DARPA Makes Finding Software Flaws Fun

alphadogg writes "The U.S. Department of Defense may have found a new way to scan millions of lines of software code for vulnerabilities: by turning the practice into a set of video games and puzzles and having volunteers do the work. Having gamers identify potentially problematic chunks of code could help lower the work load of trained vulnerability analysts by 'an order of magnitude or more,' said John Murray, a program director in SRI International's computer science laboratory who helped create one of the games, called Xylem. DARPA has set up a site, called Verigames, that offers five free games that can be played online or, in Xylem's case, on an Apple iPad."
  • by K. S. Kyosuke ( 729550 ) on Saturday December 07, 2013 @03:50PM (#45628253)
    Yeah, but when I exploit a buggy drone and fly it into your own units, the same DoD says "that's not funny". ;/ Make up your minds already!
  • by Anonymous Coward on Saturday December 07, 2013 @04:06PM (#45628367)
  • psDOOM anyone? (Score:3, Informative)

    by netpatriot ( 3456831 ) on Saturday December 07, 2013 @04:07PM (#45628377)
    not such a new idea: Doom as an Interface for Process Management: []
  • by MonkeyDancer ( 797523 ) on Saturday December 07, 2013 @04:11PM (#45628397)

    I'm disappointed they do not have the game 'Global Thermonuclear War'.

  • by tlambert ( 566799 ) on Saturday December 07, 2013 @04:39PM (#45628559)

    Finding bugs is ALWAYS fun!

    What's even more fun is that Tesla Roadster you were able to buy by selling the bugs you find to intelligence agencies, rather than reporting them to the vendor and being sued under the DMCA for reverse engineering their product.

  • I actually clicked the link and read the brief writeup. Too lazy to go further, and hoping somebody can tell me this:

    How can you make a game out of this? It seems to me that if the game can tell when the user wins/loses, then there's no reason to create the game at all -- just make the win/lose logic do the error checking directly. So what's the point of the game?

    Or is it the case that their games are not able to tell you when you win or lose, and the player has to determine that himself or herself? Tha
    • Re:How does it work? (Score:4, Interesting)

      by Lewisham ( 239493 ) on Saturday December 07, 2013 @08:17PM (#45629693)

      I worked on Xylem when I was a grad student at UCSC. I was not on the team when it launched, so my info may be out of date.

      What players are being asked to do is find loop invariants for code. The invariants are hard for a computer to come up with (and be useful), but are easier to check given certain bounds. So there is no predetermined win state, each answer is checked server-side to see if it holds up within the bounds (or, if the answer is already known, the cache hit is returned). If the invariant is complex and holds, it gets scored highly. If it's trivial and holds, it gets a lower score. If it doesn't hold, the instance where it doesn't hold is returned to the player.

      Does this help?
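The bounded, server-side invariant check Lewisham describes, written out as an added example (this is not Xylem's code, whose internals are not shown here): a constructed toy loop that sums 0..n-1, a whitelist parser so a player-supplied expression cannot smuggle in calls or attribute access, and a checker that returns the first failing state as the counterexample and scores a holding invariant by its size, so a richer invariant outranks a trivial one like `s >= 0`.

```python
import ast
from dataclasses import dataclass
from typing import Optional

# Constructed target loop (hypothetical Xylem-style task): sum of 0..n-1.
# A candidate invariant over (i, s, n) must hold before every iteration
# and again when the loop exits.
def loop_states(n):
    """Yield every state at which a loop invariant must hold."""
    i, s = 0, 0
    yield {"i": i, "s": s, "n": n}
    while i < n:
        s += i
        i += 1
        yield {"i": i, "s": s, "n": n}

# Only arithmetic, comparison and boolean syntax is accepted from players.
ALLOWED = (ast.Expression, ast.BoolOp, ast.BinOp, ast.UnaryOp, ast.Compare,
           ast.Name, ast.Constant, ast.Load, ast.And, ast.Or, ast.Not,
           ast.Add, ast.Sub, ast.Mult, ast.FloorDiv, ast.Mod, ast.USub,
           ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE)

def parse_invariant(text):
    """Parse a player-supplied expression, rejecting calls, attributes,
    subscripts and anything else outside the whitelist before it is run."""
    tree = ast.parse(text, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED):
            raise ValueError(f"disallowed syntax: {type(node).__name__}")
    return tree

@dataclass
class Verdict:
    holds: bool
    score: int                          # size-based score if it holds, else 0
    counterexample: Optional[dict] = None

def check_invariant(text, bound=20):
    """Check the invariant on every loop state for n in 0..bound."""
    tree = parse_invariant(text)
    code = compile(tree, "<invariant>", "eval")
    for n in range(bound + 1):
        for state in loop_states(n):
            if not eval(code, {"__builtins__": {}}, dict(state)):
                return Verdict(False, 0, state)   # first failing state
    # Score by expression size: a complex invariant that holds ranks higher.
    return Verdict(True, sum(1 for _ in ast.walk(tree)))
```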

      • Does this help?

        It doesn't help explain how it might be fun for the masses... I would just try playing it, but uh nope. Not for the government. Maybe I'd have played it just hosted at UCSC, running against some useful-to-me code.

        • by Lewisham ( 239493 ) on Saturday December 07, 2013 @09:47PM (#45630145)

          DARPA funded the project, and DARPA fund lots of projects. I think a debate about whether DARPA is good or bad is pretty out-of-scope for this particular work: we made a game that might show how software verification could be crowdsourced.

          The games do try to be fun, that's why none of them are "look at this loop and write an invariant". Xylem dresses up the problem statement as logic puzzles that surround the growth of exotic plants. I don't have an iPad to play the final version of Xylem on, but we tried hard to come up with a compelling game.

          I don't believe the expected player base really cares about whether the project was funded by DARPA or not. I understand if you don't, but I think you would also have to stop using the Internet if you have such an issue with DARPA funded projects :)

    • by neminem ( 561346 )

      Perhaps you haven't taken an algorithms class, or you've forgotten it, but go look up NP-Complete problems (you've probably heard of them). I'm not an expert, and also lazy, so I have no idea whether these problems are NP-Complete or not, and I'm sure there are other similar classes of problems that aren't NP-Complete, too. Anyway, the idea is, there are large numbers of computational problems that are astronomically difficult to find solutions to an instance of, but given a potential solution to an instanc

      • Well, OK, but actually it turns out that computers are really well suited to finding "good enough" solutions to NP-Complete problems such as traveling salesman and real world equivalents like optimized circuit printing. So to my mind you still haven't described a situation where crowdsourcing with wetware can improve on a targeted silicon approach.
  • by Fnord666 ( 889225 ) on Saturday December 07, 2013 @06:17PM (#45629095) Journal
    Here's a link [] to a single page version of the article.
  • It's decent (Score:4, Funny)

    by eyenot ( 102141 ) on Saturday December 07, 2013 @06:54PM (#45629269) Homepage

    These puzzles are definitely interesting. I had a chance to get on and play the preliminaries of the pipe game about two hours ago from a college terminal. I get home to continue my "work" and the site is 505'd. I'm guessing it may have been simply slashdotted. If that's the case, then I've lost a bit of confidence in the project.

    It sort of reminds me of that scene in "Sneakers" when the guys roll by to get the box back from the "NSA", and the building is being torn down. Which raises the question, if I can imagine using a site to quickly test a population sample's IQ and then to run like heck with the results, then is there a feasible reason to do so?

  • Next they're gonna make a game out of finding out who's going to those demonstrations and protests.

    That one will be a blast. I'm sure there are lots of techies who will gladly play that game.

    Or maybe a game where you get to control a mech and use a nerve agent on the protesters.

    • by Anonymous Coward

      Maybe for background music they can get it to play "Kill the Boer".

  • When is the government going to learn to fully test their sites before going public? I heard the user side of is operational, so I went to check it out this morning. I create an account, get sent a verification email. I open the email using SeaMonkey's email client, and it's blank. I look at the raw source of the email, and the message content has a "Base64 decode error". Nowhere on the site is an option to resend, only a phone number to call (f*ck that). On a hunch, I do something I sh
    • Oh yeah, I also cut and pasted the verification link from the borked email (how many users would think to look at the raw source?), and refused to verify using their own code they sent. WTF?
  • Translation - The NSA needs to find better ways to find more vulnerabilities so that they can compromise more targets more quickly. Idiots deserve to lose their freedom.
  • I gave it a thorough testing today. Granted, it's still all in BETA stage. But I'm not griping about the stupid bugs.

    The whole thing sucks. The five different games are basically five different kinds of problems. There's organic chemistry, atomic chemistry, programming logic, and I didn't play the other two games but they appear to be shrouded versions of real life n-body or other computational problems.

    So here's the deal. This shit takes a long time. These games get very complex very quickly. I can see mys
