Verigames lets gamers carry some of the load of software security
- By Kevin McCaney
- May 28, 2015
It turns out you actually can improve the security of software by making a game of it.
In December 2013, the Defense Advanced Research Projects Agency launched a Web portal called Verigames that offered five free online games with titles like “Ghost Map,” “Flow Jam,” and “Xylem.” The idea was to have games that were fun to play while simultaneously mimicking the otherwise time-consuming software verification process traditionally used to weed out software bugs.
The result: hundreds of thousands of annotations in common software programming languages that help engineers check the software. Another result: a new set of games intended to help DARPA see how much more it can get from crowdsourcing software security.
“We're excited by these results and are encouraging the public to play our new games over the next few weeks so we can see just how far this approach may go,” program manager Michael Hsieh said in a DARPA release.
The agency launched Verigames, part of its Crowd Sourced Formal Verification (CSFV) program, because the growth of new software programs in recent years has outpaced verification efforts. Verification is a software engineering process to ensure software is free of flaws (and thus easy vulnerabilities to hackers), but it is a painstaking process that doesn’t scale to the pace and size of some commercial software. “There are simply not enough experts to provide manual analysis on the scale required to support formal verification of the countless software systems launched every day,” Hsieh said.
DARPA said most software will have one to five flaws per thousand lines of code. So with Verigames, agency researchers translated the mathematical techniques involved in software verification into puzzle games, then interpreted players’ actions into program annotations that helped experts determine if the software was free of significant classes of flaws. The first round of games generated hundreds of thousands of those notations on software written in the popular C and Java programming languages.
The new set of games is designed to be both more playable and more effective in finding flaws, DARPA said. The games are:
Dynamakr, which asks players to energize mysterious patterns in a cosmic puzzle machine.
Paradox, in which players use an array of tools to optimize vast networks.
Ghost Map Hyperspace, in which players battle alien invaders and seal off their hyperspace rifts.
Monster Proof, which asks players to explore a kingdom of monsters and solve puzzles to get rich.
Binary Fission, an atom-splitting game that asks players to mix and match quarks in the name of cybersecurity.
Beyond software verification, DARPA said Verigames also lets it explore the potential for crowdsourcing to solve other software problems.
Kevin McCaney is a former editor of Defense Systems and GCN.