to me.

Re:...an immortal, invulnerable program... (1)

dgatwood (11270) | more than 4 years ago | (#29918669)

You forgot

0 REM Block Control-C
1 ONERR GOTO 10

5 REM Control-Reset reboots
6 POKE 1010,0

Re:...an immortal, invulnerable program... (2, Funny)

flaming error (1041742) | more than 4 years ago | (#29918821)

These two posts contain the most robust code I've seen all day. But still,

"A computer's attention span is no longer than it's power cord."

Re:...an immortal, invulnerable program... (2, Funny)

brainboyz (114458) | more than 4 years ago | (#29919123)

import fusiononachip

reference: http://xkcd.com/353/ [xkcd.com]

It's interesting, but software should "expire".. (0)

skgrey (1412883) | more than 4 years ago | (#29918113)

It's a good idea, but here's the issue: software isn't meant to be immortal. It's meant to grow, get better, offer more functionality; imagine if all software stopped growing in Word 1.0 or PrintShop Pro? We'd never have all these great alternatives for office products or Photoshop/Gimp/etc.

This doesn't support innovation and improvement, and that's the cornerstone of technology improvement.

Re:It's interesting, but software should "expire". (4, Funny)

Anonymous Coward | more than 4 years ago | (#29918153)

This doesn't support innovation and improvement, and that's the cornerstone of technology improvement.

Please allow myself to introduce... myself.

Re:It's interesting, but software should "expire". (1)

skgrey (1412883) | more than 4 years ago | (#29918197)

Dammit! Let me fix that..

"This doesn't support innovation and improvement, and that's the cornerstone of technology evolution."

I'm thinking the gist was there at least..

Re:It's interesting, but software should "expire". (0)

Anonymous Coward | more than 4 years ago | (#29918543)

You thought you'd fix your own post by replying to an AC? Good job. Now you can make a third post to fix that!

Re:It's interesting, but software should "expire". (1)

DeadDecoy (877617) | more than 4 years ago | (#29918641)

That's true for some/most cases where we're still exploring how to develop a piece of software around a task. Other pieces of software are well defined and don't really need to be evolved. How many times do you need to recode linked lists until their good enough? I think we're reaching a similar consensus with designing UIs, where some architectural patterns will remain consistent across languages. Like setting up a text box or button. As these pieces become refined or 'immortal' it will free us lowly humans up to work on other problems like fixing that damn vending machine that always clings to my precious snacks.

Source doesn't run (1)

camperdave (969942) | more than 4 years ago | (#29918117)

Of course it can fix a program without the source code. The source code is not the part that runs. Rather it is the executable, which is just a file of bytes. Find/Replace one sequence of bytes with another, and you've changed the program without the source. It's not a big deal. Viruses have been doing this sort of thing for decades.

Re:Source doesn't run (1)

Grishnakh (216268) | more than 4 years ago | (#29918331)

Yes, it sounds like a dumb idea. Sure, you can look for certain simple things in running or compiled code, but you can't debug much more complicated things without access to the source, unless perhaps this checking program were orders of magnitude more complicated than the code it's checking. Why bother, when you can just get the source?

It's like trying to make some kind of "scanner" which can detect faults in a building's design, without even going inside the building, (which obviously would require a lot of technology far more advanced than ours) when it's a lot easier to just get a structural engineer to look at the blueprints.

Re:Source doesn't run (1)

lgw (121541) | more than 4 years ago | (#29918799)

There's a lot of code optimization, for example, that works better with object code (or some platform-independent intermediate code or bytecode) than with source code, by doing template matching. The source code may give hints about the user's intentions, which is useful for some kinds of problem solving. The object code give information about patterns that are common regardless of intention, which is useful for other kinds of problem solving. I've found the latter to be quite useful in debugging difficult problems. For example, you'll never find a compiler bug by just looking at the source code (or more commonly, find that you misunderstood some dark corner of the language spec).

Easy bugs tend to be apparant from the source. Hard bugs tend to require careful inspection of the object. Hmm, I guess there's several ways to paint causation over that correlation.

Misleading Slashdot summary, as usual (2, Informative)

Anonymous Coward | more than 4 years ago | (#29918131)

It checks a bunch of identical machines for a set of know bugs, then applies a bunch of predermined patches until one works.

That's nice, but not what was promised.

Re:Misleading Slashdot summary, as usual (1)

geckipede (1261408) | more than 4 years ago | (#29918275)

It's not really very nice. If the testing of the patched software is purely automated, I wouldn't reckon its chances highly of managing a fix without screwing something else up except in very simple systems or very well coded and sensibly designed systems.

They say this is intended as a method for keeping crap old code going when the original vendors are gone. Odds are, this autopatcher is going to be dealing with stuff the like of which you'd expect to see on thedailywtf.

Re:Misleading Slashdot summary, as usual (1, Informative)

Meshach (578918) | more than 4 years ago | (#29918457)

The program does not really "fix software bugs" at all. What it does is notice if a program starts taking an abnormal code path. The "normality" of a path is based on how the program operates. If a program starts taking an abnormal path then it is terminated.

This is good in preventing an attack or code injection. But as far as bug fixing nothing could be further from the truth. Some developer still needs to look at the assembly generated to identify the bad path taken, find that place in the code, figure out how the program got there, apply a fix, test the fix, then deploy the new application. If anything this is a QA tool for software to avoid attacks.

A valuable tool for exposing bugs. Bug as far as actually improving software I do not see it.

Re:Misleading Slashdot summary, as usual (1)

lgw (121541) | more than 4 years ago | (#29918909)

Well, obviously a valuable tool for finding bugs is a valuable tool for improving software. But perhaps not by itself.

Re:Misleading Slashdot summary, as usual (0)

Meshach (578918) | more than 4 years ago | (#29919121)

Well, obviously a valuable tool for finding bugs is a valuable tool for improving software. But perhaps not by itself.

You are right. This tool does help developers find bugs.

I guess my beef is the claim of the headline that this software will fix bugs and bypass the source code. It does highlight and cut off potential vulnerabilities without accessing the source code. But it does not "fix" anything and may cut off legitimate uses of the software. It just gives you notice and a dirty work around until a real fix can be developed and deployed.

Re:Misleading Slashdot summary, as usual (1, Informative)

Anonymous Coward | more than 4 years ago | (#29919363)

You should re-read the article, and specifically the following passage:

"For seven of the attacking team's approaches, ClearView created patches that corrected the underlying errors. In all cases, it discarded corrections that had negative side effects. On average, ClearView came up with a successful patch within about five minutes of its first exposure to an attack."

So it does indeed fix bugs, contrary to your claim.

Re:Misleading Slashdot summary, as usual (2, Insightful)

lgw (121541) | more than 4 years ago | (#29919611)

But was it a source patch, or a binary patch? A binary patch is at best a dirty work-around, becuase the bug will keep reappearing in subsequent released of the software (perhaps even in needed patches for other issues).

Re:Misleading Slashdot summary, as usual (1, Informative)

Anonymous Coward | more than 4 years ago | (#29919203)

Either you didn't read the article, or you have a massive reading comprehension problem. Clearview actually creates patches to fix problems that it identifies. Note the following passage from the article:

"For seven of the attacking team's approaches, ClearView created patches that corrected the underlying errors. In all cases, it discarded corrections that had negative side effects. On average, ClearView came up with a successful patch within about five minutes of its first exposure to an attack."

2012 (0)

Frosty Piss (770223) | more than 4 years ago | (#29918159)

How long before "it" becomes self-aware? This is the beginning of the end, folks... By 2012 it'll be all over.

Why owuld you need to access the source (1)

geekoid (135745) | more than 4 years ago | (#29918175)

code. I would argue that would be the worst way to do it.

Look at the hex, make changes. The conept is no different then inserting or replacing a JMP to get around software protection.

Re:Why owuld you need to access the source (1)

Miandrital (1029138) | more than 4 years ago | (#29918281)

code. I would argue that would be the worst way to do it.

Look at the hex, make changes. The conept is no different then inserting or replacing a JMP to get around software protection.

But what happens with this program when you want to redistribute the code for a different platform? You wouldn't (easily) be able to convert the binary code back into the original language of the program. Unless im missing something here...

Re:Why owuld you need to access the source (2, Interesting)

stephanruby (542433) | more than 4 years ago | (#29918625)

Look at the hex, make changes. The conept is no different then inserting or replacing a JMP to get around software protection.

Exactly! This software sounds like it might work for getting around non-technical vendor-imposed arbitrary limitations.

If you don't feel like paying for the Standard Edition of SQL Server 2005 anymore, now you won't have to, you can just purchase the slightly crippled Workgroup edition, and have ClearView make sure the database keeps on running after it blows by its self-imposed limits. Don't have legal copies of Windows 7, that's ok. Now your government or your office will have a contingency plan, should Microsoft decide to hit the kill switch on you.

Not that I expect this software to work that well. In my mind, there is no substitute for having a real knowledgeable human being tinkering with an hex editor in the same manner as this software will try to do.

That being said, I expect such software to work very well on contrived prepared examples, and I expect such software will make lots of money even if it doesn't work very well in real life. It's the nature of legacy software used in business. You can usually sell any automated magical half-baked solutions for untold amounts money if the customer comes to you at the same point he thinks he's about to lose everything (and has no idea, or no intention, on getting it fixed the right way in the first place).

If humans did the same..! (4, Funny)

Odinlake (1057938) | more than 4 years ago | (#29918185)

The very first time ClearView encounters an exploit it closes the program and begins analyzing the binary, searching for a patch that could have stopped the error.

Think of how much bullshit would go out of business if people were to do the same thing (i.e. sit down and think it over) when presented with some unusual idea.

Re:If humans did the same..! (1)

Xtravar (725372) | more than 4 years ago | (#29918529)

THIS IS UNNATURAL HERESY!!!!
You've convinced me. We need to destroy this program and replace it with one that makes judgments based on feelings.

Who will police the police? (2, Interesting)

ashanin (1367775) | more than 4 years ago | (#29918187)

Who will fix the bugs in the ClearView program?

DNA? (1)

ShadowXOmega (808299) | more than 4 years ago | (#29918199)

May be isnt immortal and invulnerable, but is pretty near...
- self repairing
- self replicating
- survive large amounts of time with minor changes

clearview (3, Insightful)

wizardforce (1005805) | more than 4 years ago | (#29918219)

If the programs that Clearview is monitering/patching are the target, wouldn't it make sense for an attacker to focus on Clearview first? Perhaps even alter its function to serve the purposes of the attacker instead of the user. Why attack the programs it is patching when you could hit Clearview and gain the ability to hijack everything it is patching?

Re:clearview (5, Funny)

Anonymous Coward | more than 4 years ago | (#29918327)

So run two.

Re:clearview (0)

Anonymous Coward | more than 4 years ago | (#29918503)

But you first have to buy two licenses.

Re:clearview (0)

owlstead (636356) | more than 4 years ago | (#29918703)

Because Clearview was created by a bunch of people that know what they are doing. Because Clearview is likely to be a much smaller target than the monitored software packages. Because Clearview is not directly connected to the web. Because Clearview may not even be easily detectable.

Re:clearview (1)

wizardforce (1005805) | more than 4 years ago | (#29919265)

Because Clearview was created by a bunch of people that know what they are doing.

That is no deterrent. Many programs are made by reasonably intelligent people who "know what they're doing" software is complex, especially for something like this.

Because Clearview is likely to be a much smaller target than the monitored software packages.

Why? Antivirus programs serve a very similar function and yet they are under attack all the time.

Because Clearview is not directly connected to the web.

neither are other programs that have exploitable flaws.

Because Clearview may not even be easily detectable.

You could say the same for other programs. It's naive to believe that Clearview is a magic bullet here, every program has flaws and a flaw in this program could prove disastrous.

Re:clearview (3, Insightful)

BitZtream (692029) | more than 4 years ago | (#29919769)

Really ... they know what they are doing? Then why is it called:

Research

If they knew what they were doing it wouldn't really be research would it.

ALL software has bugs. Adding more software to fix bugs ... introduces more bugs.

This doesn't just apply to software, it applies to just about everything, right down to the atoms that make of the universe from our perspective. As far as we can figure, the universe itself will break down to a state that will no longer support life as we know it. Adding more layers of protection falls under the laws of diminishing returns, software, hardware, bridges, cars, or molecules.

Did they use that tool to develop that tool? (5, Interesting)

140Mandak262Jamuna (970587) | more than 4 years ago | (#29918311)

My friend developed an automatic code quality estimation program for his masters thesis. It will basically find average the number of lines per function, ratio of code to comment, and other such metrics and give a letter grade to the code. The fiendish prof announced that he will run that code through itself. Whatever letter grade it spits out will be his thesis grade. He got a D. He begged and cried and threw a hissy fit and wangled a B and scraped through the degree.

I wonder if we should turn that software loose on itself and see what it finds.

Re:Did they use that tool to develop that tool? (5, Insightful)

Wonko the Sane (25252) | more than 4 years ago | (#29918795)

The fiendish prof announced that he will run that code through itself. Whatever letter grade it spits out will be his thesis grade. He got a D. He begged and cried and threw a hissy fit and wangled a B and scraped through the degree.

Fiendish? What could possibly be more fair and objective than making him eat his own dogfood?

Re:Did they use that tool to develop that tool? (2, Insightful)

mattack2 (1165421) | more than 4 years ago | (#29918885)

"Fiendish" prof? If this is even a true story, it rates a "duhh!" Of course he should have ran his analyzer on his own code..

Re:Did they use that tool to develop that tool? (4, Insightful)

KillerBob (217953) | more than 4 years ago | (#29919079)

Either that or put in an author check that automatically spits out an A+ if it detects that the author of the code was himself....

Masters? (0)

Anonymous Coward | more than 4 years ago | (#29918935)

This type of stuff, like your friend did, has been written since the 1960s. It doesn't really work, unless the input code is written by slackers or idiots.

I'm fairly certain I've seen this type of code written in a few lines of perl.

A programmer with skill will KNOW how to write maintainable, readable, reusable code and simply do it. If fact, when pressured to not follow best practices, I suspect he will call in sick a few days to "help" management come to their senses.

If someone actually earned a masters from this, that graduate program should be laughed out of existence. OR, you are explaining it very well.

thesis grade? (2, Insightful)

pigwiggle (882643) | more than 4 years ago | (#29919589)

Hmmm. Sounds like some CS urban legend. Never heard - not once - of a "thesis grade". Pass, no-pass, conditional pass. I didn't receive a grade myself. Just a diploma. Be great for those kind of folks that put GPA's on their CV, though.

Re:Did they use that tool to develop that tool? (1)

goodmanj (234846) | more than 4 years ago | (#29919747)

Great story, but [Citation needed].

Obviously Linux developers aren't human ;-) (2, Interesting)

Zero__Kelvin (151819) | more than 4 years ago | (#29918313)

"When a potentially harmful vulnerability is discovered in a piece of software, it takes nearly a month on average for human engineers to come up with a fix and to push the fix out to affected systems, according to a report issued by security company Symantec in 2006."

This is absolutely correct, so long as one assumes that Windows systems are the only systems, and Linux developers aren't human.

Re:Obviously Linux developers aren't human ;-) (0)

Anonymous Coward | more than 4 years ago | (#29918571)

This is absolutely correct, so long as one assumes that Windows systems are the only systems, and Linux developers aren't human.

If we assume windows systems are the only ones, Linux doesn't enter in the equation, so Linux developers don't need to not be human for the assumption that windows systems are the only ones.

Did you get it?

Microsoft will never buy it (-1, Redundant)

Zero__Kelvin (151819) | more than 4 years ago | (#29918349)

"If additional rules are violated, or if a patch causes the system to crash, ClearView rejects it and tries another. "

So Microsoft won't be using it then ...

Re:Microsoft will never buy it (1, Funny)

Anonymous Coward | more than 4 years ago | (#29918677)

"If additional rules are violated, or if a patch causes the system to crash, ClearView rejects it and tries another. "

So Microsoft won't be using it then ...

More like...
(user to IT): When I left last night, I had Word open in Windows on this PC... when I came back this morning, the document open in GVim in Linux!

DMCA? (0, Offtopic)

happyslayer (750738) | more than 4 years ago | (#29918373)

So how long before someone uses this to "patch" DRM and/or Windows Genuine Advantage? They interfere with my computer's functions, cause software/systems to fail out of nowhere, and are an unwanted inclusion in many programs. Yep--sounds like bugs to me!

Which means it won't be long before patches are available. Cue the angry horde of DMCA attorneys....

Re:DMCA? (1)

happyslayer (750738) | more than 4 years ago | (#29919327)

Ouch! The dreaded "Offtopic" moderation...perhaps I should elaborate:

Others have already pointed out the "blackhats just got a new weapon" scenario, so I thought another possible (mis)use would be to patch software to which we do not have the source code.

  • Commonly used software w/o source code? Windows and DRM systems. Check.
  • Commonly used systems that inhibit user's systems? WGA and DRM. Check.
  • Software that rewrites/patches binaries without source? Clearwater. Check.
  • Obvious non-software response by corporations whose systems are getting hacked? DMCA letters...either to the Clearwater developers or anyone who distributes such a patch.

Just my inflation-adjusted 2 cents...

Yeah right... (0)

Anonymous Coward | more than 4 years ago | (#29918387)

"Keeping the system going at all costs does seem to have merit," adds David Pearce, a senior lecturer in computer science at Victoria University in Wellington, New Zealand.

At all costs? What sort of systems does he imagine this would be useful for? Flight control computers? Industrial robots? Nuclear reactor control systems? Radiation therapy machines?

Or just systems where people's lives aren't potentially in jeopardy when "Keeping the system going at all costs" results in the system going haywire? When certain systems have something go wrong and end up in an unanticipated state, the thing you want to do is reset them to a known state, not just keep them going in hopes the software can get things under control.

Fuck3r (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#29918401)

you can. When the distr1butions Crrek, abysmal

No Silver Bullet (2, Insightful)

gweihir (88907) | more than 4 years ago | (#29918487)

There has been no silver bullet in Software Engineering, not for attacker and not for defenders. I highly doubt this is one. From the article, I gather that this is actually some kind of macro Design by Contract based self-fixer. This means it is at best just as good as the people writing the contracts. It will however fail for more complex contracts, which are needed frequently in practice, unless it can get over all sorts of theoretical and practical limitations. And it will make behavior non-predictable, since your software could be patched at any time.

I would say this is a pretty bad idea, both from a security point of view and from a data-integrity and software reliability point of view.

Re:No Silver Bullet (2, Informative)

Yold (473518) | more than 4 years ago | (#29918559)

I'd also point out, that from an Automata Theory standpoint, "The task of software verification is not solvable by a computer" (MIT's own Sipser).

Re:No Silver Bullet (2)

cameigons (1617181) | more than 4 years ago | (#29918867)

Yeah, their headlines are pure sensationalism. And if I'm not mistaken what your saying is actually demonstrable.

Re:No Silver Bullet (1)

FlyingBishop (1293238) | more than 4 years ago | (#29918659)

Unless they've solved strong AI and plan to just sit in and have the AI write perfect software for them so they can rake in the licensing fees until someone else figures it out.

Sensationalism ruined it for me (4, Insightful)

billcopc (196330) | more than 4 years ago | (#29918493)

When a potentially harmful vulnerability is discovered in a piece of software, it takes nearly a month on average for human engineers to come up with a fix and to push the fix out to affected systems

Yes. It takes us 5 seconds to an hour to actually come up with the fix, the remainder of the month is spent in bureaucratic hell - sitting in a trouble ticket queue, sitting in a verification queue, sitting in a QA manager's inbox, sitting with the communications team.

Clearview, if it does what it says on the tin, only addresses the 5 second problem. Any "sane" dev shop would still run the resultant patch through the many cogs and loops of modern software management. You won't get your hole patched any quicker, you'll just have shifted the coders' attention away from your own app's bugs, and onto Clearview's bugs. Net gain: less than zero.

Theoretically and conceptually, it's an interesting tool (you know, like Intercal). It just doesn't really fit in the industry, IMHO.

Re:Sensationalism ruined it for me (1)

starrsoft (745524) | more than 4 years ago | (#29919147)

Yes. It takes us 5 seconds to an hour to actually come up with the fix, the remainder of the month is spent in bureaucratic hell - sitting in a trouble ticket queue, sitting in a verification queue, sitting in a QA manager's inbox, sitting with the communications team. Clearview, if it does what it says on the tin, only addresses the 5 second problem. Any "sane" dev shop would still run the resultant patch through the many cogs and loops of modern software management. You won't get your hole patched any quicker, you'll just have shifted the coders' attention away from your own app's bugs, and onto Clearview's bugs. Net gain: less than zero. Theoretically and conceptually, it's an interesting tool (you know, like Intercal). It just doesn't really fit in the industry, IMHO. [emphasis added]

You're missing the point. This isn't aimed at developers, it's aimed at end users.

Good idea... (1)

Thelasko (1196535) | more than 4 years ago | (#29918533)

terrible name. Come on ClearView is the best you could come up with?

Next step: CPUs that do this (0)

Anonymous Coward | more than 4 years ago | (#29918561)

I want my CPU to say, "oh, these are the instructions you meant to execute..."

(Granted, I'd bet there are optimizations present in CPUs that do this today, but they're not supposed to introduce changes in behavior.)

Uh oh... (1)

Taur0 (1634625) | more than 4 years ago | (#29918653)

How long before it decides that human existence is a bug?

Re:Uh oh... (1)

garompeta (1068578) | more than 4 years ago | (#29919279)

human miseries are not bugs, but features.

sensasionalists ? (4, Informative)

cameigons (1617181) | more than 4 years ago | (#29918749)

I'm sick of the stupid headlines I've been reading about the so called projects of MIT students lately... I mean, clearly an 'immortal invulnerable program' is impossible at least for practical purposes by definition(they're dependent on the underlying OS, on other softwares and last but not least on the hardware integrity). Other recent headlines about their CS students claiming to be able to tell who's gay based on their facebook friends.... pff omg, when did it all get so preposterous. Why aren't they more honest about the reach of their ambitions. If you take these teachers words to the letter it seems like they don't know what's theoretically sound and what isn't...

This is complete junk (0)

Anonymous Coward | more than 4 years ago | (#29919003)

This is completely useless for any real application and for any complicated bugs. I've dealt with this for many many years. It sounds good in theory, but it simply doesn't work in the real world.

Wondering if it can be gamed (1)

shoor (33382) | more than 4 years ago | (#29919117)

First of all, if you have a binary image of a program in some read only place, you could just compare to the running/working image to see if it were compromised and reload the original if it were. Admittedly, that can be a lot of work and ClearView might be more efficient. But, if it's just checking the behavior of the program, what's to keep hackers from getting their own copies of ClearView and figuring out how to game it, just like any other detection software. That is, making hacked programs perform so that they seem to be well behaved. Of course, if the idea is to turn the compromised software into a bot that is continuously spewing stuff out through the ethernet port, that might be hard to hide. But would you need ClearView to check that?

Be skeptical (2, Interesting)

Anonymous Coward | more than 4 years ago | (#29919227)

Martin Rinard is a talented man with the largest ego in academia. Of course he is "unabashed"; he's never been "abashed" for a moment in his life. Every research project Rinard has completed has been the one he claimed would scoop and shut down all other computer scientists' efforts. Take any claims he makes with a big grain of salt. It's not that he's a fraud, it's just that history shows he isn't nearly as godlike as he thinks or claims to be.

Posted anonymously because I don't need Rinard as an enemy.

Ridiculous! (1)

Ancient_Hacker (751168) | more than 4 years ago | (#29919237)

What a bunch of crapola.

Finding and fixing bugs, as any programmer knows, is anything but a simple and mechanical procedure.

About all ClearView can do is go "Oh, the stack has been bashed, let's NOP out the call to this code"

Compare this to the amount of work to find and fix an off-by-one error or an unset pointer.

There is no comparison.

Re:Ridiculous! (1)

DarkOx (621550) | more than 4 years ago | (#29919687)

I can image clearview being able to fix some of those problems.

Oh the "stacks been smashed" -> let me I usually see a code that looks like a pointer dereference called and then a fetch of between 5 and 67 bytes
->This time it was 643 bytes!
->I will just stick a jump in there and save off the stack and write some code to copy not more than 67 bytes which from past experience is safe from location A to location B and then put the stack back and set the program counter to the address after the jump I inserted.

Now this certainly may change the actually function of the application but possibly not in a way the users will notice or care about!

oh, I've seen this before somewhere (1)

roman_mir (125474) | more than 4 years ago | (#29919273)

From TFA:

When something goes wrong, ClearView detects the anomaly and identifies the rules that have been violated. It then comes up with several potential patches designed to force the software to follow the violated rules. (The patches are applied directly to the binary, bypassing the source code.) ClearView analyzes these possibilities to decide which are most likely to work, then installs the top candidates and tests their effectiveness. If additional rules are violated, or if a patch causes the system to crash, ClearView rejects it and tries another.

reminded me of another ingenious software application:

Your life is the sum of a remainder of an unbalanced equation inherent to the programming of the matrix. You are the eventuality of an anomaly, which despite my sincerest efforts I have been unable to eliminate from what is otherwise a harmony of mathematical precision. While it remains a burden to sedulously avoid it, it is not unexpected, and thus not beyond a measure of control. Which has led you, inexorably, here. ...
The first matrix I designed was quite
naturally perfect, it was a work of art, flawless,
sublime. A triumph equaled only by its monumental
failure. ...
she stumbled upon a solution whereby nearly 99.9% of all test subjects accepted the program, as long as they were given a choice, even if they were only aware of the choice at a near unconscious level. While this answer functioned, it was obviously fundamentally flawed, thus creating the otherwise contradictory systemic anomaly, that if left unchecked might threaten the system itself. Ergo, those that refused the program, while a minority, if unchecked, would constitute an escalating probability of disaster.

So, the solution to any program failure is creation of Zion, (the rest of the idea here is left to the imagination of the reader.)

Virus Scanner (1)

allcoolnameswheretak (1102727) | more than 4 years ago | (#29919287)

Sounds just like the way your everyday virus scanner works.

Martin Rinard a prof? (1)

McNihil (612243) | more than 4 years ago | (#29919317)

http://en.wikipedia.org/wiki/Rice's_theorem [wikipedia.org]

Can I get my star now?

People this is what we get when people grow up with Windows.

Well... (0)

Anonymous Coward | more than 4 years ago | (#29919381)

Isn't this already done with the "Hello World" program?

But seriously all software depends on hardware, you would really amaze me if you had a contiguous area of current that kept on fixing itself

No good. (0)

Anonymous Coward | more than 4 years ago | (#29919627)

It rates far too high on the thisAlgorithmBecomingSkynet [xkcd.com] index.

Yea, cause this hasn't been tried before ... (1)

BitZtream (692029) | more than 4 years ago | (#29919681)

Seriously, why the hell is this news on slashdot?

This certainly isn't a new idea, and it'll meet the same fate as existing ideas, a quick death as someone figures out how to use it to cause more damage than good.

How does it know the difference between intentional and accidental? It doesn't. This is why compilers can't fix programmer bugs, they can at best warn or error on them. The compiler really is the most likely part of the process to find and fix any bugs that can be automagically found in a closed system.

'find a potential patch' ?

I have that, its the 'Check for updates' button.

Yes I realize that its trying to detect runtime errors and correct those, but anyone with half a clue about CS knows multiple reasons why this simply doesn't work. The first and foremost reason being that it will take something intentional, classify it as a bug and 'fix' it. In effect breaking it. The only way to fix this is to keep a big exception list that constantly needs updated ... which will also have bugs. Rinse, repeat for the rest of eternity.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>