
DARPA Makes Finding Software Flaws Fun

Soulskill posted about 9 months ago | from the zynga-racing-to-copy dept.

Bug 46

alphadogg writes "The U.S. Department of Defense may have found a new way to scan millions of lines of software code for vulnerabilities: by turning the practice into a set of video games and puzzles and having volunteers do the work. Having gamers identify potentially problematic chunks of code could help lower the work load of trained vulnerability analysts by 'an order of magnitude or more,' said John Murray, a program director in SRI International's computer science laboratory who helped create one of the games, called Xylem. DARPA has set up a site, called Verigames, that offers five free games that can be played online or, in Xylem's case, on an Apple iPad."


46 comments


Fun bugs (2)

K. S. Kyosuke (729550) | about 9 months ago | (#45628253)

Yeah, but when I exploit a buggy drone and fly it into your own units, the same DoD says "that's not funny". ;/ Make up your minds already!

The real game is finding bugs on their site... (5, Funny)

Anonymous Coward | about 9 months ago | (#45628367)

Welcome null null ( Logout )

psDOOM anyone? (3, Informative)

netpatriot (3456831) | about 9 months ago | (#45628377)

Not such a new idea: Doom as an Interface for Process Management: http://www.cs.unm.edu/~dlchao/flake/doom/chi/chi.html [unm.edu]

Re:psDOOM anyone? (1)

ColdWetDog (752185) | about 9 months ago | (#45628447)

Or the method of monitoring the exits of airports in Neal Stephenson's REAMDE [amazon.com].

finding bugs isn't the boring part (0)

Anonymous Coward | about 9 months ago | (#45628389)

I'd find it more fun if I didn't typically have to fix the bugs or workaround the bugs or have to live with the bugs...

Greetings, Professor Falken (3, Funny)

MonkeyDancer (797523) | about 9 months ago | (#45628397)

I'm disappointed they do not have the game 'Global Thermonuclear War'.

Re: Greetings, Professor Falken (2)

runeghost (2509522) | about 9 months ago | (#45628511)

Oh, they have it. They're just very selective about who gets to play, or even sit at the table.

Re: Greetings, Professor Falken (5, Funny)

davester666 (731373) | about 9 months ago | (#45628607)

you have to find the user name on your own, but the password is '00000000'

Finding bugs is ALWAYS fun! (3, Insightful)

tlambert (566799) | about 9 months ago | (#45628559)

Finding bugs is ALWAYS fun!

What's even more fun is that Tesla Roadster you were able to buy by selling the bugs you find to intelligence agencies, rather than reporting them to the vendor and being sued under the DMCA for reverse engineering their product.

Not so fast, Buster! (0)

Anonymous Coward | about 9 months ago | (#45628837)

Finding bugs is ALWAYS fun!

Finding bugs in someone else's code may be great fun, but last time I checked, finding late bugs in your own code just sucks, sucks, sucks ... and SUCKS!

Oh, did I already mention it sucks? Great, I thought I had forgotten to pass the message loud and clear: IT SUCKS!

Re:Not so fast, Buster! (0)

Anonymous Coward | about 9 months ago | (#45629159)

Not finding bugs however sucks even more.

Breaking: DARPA under DDOS attack (0)

Anonymous Coward | about 9 months ago | (#45628569)

500 Internal Server Error
nginx/1.4.1

Does nginx suffer from poor scalability? (0)

Anonymous Coward | about 9 months ago | (#45628639)

I don't know much about nginx, but any time I hear about it it's usually because of an error message like that.

Even though it isn't used nearly as much as Apache is, I must see an nginx error page like that at least two or three times a month. I can't say the same for Apache, or IIS, or Lighttpd, or any other major web server these days.

Does nginx just suffer from really bad scalability under any sort of significant load? Is poor scalability and load tolerance the reason why it starts giving 500 Internal Server Error responses and error pages like that so commonly?

Re:Does nginx suffer from poor scalability? (0, Insightful)

Anonymous Coward | about 9 months ago | (#45628817)

Are you kidding me? Nginx is the second most used web-server. You might see more nginx errors because it's used more than practically everything else.

Nginx outperforms pretty much all other servers. As usual the errors are a result of poor admin skills.

You don't know what you're talking about. (0)

Anonymous Coward | about 9 months ago | (#45628891)

Everybody, please disregard what that idiot says in comment #45628817.

nginx is NOT the "second most used web-server". For crying out loud, son, EVEN NETCRAFT CONFIRMS YOU'RE WRONG! Just look at their December 2013 web server survey results [netcraft.com]. It is just barely in third place, well, well below Apache, and even well below IIS. nginx isn't even seeing the growth it used to have, and has in fact even been losing marketshare now and then over the past year.

Being wrong on a basic fact like that means you're even more wrong on all of your other claims. Even though nginx's use is a small fraction of Apache's or IIS's, we essentially NEVER see errors like this from them. But we see it ALL THE TIME when it comes to nginx.

There isn't something magical about Apache or IIS admins. In fact, there's a much greater proportion of them who are bad as compared to nginx admins, given how much more Apache is used than nginx. So we should be seeing many more errors when using sites served by Apache and IIS, according to your misguided and wrong-headed logic. YET WE DON'T!

Currently, 44% of web servers are running Apache. 24% are running IIS. Only 14% are running nginx. There are THREE TIMES AS MANY websites using Apache as there are using nginx. No matter how you try to spin it, we don't see three times as many errors from sites running Apache. We see completely the opposite! We see one or no sites giving errors when using Apache, in the same time period that we've seen five or maybe even ten instances of those errors from sites running on nginx.

You're going to need to try again if you want to try to convince us that nginx isn't at fault somehow. All of the evidence is not in its favor.

Why is that 3, Insightful? (0)

Anonymous Coward | about 9 months ago | (#45629913)

Why is that +3, Insightful? nginx is a great web server, but it is not the second most-used web server. Apache and IIS are clearly the top two. nginx isn't anywhere near even IIS, which isn't anywhere near Apache.

Re:Why is that 3, Insightful? (0)

Anonymous Coward | about 9 months ago | (#45631979)

OP probably wanted to forget that there are retards using Windows as a server platform.
Whenever there is a problem, Nginx shows you 500 errors, IIS shows you a remote desktop with regedit.exe on.

Re:Does nginx suffer from poor scalability? (1)

foobar bazbot (3352433) | about 9 months ago | (#45630805)

I don't know much about nginx, but any time I hear about it it's usually because of an error message like that.

Even though it isn't used nearly as much as Apache is, I must see an nginx error page like that at least two or three times a month. I can't say the same for Apache, or IIS, or Lighttpd, or any other major web server these days.

This means the opposite of what you seem to think.

Does nginx just suffer from really bad scalability under any sort of significant load? Is poor scalability and load tolerance the reason why it starts giving 500 Internal Server Error responses and error pages like that so commonly?

Short answer: No.

Nginx is very commonly used as a reverse proxy [wikipedia.org] (for caching, encryption, load balancing, etc.) in front of another web server (might be another nginx instance, but it's commonly some other, more popular web server, nudge-nudge-wink-say-no-more). When the proxied web server doesn't respond in time, the proxying nginx returns a "500 Internal Server Error". While this isn't the only reason for a 500, it's by far the most common one from nginx.

So when you see that error, it doesn't mean the nginx instance that gives you the error fell over, it almost always means that nginx instance is doing fine, but some other web server (which could also be nginx, but is most likely not nginx) fell over.

Re:Breaking: DARPA under DDOS attack (0, Troll)

Anonymous Coward | about 9 months ago | (#45628643)

1.4.1? As in, still vulnerable to CVE-2013-4547? Now that's ironic.

Seriously, this whole thing stinks. Think about it for a moment. What is this programme FOR?

That's right. Now, why would we work for free for the internet's greatest enemy, the Nation State Adversary? We don't just want to find software flaws, we want to FIX them. They want to find them so they can not fix them, but instead keep them secret and try to turn them into weapons, leaving everybody vulnerable.

They're black-hats. So I'm sorry, but fuck DARPA and the horse they rode in on. Yes, I know their legacy, and history, and that the internet would not even have existed were it not for them - but this is the poison the NSA's actions have left behind; this is the trust they have burned; the integrity they might never reclaim. The NSA have by their past and continued actions and intent profoundly and almost irrevocably damaged the national security and economic interests of the United States of America. So don't start waving this shit around like it's a fun little videogame when you're helping them fuzz for bugs they're going to use to spy on everyone. I'm insulted.

How does it work? (1)

sideslash (1865434) | about 9 months ago | (#45628949)

I actually clicked the link and read the brief writeup. Too lazy to go further, and hoping somebody can tell me this:

How can you make a game out of this? It seems to me that if the game can tell when the user wins/loses, then there's no reason to create the game at all -- just make the win/lose logic do the error checking directly. So what's the point of the game?

Or is it the case that their games are not able to tell you when you win or lose, and the player has to determine that himself or herself? That would make sense to me, but seems like it would be really hard to make "fun" for the masses.

Re:How does it work? (3, Interesting)

Lewisham (239493) | about 9 months ago | (#45629693)

I worked on Xylem when I was a grad student at UCSC. I was not on the team when it launched, so my info may be out of date.

What players are being asked to do is find loop invariants for code. The invariants are hard for a computer to come up with (and be useful), but are easier to check given certain bounds. So there is no predetermined win state, each answer is checked server-side to see if it holds up within the bounds (or, if the answer is already known, the cache hit is returned). If the invariant is complex and holds, it gets scored highly. If it's trivial and holds, it gets a lower score. If it doesn't hold, the instance where it doesn't hold is returned to the player.

Does this help?
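The checking scheme described in the post above, as an added illustration that is not Xylem's own code: a candidate loop invariant is tested inductively within bounds, a failing candidate gets back the state from which one loop step breaks it, and a holding candidate is scored by how restrictive it is. The loop, the bounds, the candidate invariants and the scoring rule are all constructed for this example.

```python
"""Bounded loop-invariant checking (constructed example, not project code).

Loop under analysis, over program variables n, i, s:

    i, s = 0, 0
    while i < n:
        s += i
        i += 1

A player proposes an invariant over (n, i, s). The checker does not know
the answer in advance: it tests the candidate within bounds and, when it
breaks, returns the state from which one loop step violates it.
"""
from itertools import product

N_MAX = 8                # bound on the loop parameter n (assumption)
S_BOUND = N_MAX * N_MAX  # bound on |s| explored by the checker (assumption)


def guard(n, i, s):
    return i < n


def body(n, i, s):
    """One iteration of the loop."""
    return n, i + 1, s + i


def postcondition(n, i, s):
    """What we ultimately want to know once the loop exits."""
    return s == n * (n - 1) // 2


def bounded_states():
    """Every state the checker examines: n, i and s are all bounded."""
    return product(range(N_MAX + 1), range(N_MAX + 1),
                   range(-S_BOUND, S_BOUND + 1))


def check_invariant(inv):
    """Inductive check within bounds.

    Returns (True, None) when the candidate holds in every initial state
    (n, 0, 0) and is preserved by one loop step from every in-bounds state
    that satisfies both it and the guard. Otherwise returns (False, state)
    with the first state that breaks it, which is what the player sees.
    """
    for n in range(N_MAX + 1):
        if not inv(n, 0, 0):
            return False, (n, 0, 0)  # initiation fails
    for state in bounded_states():
        if inv(*state) and guard(*state) and not inv(*body(*state)):
            return False, state      # preservation fails from this state
    return True, None


def proves_postcondition(inv):
    """A holding invariant is only useful if, with the guard false,
    it forces the postcondition."""
    return all(postcondition(*st) for st in bounded_states()
               if inv(*st) and not guard(*st))


def score(inv):
    """Score a holding invariant by the in-bounds states it rules out:
    the trivial invariant `True` excludes nothing and scores 0."""
    holds, _ = check_invariant(inv)
    if not holds:
        return 0
    return sum(1 for st in bounded_states() if not inv(*st))


# Candidate answers a player might submit (constructed).
TRIVIAL = lambda n, i, s: True
WRONG = lambda n, i, s: s == i * i
WEAK = lambda n, i, s: s == i * (i - 1) // 2       # holds, but too weak
STRONG = lambda n, i, s: i <= n and s == i * (i - 1) // 2

if __name__ == "__main__":
    for name, inv in [("trivial", TRIVIAL), ("wrong", WRONG),
                      ("weak", WEAK), ("strong", STRONG)]:
        holds, cex = check_invariant(inv)
        print(name, "holds" if holds else f"fails from state {cex}",
              "score", score(inv), "useful", holds and proves_postcondition(inv))
```

The WEAK candidate is the interesting case: it survives the inductive check but, without `i <= n`, cannot pin down `s` when the loop exits, so it scores lower than STRONG and does not prove the postcondition.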

Re:How does it work? (1)

drinkypoo (153816) | about 9 months ago | (#45630117)

Does this help?

It doesn't help explain how it might be fun for the masses... I would just try playing it, but uh nope. Not for the government. Maybe I'd have played it just hosted at UCSC, running against some useful-to-me code.

Re:How does it work? (3, Insightful)

Lewisham (239493) | about 9 months ago | (#45630145)

DARPA funded the project, and DARPA fund lots of projects. I think a debate about whether DARPA is good or bad is pretty out-of-scope for this particular work: we made a game that might show how software verification could be crowdsourced.

The games do try to be fun, that's why none of them are "look at this loop and write an invariant". Xylem dresses up the problem statement as logic puzzles that surround the growth of exotic plants. I don't have an iPad to play the final version of Xylem on, but we tried hard to come up with a compelling game.

I don't believe the expected player base really cares about whether the project was funded by DARPA or not. I understand if you don't, but I think you would also have to stop using the Internet if you have such an issue with DARPA funded projects :)

Re:How does it work? (1)

neminem (561346) | about 9 months ago | (#45645575)

Perhaps you haven't taken an algorithms class, or you've forgotten it, but go look up NP-Complete problems (you've probably heard of them). I'm not an expert, and also lazy, so I have no idea whether these problems are NP-Complete or not, and I'm sure there are other similar classes of problems that aren't NP-Complete, too. Anyway, the idea is, there are large numbers of computational problems that are astronomically difficult to find solutions to an instance of, but given a potential solution to an instance, it's easy to determine whether the solution is valid. Presumably the problems modeled by these games are among such. You make a move, it checks whether it's a winning one. It doesn't have to check *every* move, only the one you just made.

Re:How does it work? (1)

sideslash (1865434) | about 9 months ago | (#45646819)

Well, OK, but actually it turns out that computers are really well suited to finding "good enough" solutions to NP-Complete problems such as traveling salesman and real world equivalents like optimized circuit printing. So to my mind you still haven't described a situation where crowdsourcing with wetware can improve on a targeted silicon approach.

Doesn't work (0)

Anonymous Coward | about 9 months ago | (#45628957)

I tried two of the games and they didn't work. I use Firefox without Adobe Flash or Oracle Java on Linux.

Re:Doesn't work (1)

eyenot (102141) | about 9 months ago | (#45630307)

The games rely on varying layers of compromised or compromisable browser attachments and plugins. If you are concerned about your system security, then they definitely aren't the games for you. Requirements range from Adobe Flash to Unity Engine.

Hacker games written for Flash and Unity 3D (0)

Anonymous Coward | about 9 months ago | (#45628967)

I find it funny. (I didn't play any of the games because my computer doesn't have either)

Nothing Fun At All (0)

Anonymous Coward | about 9 months ago | (#45628977)

If you've tried playing any of those "games" then you'd know they are not fun at all. Just a big fail.

Re:Nothing Fun At All (3, Insightful)

J Story (30227) | about 9 months ago | (#45629569)

If you've tried playing any of those "games" then you'd know they are not fun at all. Just a big fail.

I agree that the one "game" I played didn't keep me enthralled once the novelty wore off, but it seems to me that there is the *seed* of something that could be fun, for given definitions of "fun". For example, suppose that these games were games-within-a-game, which one could play to win points or "gold" to use in the larger game. Consider it a form of grinding.

Broken: it's dependent on some proprietary plug-in (0)

Anonymous Coward | about 9 months ago | (#45629001)

I'm amazed that companies are still developing these plug-ins. NOBODY WANTS YOUR DAMN PLUG-IN!

We need a campaign against proprietary OS exclusive plug-ins.

Single page version of the article (2)

Fnord666 (889225) | about 9 months ago | (#45629095)

Here's a link [networkworld.com] to a single page version of the article.

It's already been done, on TV... (0)

Anonymous Coward | about 9 months ago | (#45629105)

Stargate: Universe

Well ....... excellent idea for Linux Kernel (0)

Anonymous Coward | about 9 months ago | (#45629119)

Well ....... now you have an excellent idea for the open source community: build a game to search for bugs in the Linux kernel. Why not?
The idea is not new though. It has been used in research; I remember reading about a protein folding game on /. before.

Re:Well ....... excellent idea for Linux Kernel (2)

AndrewBuck (1120597) | about 9 months ago | (#45634249)

The game you are referring to is Foldit. http://fold.it/portal/ [fold.it] I played it a bit back when it came out and it was an interesting game. It has even been used to find some protein folding solutions that had previously stumped the existing tools used to look for solutions. It doesn't beat the traditional science in every instance (or probably even that many) but having an extra tool in the toolbox never hurts, especially when it is a tool that can be used by thousands of players with time to kill instead of a handful of highly trained specialists with very limited time.

I think this is a really interesting idea. A poster above who was a grad student who worked on an earlier version of this game pointed out that the goal of these was to find loop invariants in the software (basically a proof by induction that a loop does what you think it does).

With the recent revelations about the NSA backdooring common encryption code I have wanted people to work on something like this to try to 'prove' various software does what it says on the box (PGP, linux kernel, tor, etc). I am glad to hear that there is research being done in this area and hope it succeeds and gets applied to some of the important open source software in use today. Let the unwashed masses do most of the grunt work proving the simple bits like loop invariants and use that to free up the specialist developers to look at the rest of the program.

-AndrewBuck

It's decent (3, Funny)

eyenot (102141) | about 9 months ago | (#45629269)

These puzzles are definitely interesting. I had a chance to get on and play the preliminaries of the pipe game about two hours ago from a college terminal. I get home to continue my "work" and the site is 505'd. I'm guessing it may have been simply slashdotted. If that's the case, then I've lost a bit of confidence in the project.

It sort of reminds me of that scene in "Sneakers" when the guys roll by to get the box back from the "NSA", and the building is being torn down. Which raises the question, if I can imagine using a site to quickly test a population sample's IQ and then to run like heck with the results, then is there a feasible reason to do so?

Sure (1)

PopeRatzo (965947) | about 9 months ago | (#45629467)

Next they're gonna make a game out of finding out who's going to those demonstrations and protests.

That one will be a blast. I'm sure there are lots of techies who will gladly play that game.

Or maybe a game where you get to control a mech and use a nerve agent on the protesters.

Re:Sure (1)

Anonymous Coward | about 9 months ago | (#45629591)

Maybe for background music they can get it to play "Kill the Boer".

fixing or exploiting? (0)

Anonymous Coward | about 9 months ago | (#45629537)

I read the summary and I had no idea whether this was for fixing or exploiting bugs.

assange was right o.O (0, Informative)

Anonymous Coward | about 9 months ago | (#45629609)

When I read that Manning and Assange were talking about a conspiracy by the U.S. government to use video gamers to help do free work I didn't believe it.

http://arstechnica.com/tech-policy/2013/12/army-releases-2010-chat-log-between-manning-and-assange/

(2010-03-10 06:06:06) pressassociation: It's as old as lipstick and the guitar of course, but mmorpg are evil in a whole new way
(2010-03-10 06:06:39) dawgnetwork: voluntary matrix-style society?
(2010-03-10 06:06:46) pressassociation: yes
(2010-03-10 06:07:08) dawgnetwork: hmm
(2010-03-10 06:07:25) pressassociation: might be ok in the end
(2010-03-10 06:07:53) pressassociation: mmorpg's that have long term users are incentivised to keep them profitable
(2010-03-10 06:08:59) pressassociation: but I imagine they'll merge into hybrid revenue modes, where cognitive tasks and free labor are done using sense deception incentives
(2010-03-10 06:09:48) dawgnetwork: like the “video games:” from toys?
(2010-03-10 06:10:12) pressassociation: haven't seen that
(2010-03-10 06:10:34) pressassociation: but it sure isn't a decade to be a gullible idiot :)

Government websites (1)

Gary Perkins (1518751) | about 9 months ago | (#45629651)

When is the government going to learn to fully test their sites before going public? I heard the user side of healthcare.gov is operational, so I went to check it out this morning. I create an account, get sent a verification email. I open the email using SeaMonkey's email client, and it's blank. I look at the raw source of the email, and the message content has a "Base64 decode error". Nowhere on the site is an option to resend, only a phone number to call (f*ck that). On a hunch, I do something I shouldn't be able to do, and create a second account with the same email address. It works (?!), and I receive a second email...with the same issue. Anyhow... I bring it up, because I go to check out this hot new site, and it's down with an internal server error. LOL

Re:Government websites (1)

Gary Perkins (1518751) | about 9 months ago | (#45629667)

Oh yeah, I also cut and pasted the verification link from the borked email (how many users would think to look at the raw source?), and healthcare.gov refused to verify using their own code they sent. WTF?

For the love of god (0)

Anonymous Coward | about 9 months ago | (#45629735)

Please tell me this is not another pay-2-win game.

OldSpeak translation (1)

ops2048 (3002301) | about 9 months ago | (#45630155)

Translation - The NSA needs to find better ways to find more vulnerabilities so that they can compromise more targets more quickly. Idiots deserve to lose their freedom.

It's crap. Don't give them any of your free time. (1)

eyenot (102141) | about 9 months ago | (#45630245)

I gave it a thorough testing today. Granted, it's still all in BETA stage. But I'm not griping about the stupid bugs.

The whole thing sucks. The five different games are basically five different kinds of problems. There's organic chemistry, atomic chemistry, programming logic, and I didn't play the other two games but they appear to be shrouded versions of real life n-body or other computational problems.

So here's the deal. This shit takes a long time. These games get very complex very quickly. I can see myself playing one game a day, maybe an hour at it. The programming logic game works for that: it doesn't take an hour to solve their largest BETA puzzles. By the way, they don't have real actual DARPA programming troubles being made into puzzles just yet. The puzzles there are static and are meant to test the system and see what user feedback is generated.

But then you go into the folding prion game, and it sucks. The tutorial is incomplete and it's a total side-swipe at Scientology. Why the fuck would you actively seek to alienate Scientologists from your defense industry website? That's stupid as hell. They shouldn't be trying to offend anybody, period, let alone Scientologists.

And the folding prion problem has to run some kind of simulation or something in the background when you choose to eliminate molecular pathways (in the guise of more or less Dianetic engrams). And the wait times can be several minutes. And the combinations of splitting molecular bonds and removing molecular pathways quickly arrives at exponentially large numbers. And you apparently have to get them done in the right order. So you could, yes, spend two hours at one problem and not arrive at a solution. How the hell is that a game?

Furthermore, the time you just spent and/or wasted on the "game" was shrouded in the mysteries of some stupid, silicon-valley wank mythology that was made up from the seat of their ass. So you don't learn anything factual about things like prion folding or variable bit widths or stack leaks or whatever. No, you just learn some made-up Californian crap about "the storms that devastated Aeryth" or "Gee these plugs and gizmos aren't hooking together correctly, get the thingamabobbers all the same color for the point!"

So what are you doing? Wasting your time ten-fold. Don't do it. Fuck these people. It seems like a good premise but they obviously handed the work off to the entirely wrong group of people.

The only people this will be interesting to are disabled children who have real difficulties socializing out of doors and who spend inordinate amounts of time chair-bound in front of the computer, or autistic people, or absolute 100% genuine geeks who are totally oblivious to things like the value of time well spent or what the meaning of "quixotic" is.
