iPad game's underlying mission: checking software code

"Xylem: The Code of Plants" was developed by SRI International and UC Santa Cruz. Photo: SRI International

A new iPad game allows users to play botanist, cataloging plant life on the imaginary island of Miraflora by identifying patterns in flowers.

But working through the puzzles in "Xylem: The Code of Plants" does more than rack up points - it generates mathematical proofs that automatically analyze additional software for security vulnerabilities.

As more people play, more segments of code are verified - unlocking additional levels of the game. More interestingly, it also checks the code in unrelated software programs.

"The process finds a really solid proof that a particular piece of software doesn't have exposures or vulnerabilities," said John Murray, program director in the computer science laboratory at SRI International and principal investigator on the project.

The aim is to make software "more secure, more reliable and less vulnerable to failure," he said.

The Menlo Park research powerhouse developed the game in partnership with UC Santa Cruz, under the U.S. Defense Advanced Research Projects Agency's broader Crowd Sourced Formal Verification program. SRI on Monday will formally announce "Xylem," which is available for free along with four Web-based games developed by other institutions at www.verigames.com.

Chipping in

The goal of the CSFV initiative is to use the lure of games to harness collective ingenuity - getting many people to chip in to the tedious task of identifying digital vulnerabilities. It's increasingly critical to do this cheaply and efficiently, as more of our critical infrastructure moves online and cyber attacks become greater threats to national security and commerce.

Formal verification refers to the complicated process of analyzing software to detect exposures. Doing it well has traditionally required highly skilled engineers manually scanning software, a slow and expensive process.

The short supply of engineers frequently means this formal process isn't performed, or at least not adequately. Instead, vulnerabilities are patched as they become apparent (hence Microsoft's twice monthly "Patch Tuesday"), often after the damage is done.

"We're seeing if we can take really hard math problems and map them onto interesting, attractive puzzle games that online players will solve for fun," said Drew Dean, DARPA program manager, in a statement. "By leveraging players' intelligence and ingenuity on a broad scale, we hope to reduce security analysts' workloads and fundamentally improve the availability of formal verification."

Crowdsourcing test

The research arm of the Defense Department, which declined to comment beyond a press release, unveiled the CSFV program last week.

The games are designed to evaluate the potential for crowdsourcing formal verification. If the games work or can be improved upon, the techniques could eventually be applied to increasingly critical software, like medical systems, communications networks and maybe (given DARPA's interest) military programs.

The games only verify that code is secure or flag potential problems. Humans will still have to go in and fix any discovered flaws.

So how does "Xylem" work?

Essentially players slide around images of flowers, numbers and mathematical symbols to identify the relationship between the growth patterns of flowers on various plants.

For instance, if there are three red flowers on one branch and six purple ones on the other, the formula would be: "image of red flower" X 2 = "image of purple flower." The math starts out about this simple, but gets more complicated as the game proceeds.

What's happening behind the scenes gets tricky. But in basic terms, the number of flowers corresponds to variables within a bit of software, known as a loop. And the mathematical relationship among the flowers describes what is known as a loop invariant, which is used to verify that loop.

The invariant must be true going into and coming out of the loop, every time it's executed.

Got that? No? Well, that's kind of the point.
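The loop-invariant idea described above, as an added example that is not code from SRI, UC Santa Cruz or the game. The loop, the candidate formulas and the property to prove (a buffer sized `2 * red` must hold `purple` items) are constructed for illustration, and bounded enumeration stands in for the prover a real verifier would use.

```python
from itertools import product

# Constructed loop under analysis:
#     red = purple = 0
#     while red < n: red += 1; purple += 2
#     assert purple <= 2 * red    # property to prove at loop exit

def body(red, purple):
    return red + 1, purple + 2

def guard(red, n):
    return red < n

def post(red, purple):
    return purple <= 2 * red

# Candidate formulas a player might propose from the flower counts.
CANDIDATES = {
    "purple == 2 * red": lambda red, purple: purple == 2 * red,
    "purple == red + 3": lambda red, purple: purple == red + 3,  # fits (3, 6) only
    "purple >= red": lambda red, purple: purple >= red,          # true but too weak
}

def check(inv, n_max=6, bound=15):
    """Check the three obligations for a candidate over a bounded state space.

    initiation:  inv holds when the loop is first entered
    consecution: inv and guard before an iteration imply inv after it
    sufficiency: inv and a false guard imply the property at loop exit
    """
    ok = {"initiation": inv(0, 0), "consecution": True, "sufficiency": True}
    for n, red, purple in product(range(n_max + 1), range(bound), range(bound)):
        if not inv(red, purple):
            continue  # obligations only concern states the candidate allows
        if guard(red, n):
            if not inv(*body(red, purple)):
                ok["consecution"] = False
        elif not post(red, purple):
            ok["sufficiency"] = False
    return ok

def usable(inv):
    """A candidate verifies the loop only if all three obligations hold."""
    return all(check(inv).values())

if __name__ == "__main__":
    for name, inv in CANDIDATES.items():
        print(f"{name:20} {check(inv)}")
```

A formula that matches one observation, or one that is true but too weak, is rejected; only the relation that holds on entry, survives every iteration and implies the property counts as a proof.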

Game easier to explain

"It's a hard concept to get across even to computer science students," said Jim Whitehead, chair of computer science at UC Santa Cruz, in a statement. "By turning it into a game, it becomes something that an untrained person with basic math skills can do."

One unanswered question is how well this will all work in practice. But an equally important one is, how many people will play these games long enough to solve the hard problems?

CSFV doesn't mark the first time researchers have attempted to use game play and crowdsourcing to tackle difficult technical challenges. In 2008, researchers at the University of Washington released a game known as "Foldit" that challenged players to manipulate chains of amino acids into optimal shapes. Within several weeks, users had produced a model of a protein that could help design antiretroviral drugs to fight the spread of HIV, according to a 2011 study in the journal Nature Structural & Molecular Biology. That task had stumped scientists and computers for a decade.

But other so-called gamification techniques, like offering points, badges and leaderboards to motivate workers or get people to exercise more, have had mixed success. It turns out that the fact people like to play games doesn't mean that they like to play all games. And virtual rewards like badges aren't always enough to motivate people to work - especially if it starts to feel like work.

There are already thousands of video games competing for attention - and it's possible that crafting mathematical proofs might not prove as viscerally compelling as, say, slingshotting disgruntled birds at pigs.

But Murray says "Angry Birds" isn't the model.

"The parallel I like to draw is with the game sudoku," he said, since it underscores a market interest in tricky math games. Still, he acknowledged it might be difficult to attain that level of popularity.

"The puzzles we're presenting are rather more difficult and the question is, how enthusiastic will the player be over a period of days and weeks and months?"

See for yourself. "Xylem" is available in Apple's App Store.