Software developers today take care not to introduce bugs into their code, because such bugs become the basis of vulnerabilities that can compromise a program, computer, or network. These vulnerabilities are the foundation of the exploits malicious actors create, and a working exploit lets its author move further down the cyber kill chain and keep their access until the vulnerability is patched. Exploitation runs as a loop: the attacker finds a bug in a codebase, the attacker exploits it, the developer locates the code being exploited, the developer patches the vulnerability, and the attacker starts looking for new vulnerabilities.
The goal of this research is to deter vulnerability weaponization as a means to greater security. Normally this means releasing patches for known bugs. This project instead aims to create fake, non-exploitable bugs that look like real vulnerabilities and to introduce them into a codebase. The practice wastes an exploit author's resources during the reconnaissance and weaponization phases of the cyber kill chain. The fake bugs act as a deterrent, hiding any genuinely vulnerable code among decoys. This creates a needle-in-a-haystack problem for the exploit author, increasing the time needed to develop an exploit and giving software developers more time to patch the real vulnerabilities, which further improves security. It also deters exploit authors who are looking for a quick way to break a program for their own benefit.
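A constructed C illustration of the kind of decoy the abstract describes, added here as an example and not taken from the project. The struct layout and all names (`record`, `record_set_name`, `decoy_pad`, `DECOY_PAD`) are hypothetical. `record_set_name` looks like it checks a length against the wrong constant and copies past a fixed-size name field, but the layout guarantees that the longest accepted copy ends inside padding the program never reads, so the adjacent fields an attacker would care about stay out of reach. `decoy_is_contained` states that containment property as a check that can be asserted at build or test time, which is what distinguishes a deliberate decoy from a real bug.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example: a decoy bug that is non-exploitable by construction.
 * Layout and names are hypothetical, not from any real project. */

#define NAME_LEN  16
#define DECOY_PAD 64   /* absorbs any write of up to NAME_LEN + DECOY_PAD bytes */

struct record {
    char     name[NAME_LEN];
    char     decoy_pad[DECOY_PAD];  /* never read anywhere in the program */
    uint32_t checksum;              /* the field an attacker would want to reach */
    uint32_t flags;
};

/* Decoy: an auditor sees a bound check against the wrong constant and a copy
 * that can run well past name[]. By construction the longest accepted copy
 * ends exactly at the end of decoy_pad, so checksum and flags are unreachable. */
int record_set_name(struct record *r, const char *src, size_t len)
{
    if (len > NAME_LEN + DECOY_PAD)   /* "should" read NAME_LEN */
        return -1;
    /* Byte loop over the struct's representation, starting at name[] */
    unsigned char *dst = (unsigned char *)r + offsetof(struct record, name);
    for (size_t i = 0; i < len; i++)
        dst[i] = (unsigned char)src[i];
    return 0;
}

/* Containment property that makes the decoy safe: the furthest byte the copy
 * can touch lies before the first field the program actually uses. */
int decoy_is_contained(void)
{
    return offsetof(struct record, name) + NAME_LEN + DECOY_PAD
           <= offsetof(struct record, checksum);
}

/* Exercise the decoy with the longest accepted input and report whether the
 * sensitive fields survived untouched. Returns 1 if they did. */
int decoy_leaves_fields_intact(void)
{
    struct record r;
    memset(&r, 0, sizeof r);
    r.checksum = 0xDEADBEEFu;
    r.flags    = 0x1234u;
    char src[NAME_LEN + DECOY_PAD];          /* constructed over-long name */
    memset(src, 'A', sizeof src);
    if (record_set_name(&r, src, sizeof src) != 0)
        return 0;
    return r.checksum == 0xDEADBEEFu && r.flags == 0x1234u;
}

/* One byte beyond the decoy's own (wrong-looking) bound is still rejected,
 * so the copy can never cross into checksum. Returns 1 if rejected. */
int decoy_rejects_overlong(void)
{
    struct record r;
    memset(&r, 0, sizeof r);
    char src[NAME_LEN + DECOY_PAD + 1];
    memset(src, 'A', sizeof src);
    return record_set_name(&r, src, sizeof src) == -1;
}
```

The important design point is that the "bug" is harmless because of an invariant the developer controls (the padding immediately after the field, and the bound that stops exactly at its end), not because an attacker happens not to find it; `decoy_is_contained` turns that invariant into something a test suite can verify so a later refactor of the struct cannot silently make the decoy real.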
This is a metadata-only record.
Computer Science & Information Systems
- Event location:
- Event date: 25 March 2022
- Date submitted: 20 July 2022
- Additional information: