Guaranteeing Dependency Enforcement in Software Updates

  • Luigi Catuogno
  • Clemente Galdi
  • Giuseppe Persiano
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9417)

Abstract

In this paper we consider the problem of enforcing dependencies during the software distribution process. We consider a model in which multiple independent vendors encrypt their software and distribute it by means of untrusted mirror repositories. The decryption of each package is executed on the user side and is possible if and only if the target device satisfies the dependency requirements posed by the vendor. Once a package is decrypted, the protocol non-interactively updates the key material on the target device so that future packages requiring the newly installed package can be decrypted.

We further present a variant of the protocol in which the vendor-defined installation policy can also be partially hidden from unauthorized users.

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Luigi Catuogno (1)
  • Clemente Galdi (2)
  • Giuseppe Persiano (3)

  1. Dip. di Informatica, Università di Salerno, Fisciano (SA), Italy
  2. Dip. di Ing. Elet. e Tecnologie dell’Informazione, Università di Napoli Federico II, Napoli, Italy
  3. Dip. di Scienze Aziendali - Management & Innovation System, Università di Salerno, Fisciano, Italy
