13th International Conference on Software Maintenance (ICSM'97)
Low-threat security patches and tools
Bari, ITALY
October 01-October 03
ISBN: 0-8186-8013-X
M.A. Bashar, Dept. of Comput. Sci., Purdue Univ., West Lafayette, IN, USA
G. Krishnan, Dept. of Comput. Sci., Purdue Univ., West Lafayette, IN, USA
M.G. Kuhn, Dept. of Comput. Sci., Purdue Univ., West Lafayette, IN, USA
E.H. Spafford, Dept. of Comput. Sci., Purdue Univ., West Lafayette, IN, USA
S.S. Wagstaff, Jr., Dept. of Comput. Sci., Purdue Univ., West Lafayette, IN, USA
We consider the problem of distributing potentially dangerous information to a number of competing parties. As a prime example, we focus on the issue of distributing security patches to software. These patches implicitly contain vulnerability information that may be abused to jeopardize the security of other systems. When a vendor supplies a binary program patch, different users may receive it at different times. The differential application times of the patch create a window of vulnerability until all users have installed the patch. An abuser might analyze the binary patch before others install it. Armed with this information, he might be able to abuse another user's machine. A related situation occurs in the deployment of security tools. However, many tools will necessarily encode vulnerability information or explicit information about security "localisms". This information may be reverse-engineered and used against systems. We discuss several ways in which security patches and tools may be made safer. Among these are: customizing patches to apply to only one machine; disguising patches to hinder their interpretation; synchronizing patch distribution to shrink the window of vulnerability; applying patches automatically; and using cryptoprocessors with enciphered operating systems. We conclude with some observations on the utility and effectiveness of these methods.
Index Terms:
security of data; low-threat security patches; security tools; dangerous information; vulnerability information; software vendor; binary program patch; differential application times; reverse engineering; customization; synchronization; cryptoprocessors; enciphered operating systems
Citation:
M.A. Bashar, G. Krishnan, M.G. Kuhn, E.H. Spafford, S.S. Wagstaff, Jr., "Low-threat security patches and tools," icsm, pp.306, 13th International Conference on Software Maintenance (ICSM'97), 1997