Automating the search for loopholes in software
“SET a thief to catch a thief.” Security-conscious companies, from banks to newspapers, often hire, if not thieves, then the analogues of thieves, to test their computer systems for weaknesses. These professional hackers, called penetration testers, poke and prod at their clients’ systems. If they find a way in, they inform the client, who can then fix the problem. Penetration testing, though, is expensive—for the skills required to be a good tester are rare. That is why a French firm called Cryptosense is hoping to automate the job.
One part of ensuring that a program is secure is checking that it is free of bugs and that it responds to odd or malformed sequences of commands without spilling any of the secrets it is meant to be guarding. This is a big task. The number of combinations of commands that can be entered into a piece of software increases exponentially as it gets more complicated. And many firms modify programs they have bought off the shelf, inadvertently introducing new bugs as they do so. It is thus no use relying on what a programmer has told you about how his code works.
Cryptosense’s penetrator, therefore, starts from scratch. First, it works its way through the list of commands that can be given to the program it is trying to subvert, in order to see how it responds. “At the end of that process it has two piles,” says Graham Steel, one of Cryptosense’s founders, “one where [the target program] did what it was supposed to do, and another pile full of error messages.” Armed with those experimental data, the virtual penetrator can work backwards, reconstructing a simulacrum of the target program whose behaviour, mistakes and all, matches reality.
Thus armed, it can begin trying to break things. Even with a computer rather than a human being doing the testing, an exhaustive search of all possible sequences of commands can be time-consuming. But the testing algorithm is smart enough, says Dr Steel, to give priority to those combinations most likely to prove fruitful. (Unsurprisingly, he will not disclose how exactly that is done.)
Even if Cryptosense’s automated hacker can find and plug all the holes in a particular piece of software, there will still be weak links. Software is used by people, and people can be tricked, threatened or charmed into spilling secrets. Also, what works for the good guys can work for the bad. If automatic hacking proves itself, there is nothing to prevent malicious hackers coming up with their own versions, and using those to scan for weaknesses.
Nevertheless, the prospect of automated security checks has already garnered Cryptosense several customers. Many of these are banks, which are frequent targets for hackers. Others operate in more esoteric settings. Security experts like to tell tales of “back doors” built into weapon systems, designed to allow their makers to disable them remotely. Cryptosense has found at least one flaw in a security module used in a modern weapon system which seems capable of doing just that.