ASan and Beyond: Harnessing the Potential of the Masses to Fight Cybercrime
ASan, or AddressSanitizer, is an open source tool created by Google to find memory corruption bugs. Lots of projects, including Chromium and Firefox use it to find bugs such as use-after-free, use-after-return and use-after-scope as well as various overflows. It gives developers highly actionable insights into code violations, such as when and where bugs exist and allows them to fix them faster and with greater accuracy than without it.
Now the good people at Mozilla, the ones behind the non-profit Firefox browser, are bringing the power of ASan to the masses. Combining the popular development concept of nightly testing and ASan, they have announced a custom ASan nightly build of the browser. Via a special add-on, the build is capable of automatically collecting crash reports and sends them back to Mozilla to locate browser bugs in the wild before they cause any real havoc. These are bugs that can be exploited and turned into remote code execution if they aren’t caught earlier on so these reports hold very valuable information.
The interesting part here is that as long as a user is working on a Linux machine (versions for Windows and Mac are in the works, too), anyone who wants can sign up to be a bug reporter. When bugs are found, the reporter (who doesn’t have to do any actual work; it’s all collected and sent back to Mozilla automatically) gets a bug bounty reward—in cash. There is slight decrease in end user speed but the promise of cash is enough to make up for it.
Participants of similar (although not automated) bug bounty programs are generally security enthusiasts or researchers. Mozilla is putting a bit of a spin on it, asking all who care about making the internet a safer place (and want to make some extra dough) to be a part of the DevSec process.
This may sound a bit risky—certainly, involving non-professionals in highly technical processes may very well end badly. However, with so many threats out there today, there just aren’t enough professionals to deal with them. Getting these people on the cybersecurity bandwagon may just be the only answer to containing the deluge of threats today.
Before you counter that it’s crazy to allow non-professionals to get involved, consider Blockchains, which are immutable because anyone with a node can view them. The ledger on which transactions are written isn’t holed up by one keeper; it’s available for anyone who cares to view it. And therein lies its strength.
Involving the public has worked in to some degree in the physical security arena; authorities often ask the public for any information they may have regarding crimes. This makes sense: Only people who actually care about the cause at hand are going to offer help.
Beta Testing 2.0
The concept also bears similarities to classic beta testing—or, recruiting volunteers to try out software once it’s complete but not necessarily ready for prime time. Beta testing has been a core part of the software development process for years, critical to helping developers massage out last-minute bugs—before they cause damage to the end user and/or company reputation. Beta testers report back any apparent bugs, crashes, anomalies or design flaws. Once developers have tackled all those issues, the program is ready for wide release.
Mozilla’s ASan program is just a really smart mashup of these two ideas. Let’s face it, voluntarily beta testing a new browser build sounds nice, but people are motivated by incentives. Offering a cash reward draws in more testers, which means more bugs are located faster, thus making the browser far more secure than it would have been, had they just relied on finding a handful of beta testers. So one important takeaway is that shelling out some extra bucks gets more eyes on your software and helps iron out the kinks faster.
But what really excites me here is the idea of getting non-security folks involved with making the internet a safer, less vulnerable place—even if it’s just to get the bounty prize.
Enhancing Security Awareness, One Payout at a Time
As with a great deal of technology, the security arena has always been an elitist club, with a high barrier to entry when it comes to learning about the topic, forget about getting involved in it. Though this makes sense from the technological standpoint, it’s detrimental for everyone. Just like a patient must actually care about her own health to stay alive, non-technical people need to care about their own digital health to stay safe. When security is shrouded in its own world, with its own complicated jargon, it’s hard to get the public to care all that much—even when their own digital health is at stake.
Via incentives, the ASan nightly build program is getting regular people take a more active role in the collective digital good. One needn’t be super tech-y/geeky or even know anything much about computers to make the internet more secure. It’s harnessing the power of the individual to make the internet a safer place—regardless of who that individual may or may not be.
Just as beta testing with regular end users has become a normal procedure, I want to see more involvement in security from non-technical people. I’m hoping that more companies will follow Mozilla’s lead and allow non-technical people to become a part of the security process. You might worry that these non-techies might break something or wreck the program somehow—but as we see with the Firefox project, it can be developed in such a way that it wouldn’t incur any damage.
The worst case scenario is that a tester would just be “in it for the money” and thus remain uninterested in bettering his or her own digital security. The best case scenario? They could fall in love with security and get more deeply involved. But the middle ground is what I’m really excited about. True, these new reporters/testers might not start espousing their new found adoration for all things security related, but the involvement (even if due to incentives) would get the wheels in their head turning. If this were to become a widespread practice, I think there would be a shift wherein more people would become aware and take an active approach to security.
Is this a pipe dream? Could be.
But if Mozilla can be bold enough to start a program like this, there’s no reason other companies can’t. There will be logistics to work out but the end result will be a faster software verification process and more aware masses.
