Wild to just see a bunch of people I follow disappear. If I hadn't seen the note from the admin I'd have no way of knowing lol.

"Do Users Write More Insecure Code with AI Assistants?
Overall, we find that participants who had access to an AI assistant based on OpenAI's codex-davinci-002 model wrote significantly less secure code than those without access. Additionally, participants with access to an AI assistant were more likely to believe they wrote secure code than those without access to the AI assistant."
Vindication of a lot of gut feelings here
arxiv.org/abs/2211.03622

Had my compilers class try to break 133 different compilers, which just wrapped up.

types.pl/@dvanhorn/10930589547

OK first, this was fun and I recommend it.

The assignment was to write input programs that would be run on the collection of compilers submitted from the *previous* assignment. If results differed from a reference interpreter, that compiler was considered broken. The goal was to break as many things as possible.

The learning objective here was to learn how to read an informal spec and write test cases that are likely to exercise bugs. I think that worked. For many students it was clear they hadn't done this kind of task before and didn't really know where to start, which was surprising to me.

Students very quickly (like in hours) found overspecifications in the behavior of the interpreter and used it to "win", but I was able to adjust the interpreter and after the first day, that kind of exploit went away.

Many students did what I expected: they wrote small tests based on the assignment spec that broke a good chunk of the compilers. With some effort, they could get ~70-80 of the 133 compilers this way.

A few students wrote tests *not* guided by the assignment spec, but instead just wrote small examples drawn from the whole language. They found bugs in the starter code that was given to students, and thereby knocked out all 133 compilers.

One student found a bug in the parser which in two characters broke all the compilers!

Another student found a bug in the run-time system which read some memory as a uint, when it should've been int.

I look forward to refining and iterating on this in the future.

Only feature I'm really missing from Twitter is circles.

I'm gonna keep posting this until one of you fucking boosts it

Trying to get back into CTFs. Want to actually good at exploit writing.

types.pl

A Mastodon instance for programming language theorists and mathematicians. Or just anyone who wants to hang out.