Bug-finding software can determine if there are potential vulnerabilities in computer programs, but there is no way to figure out how many go unnoticed. Researchers at the New York University Tandon School of Engineering collaborated with the MIT Lincoln Laboratory and Northeastern University to take a new approach to this problem.
The technique intentionally adds vulnerabilities to a program’s source code to determine how good bug-finding tools actually are. Developers can then use this information to improve the tools and increase the number of vulnerabilities detected. This technique is called Large-Scale Automated Vulnerability Addition (LAVA), and one of its co-creators is Brendan Dolan-Gavitt, an assistant professor of computer science and engineering at NYU Tandon.
Bug-finding programs are judged on two metrics, according to Dolan-Gavitt: “the false positive rate and the false negative rate, both of which are notoriously difficult to calculate,” he said. Without truly knowing how many bugs there are, it is hard to determine how well the bug-finding tools perform.
With LAVA, “the automated system inserts known quantities of novel vulnerabilities that are synthetic yet possess many of the same attributes as computer bugs in the wild,” according to Dolan-Gavitt.
The researchers plan to share their results to help developers with their bug-finding efforts. The team also plans on launching an open competition where developers can use a LAVA-based version of the software to find bugs.
Nike open-sources software on GitHub
Nike last week released open-source software on GitHub, publishing three projects: a JSON parsing framework, a distributed tracing solution for Java, and a lightweight logging library in Swift.
All of these projects have recently been updated, according to Nike’s GitHub page. While it might seem like Nike wants to join other companies trying to make it in the tech world, it could also be a way to better its brand image.
Developers can find all the repositories on Nike’s GitHub page.
Google rumor: New Android Wear devices
Android Police was informed by a “reliable” Google source that the company is building two Android Wear devices. One will be sportier and feature LTE, GPS and heart-rate monitoring capabilities, and the other will be smaller and lack those capabilities.
Android Police is rating this rumor a nine out of 10, meaning it is confident that Google is in fact prototyping these Wear devices. Both watches have a circular display, and the first watch is believed to be codenamed Angelfish. It resembles the current Moto 360 and LG’s Urbane 2nd Edition LTE.
The smaller watch is codenamed Swordfish, and it has a basic shape similar to the Pebble Time Round, minus the big screen bezel.