Core Security

SOURCE CODE AUDITING TECHNIQUES



Source code auditing is rapidly becoming a standard practice for identifying and fixing security vulnerabilities at an early stage. The goal is to minimize the cost of fixing security holes by finding and correcting problems before the software is deployed.

We have been delivering source code auditing services to our customers since 1996. As a way to improve this important practice, the CoreLabs team is studying backdoors: exploitable vulnerabilities that an attacker (e.g., an insider) intentionally hides during development in order to exploit them at a later time. They represent one of the most dangerous vulnerability classes because they are more difficult to find than traditional vulnerabilities. We help prevent these attacks by reproducing the attackers' techniques and developing the skills necessary for identifying backdoors before they become security compromises. Furthermore, our team possesses a deep understanding of the complexity of the auditing process, and we are continually discovering new ways to improve the source code auditing practice.

To help facilitate research on the topic, CoreLabs sponsors a "bugdoor-hiding contest." The contest consists of a multi-player game, which is played in two stages. In stage one, players develop a simple software program that executes a predetermined functionality, but they must intentionally hide an exploitable bug in the code. In stage two, players review the source code of all other participants' programs as well as a placebo program that is bug-free. They then vote for which program they believe to be the placebo. The bugdoor program that receives the most votes wins.


