Abstract
Because software security patches contain information about vulnerabilities, they can be reverse engineered into exploits. Tools for doing this already exist. As a result, there is a race between hackers and end-users to obtain patches first. In this paper we present and evaluate FirePatch, an intrusion-tolerant dissemination mechanism that combines encryption, replication, and sandboxing such that end-users are able to win the security patch race.
This work is supported in part by the Research Council of Norway (IKT 2010 program), AFOSR, AFRL/IFSE, NSF, and Intel Corporation.
Please use the following format when citing this chapter: Johansen. HL, Johansen, D., and van Renesse, R., 2007, ir IFIP International Federation for Information Processing. Volume 232. New Approaches for Security, Privacy and Trust in Complex Environments, eds. Venter, H., Eloff, M., Lahusehagne, L., Eloff, J., von Sohns, R., (Boston: Springer), pp. 373–384.
Chapter PDF
Similar content being viewed by others
References
William A. Arbaugh, William L. Fithen, and John McHugh. Windows of Vulnerability: A case study analysis. IEEE Computer, 33(12):52–59, 2000.
Hilary K. Browne, William A. Arbaugh, John McHugh, and William L. Fithen. A trend analysis of exploitations. In Proc. of the 2001 IEEE Symp. on Security and Privacy, pages 214–229, 2001.
Miguel Castro, Peter Druschel, Anne-Marie Kermarrec, Animesh Nandi, Antony Rowstron, and Atul Singh. SplitStream: High-bandwidth multicast in cooperative environments. In Proc. of the 19th ACM Symp. on Operating Systems Principles, pages 298–313, 2003.
Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang, and Paul Barham. Vigilante: End-to-end containment of Internet worms. In Proc. of the 20th ACM Symp. on Operating Systems Principles, pages 133–147, 2005.
Halvar Flake. Structural comparison of executable objects. In Proc. of the 2004 Conf. on Detection of Intrusions and Malware & Vulnerability Assessment, Lecture Notes in Informatics, pages 161–173, 2004.
Christos Gkantsidis, Thomas Karagiannis, Pablo Rodriguez, and Milan Vojnovic. Planet scale software updates. ACM SIGCOMM Computer Communication Review, 36(4):423–434, 2006.
Maya Haridasan and Robbert van Renesse. Defense against intrusion in a live streaming multicast system. In Proc. of the 6th IEEE Int. Conf. on Peer-to-Peer Computing, pages 185–192, 2006.
Håvard Johansen, André Allavena, and Robbert van Renesse. Fireflies: Scalable support for intrusion-tolerant network overlays. In Proc. of the 11th ACM Eurosys, pages 3–13, 2006.
Ashlesha Joshi, Samuel T. King, George W. Dunlap, and Peter M. Chen. Detecting past and present intrusions through vulnerability-specific predicates. In Proc. of the 20th ACM Symp. on Operating Systems Principles, pages 91–104, 2005.
Dejan Kostic, Adolfo Rodriguez, Jeannie Albrecht, and Amin Vahdat. Bullet: High bandwidth data dissemination using an overlay mesh. In Proc. of the 19th ACM Symp. on Operating Systems Principles, pages 282–297, 2003.
Vinay S. Pai, Kapil Kumar, Karthik Tamilmani, Vinay Sambamurthy, and Alexander E. Mohr. Chainsaw: Eliminating trees from overlay multicast. In Proc. of the 4th Int. Workshop on Peer-to-Peer Systems, volume 3640 of Lecture Notes in Computer Science, pages 127–140, 2005.
Brad Stone. A lively market, legal and not, for software bugs. The New York Times, online, January 30 2007. http://www.nytimes.com/2007/01/30/technology/30bugs.html.
Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker, and Stefan Savage. Scalability, fidelity, and containment in the Potemkin virtual honeyfarm. In Proc. of the 20th ACM Symp. on Operating Systems Principles, pages 148–162, 2005.
Helen J. Wang, Chuanxiong Guo, Daniel R. Simon, and Alf Zugenmaier. Shield: vulnerability-driven network filters for preventing known vulnerability exploits. In Proc. of the 2004 Conf. on Applications, Technologies, Architectures, and Protocols for Computer Communications, pages 193–204, 2004.
Beverly Yang and Hector Garcia-Molina. Designing a super-peer network. In Proc. of the 19th IEEE Int. Conf. on Data Engineering, pages 49–60, 2003.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2007 International Federation for Information Processing
About this paper
Cite this paper
Johansen, H., Johansen, D., van Renesse, R. (2007). FirePatch: Secure and Time-Critical Dissemination of Software Patches. In: Venter, H., Eloff, M., Labuschagne, L., Eloff, J., von Solms, R. (eds) New Approaches for Security, Privacy and Trust in Complex Environments. SEC 2007. IFIP International Federation for Information Processing, vol 232. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-72367-9_32
Download citation
DOI: https://doi.org/10.1007/978-0-387-72367-9_32
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-72366-2
Online ISBN: 978-0-387-72367-9
eBook Packages: Computer ScienceComputer Science (R0)