Scientist discovered a vulnerability in the universal Turing machine

vulnerability in the universal Turing machine

Pontus Johnson, a professor at the Royal Institute of Technology in Stockholm, discovered a vulnerability in the universal Turing machine.

A Turing machine is an abstract executor (abstract computing machine). It was proposed by the English mathematician Alan Turing in 1936 to formalize the concept of an algorithm. A universal Turing machine is a Turing machine that can replace any Turing machine. As a rule, this term means a computer’s most straightforward, abstract model.

The vulnerability (CVE-2021-32471) exists due to the lack of an input validation mechanism. With its help, Johnson managed to run an arbitrary code on the so-called Minsky machine using specially configured data.

А well-established implementation of the universal Turing machine is vulnerable to both unintentional and non-trivial forms of arbitrary code execution. The article proceeds in the next section with a background arbitrary code execution. Pontus Johnson reports.

As Pontus noted, the vulnerability cannot be exploited in real attack scenarios since it affects the Minsky machine (or the so-called register machine) – a multi-tape Turing machine, introduced in 1967 by the co-founder of the University of Massachusetts Artificial Intelligence Laboratory, Marvin Minsky, and is the most straightforward computer.

Although the vulnerability has no use in the modern world, Johnson said, it raises an important question – at what stage can security features be implemented in the creation of a computer?

As the scientist noted, many experts believe that security should be considered at the very early stages of creating a computer. However, this approach is inapplicable to the Minsky machine since all possible safety functions will be add-ons, and it is impossible to include them in the device itself.

Johnson said his research demonstrates that even the most straightforward computer is still vulnerable, and security cannot always be built-in.

By submitting crafted input data, an attacker can coerce the machine into executing arbitrary instructions. While this vulnerability has no real-world implications, we discuss whether it indicates an intrinsic propensity for arbitrary code execution vulnerabilities in computers.Professor Pontus Johnson concludes

Let me remind you that I also talked about the Perfect encryption system presented by team of scientists from three countries.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

1 comment

  1. When I’d read about this on ArXiv, I didn’t know it had a CVE assigned to it. That’s hilarious

Leave a comment

Your email address will not be published. Required fields are marked *