DARPA’s online games crowdsource software security
- By Kevin McCaney
- Dec 04, 2013
Flaws in commercial software can cause serious problems if cyberattackers take advantage of them with their increasingly sophisticated bag of tricks. The Defense Advanced Research Projects Agency wants to see if it can speed up discovery of those flaws by making a game of it. Several games, in fact.
DARPA’s Crowd Sourced Formal Verification (CSFV) program has just launched its Verigames portal, which hosts five free online games designed to mimic the formal software verification process traditionally used to look for software bugs.
Verification, both dynamic and static, has proved to be the best way to determine whether software is free of flaws, but it requires software engineers to perform “mathematical theorem-proving techniques” that can be time-consuming, costly and unable to scale to the size of some of today’s commercial software, according to DARPA. With Verigames, the agency is testing whether untrained (and unpaid) users can verify the integrity of software more quickly and at lower cost.
“We’re seeing if we can take really hard math problems and map them onto interesting, attractive puzzle games that online players will solve for fun,” Drew Dean, DARPA program manager, said in announcing the portal launch. “By leveraging players’ intelligence and ingenuity on a broad scale, we hope to reduce security analysts’ workloads and fundamentally improve the availability of formal verification.”
The games — called “Ghost Map,” “Flow Jam,” “CircuitBot,” “StormBound” and “Xylem” — record players’ actions and translate them into mathematical proofs that can confirm the software is free of certain classes of flaws, DARPA said. The games can verify open-source software written in the C and Java programming languages.
The program’s games will be able to evolve along with new software: an automated process developed under CSFV generates new puzzles for each math problem the program wants to check. If flaws are found, DARPA says it intends to follow up with swift notification and remediation.
DARPA says there are good reasons for this approach. Commercial software has one to five bugs per thousand lines of code, and that software could wind up running in Defense Department, civilian agency and commercial systems.
The agency said its goals include building a permanent community of gamers that, through play, will help improve software security. (Note: Because this qualifies as a DARPA research program, players must be 18 or older.)
Kevin McCaney is a former editor of Defense Systems and GCN.