FirePatch: Secure and Time-Critical Dissemination of Software Patches

Because software security patches contain information about the vulnerabilities they fix, they can be reverse engineered into exploits, and tools for doing so already exist. As a result, there is a race between attackers and end-users to obtain patches first. In this paper we present and evaluate FirePatch, an intrusion-tolerant dissemination mechanism that combines encryption, replication, and sandboxing so that end-users are able to win the security patch race.
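The abstract names encryption and replication as the ingredients that let end-users win the race. The following added example (not code from the FirePatch paper or project) illustrates one way those two combine: the patch is sealed under a fresh key and the ciphertext is replicated to every node first, so no one can read it before everyone holds it; only then is the short key released, and each node checks the key against a commitment and verifies an integrity tag before accepting the patch. The two-phase ordering, the bundle format, the node names and the `patch-example-001` identifier are assumptions made here; the SHA-256 counter-mode cipher with HMAC is a standard-library stand-in chosen so the example runs offline, where a deployment would use an AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Added example, not FirePatch's own code. Phase 1 replicates an encrypted
# bundle to every node; phase 2 releases the 32-byte key. A node applies the
# patch only if the key matches the commitment and the HMAC tag verifies, so
# a replica altered by a compromised relay is rejected. Ordering and format
# are assumptions; the cipher is a stdlib stand-in for a real AEAD.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of keystream as SHA-256(key || nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from the released key."""
    enc = hashlib.sha256(b"enc" + key).digest()
    mac = hashlib.sha256(b"mac" + key).digest()
    return enc, mac


@dataclass(frozen=True)
class Bundle:
    """What is replicated in phase 1: ciphertext, its tag, and a key commitment."""
    patch_id: str
    nonce: bytes
    ciphertext: bytes
    tag: bytes         # HMAC-SHA256 over patch_id || nonce || ciphertext
    key_commit: bytes  # SHA-256(key); lets nodes check the key released in phase 2


def seal_patch(patch_id: str, plaintext: bytes):
    """Publisher side: encrypt and authenticate the patch under a fresh random key."""
    key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = _subkeys(key)
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, patch_id.encode() + nonce + ciphertext, hashlib.sha256).digest()
    return Bundle(patch_id, nonce, ciphertext, tag, hashlib.sha256(key).digest()), key


def open_patch(bundle: Bundle, key: bytes) -> Optional[bytes]:
    """Node side: return the plaintext only if key and tag both check out."""
    if not hmac.compare_digest(hashlib.sha256(key).digest(), bundle.key_commit):
        return None  # wrong or forged key
    enc_key, mac_key = _subkeys(key)
    data = bundle.patch_id.encode() + bundle.nonce + bundle.ciphertext
    if not hmac.compare_digest(hmac.new(mac_key, data, hashlib.sha256).digest(), bundle.tag):
        return None  # replica was altered in transit
    return _xor(bundle.ciphertext, _keystream(enc_key, bundle.nonce, len(bundle.ciphertext)))


class Node:
    """One end-user replica; it stores bundles it cannot yet read."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.store: Dict[str, Bundle] = {}

    def receive(self, bundle: Bundle) -> None:
        self.store[bundle.patch_id] = bundle

    def release_key(self, patch_id: str, key: bytes) -> Optional[bytes]:
        bundle = self.store.get(patch_id)
        return None if bundle is None else open_patch(bundle, key)


def _corrupt(bundle: Bundle) -> Bundle:
    """Flip one ciphertext bit, modelling a relay that alters the copy it forwards."""
    flipped = bytes([bundle.ciphertext[0] ^ 0x01]) + bundle.ciphertext[1:]
    return Bundle(bundle.patch_id, bundle.nonce, flipped, bundle.tag, bundle.key_commit)


def disseminate(patch: bytes, corrupt_for: Set[str] = frozenset()) -> Dict[str, Optional[bytes]]:
    """Run both phases over four nodes; `corrupt_for` names nodes fed an altered replica."""
    patch_id = "patch-example-001"  # constructed identifier
    nodes = [Node(f"node{i}") for i in range(4)]
    bundle, key = seal_patch(patch_id, patch)
    for node in nodes:  # phase 1: replicate the ciphertext everywhere
        node.receive(_corrupt(bundle) if node.name in corrupt_for else bundle)
    return {node.name: node.release_key(patch_id, key) for node in nodes}  # phase 2: key release


if __name__ == "__main__":
    sample = b"--- a/server.c\n+++ b/server.c\n+    if (len > sizeof(buf)) return -1;\n"  # constructed
    for name, result in disseminate(sample, corrupt_for={"node2"}).items():
        print(name, "applied" if result == sample else "rejected")
```

Running the block shows three nodes applying the patch and `node2`, which received an altered replica, rejecting it. The key commitment also means a node cannot be tricked into decrypting under a key chosen by someone other than the publisher.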