FirePatch: Secure and Time-Critical Dissemination of Software Patches

  • Håvard Johansen
  • Dag Johansen
  • Robbert van Renesse
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 232)


Because software security patches contain information about vulnerabilities, they can be reverse engineered into exploits. Tools for doing this already exist. As a result, there is a race between hackers and end-users to obtain patches first. In this paper we present and evaluate FirePatch, an intrusion-tolerant dissemination mechanism that combines encryption, replication, and sandboxing such that end-users are able to win the security patch race.


  1. 1.
    William A. Arbaugh, William L. Fithen, and John McHugh. Windows of Vulnerability: A case study analysis. IEEE Computer, 33(12):52–59, 2000.Google Scholar
  2. 2.
    Hilary K. Browne, William A. Arbaugh, John McHugh, and William L. Fithen. A trend analysis of exploitations. In Proc. of the 2001 IEEE Symp. on Security and Privacy, pages 214–229, 2001.Google Scholar
  3. 3.
    Miguel Castro, Peter Druschel, Anne-Marie Kermarrec, Animesh Nandi, Antony Rowstron, and Atul Singh. SplitStream: High-bandwidth multicast in cooperative environments. In Proc. of the 19th ACM Symp. on Operating Systems Principles, pages 298–313, 2003.Google Scholar
  4. 4.
    Manuel Costa, Jon Crowcroft, Miguel Castro, Antony Rowstron, Lidong Zhou, Lintao Zhang, and Paul Barham. Vigilante: End-to-end containment of Internet worms. In Proc. of the 20th ACM Symp. on Operating Systems Principles, pages 133–147, 2005.Google Scholar
  5. 5.
    Halvar Flake. Structural comparison of executable objects. In Proc. of the 2004 Conf. on Detection of Intrusions and Malware & Vulnerability Assessment, Lecture Notes in Informatics, pages 161–173, 2004.Google Scholar
  6. 6.
    Christos Gkantsidis, Thomas Karagiannis, Pablo Rodriguez, and Milan Vojnovic. Planet scale software updates. ACM SIGCOMM Computer Communication Review, 36(4):423–434, 2006.CrossRefGoogle Scholar
  7. 7.
    Maya Haridasan and Robbert van Renesse. Defense against intrusion in a live streaming multicast system. In Proc. of the 6th IEEE Int. Conf. on Peer-to-Peer Computing, pages 185–192, 2006.Google Scholar
  8. 8.
    Håvard Johansen, André Allavena, and Robbert van Renesse. Fireflies: Scalable support for intrusion-tolerant network overlays. In Proc. of the 11th ACM Eurosys, pages 3–13, 2006.Google Scholar
  9. 9.
    Ashlesha Joshi, Samuel T. King, George W. Dunlap, and Peter M. Chen. Detecting past and present intrusions through vulnerability-specific predicates. In Proc. of the 20th ACM Symp. on Operating Systems Principles, pages 91–104, 2005.Google Scholar
  10. 10.
    Dejan Kostic, Adolfo Rodriguez, Jeannie Albrecht, and Amin Vahdat. Bullet: High bandwidth data dissemination using an overlay mesh. In Proc. of the 19th ACM Symp. on Operating Systems Principles, pages 282–297, 2003.Google Scholar
  11. 11.
    Vinay S. Pai, Kapil Kumar, Karthik Tamilmani, Vinay Sambamurthy, and Alexander E. Mohr. Chainsaw: Eliminating trees from overlay multicast. In Proc. of the 4th Int. Workshop on Peer-to-Peer Systems, volume 3640 of Lecture Notes in Computer Science, pages 127–140, 2005.Google Scholar
  12. 12.
    Brad Stone. A lively market, legal and not, for software bugs. The New York Times, online, January 30 2007.
  13. 13.
    Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker, and Stefan Savage. Scalability, fidelity, and containment in the Potemkin virtual honeyfarm. In Proc. of the 20th ACM Symp. on Operating Systems Principles, pages 148–162, 2005.Google Scholar
  14. 14.
    Helen J. Wang, Chuanxiong Guo, Daniel R. Simon, and Alf Zugenmaier. Shield: vulnerability-driven network filters for preventing known vulnerability exploits. In Proc. of the 2004 Conf. on Applications, Technologies, Architectures, and Protocols for Computer Communications, pages 193–204, 2004.Google Scholar
  15. 15.
    Beverly Yang and Hector Garcia-Molina. Designing a super-peer network. In Proc. of the 19th IEEE Int. Conf. on Data Engineering, pages 49–60, 2003.Google Scholar

Copyright information

© International Federation for Information Processing 2007

Authors and Affiliations

  • Håvard Johansen
    • 1
  • Dag Johansen
    • 1
  • Robbert van Renesse
    • 2
  1. 1.University of TromsøNorway
  2. 2.Cornell UniversityUSA

Personalised recommendations