Technology Review
Researchers call for changes in how software patches are distributed.
Software patches, which are sent over the Internet to protect computers from newly discovered security holes, could help the bad guys as well as the good guys, according to research recently presented at the IEEE Symposium on Security and Privacy. The research shows that attackers could use patches to automatically generate software to attack vulnerable computers, employing a process that can take as little as 30 seconds. Since it takes time for patches to reach all the machines that need them, attackers could have a chance to affect large numbers of machines, says David Brumley, an incoming assistant professor at Carnegie Mellon University in the electrical- and computer-engineering department and the lead author of the paper.
As part of their research, Brumley and his colleagues produced malicious code, commonly called an exploit, that could infiltrate computers and launch denial of service attacks. These attacks flood a website so that legitimate users can't access it. The researchers were also able to gain control of people's computers remotely. The findings have serious implications for global Internet security and stability. Using this approach, an attacker could quickly and easily gather private information about people and businesses. Moreover, large numbers of infected computers could significantly slow Internet traffic.
Normally, when a security researcher finds a bug in a program, he or she notifies the organization or company responsible for the software. The company creates a patch to correct the problem. Because those patches are often fairly large files, organizations tend to distribute them in stages so as not to overwhelm the central servers providing the patches. Christos Gkantsidis, an associate researcher in the systems and networking group at Microsoft Research, in Cambridge, says that it takes about 24 hours to distribute a patch through Windows Update to 80 percent of the systems that need it. "The problem is that the infrastructure capacity that exists is not enough to serve all the users immediately," Gkantsidis says. "We currently don't have technologies that can distribute patches as fast as the worms." (A worm is one type of computer exploit.) In other words, attackers already have a window of opportunity to infect computers between the time a patch is released and the time it reaches all the systems that need it. Brumley's research shows that an attacker could infect computers more efficiently during that window by generating exploits automatically.
Brumley says that his system works for patches intended to fix one common type of vulnerability, and has its roots in the methods used to automatically test programs to make sure they perform as intended. The technique analyzes a new patch to discover what changes it is making to the previous version of the software. Once the changes are isolated, the system analyzes them to create a formula that has as its solution values that can be used for an exploit.
Tools that find serious bugs automatically could lead to safer, more stable software.
A new tool assumes that a PC is loaded with malware--and protects transactions anyway.
It seems that this technique only works for a subset of security holes. For example, a hole in Firefox might be easily exploited using this technique (via a website), but a hole in Acrobat (something that must be exploited locally) might not be so effectively exploited. So if my assertion is correct, then we really only need better patch distribution techniques for a certain subset of patches -- namely those that can be easily exploited remotely.
But then again, if you already have a new patch distribution technique, why not distribute all patches that way, right? Eh, whatever.
As many households have more than one computer on their network these days (not to mention businesses, colleges, government entities, etc) why not develop a means to automatically share OS patches amongst computers on the same net? If one of my computers is set to download a patch from MS, why must the others also reach out and touch the server for the same patch? Why not just talk to its neighbor and download it from there? Better yet, the computer that just got the patch could send out a "Do you have this yet" probe and if a computer replies with a negative, it will automatically get sent the patch. Would probably lesson the stress put on the distribution servers and also clear up some congestion on the net during heavy patch releases (SP3 for instance).
Alternately, you could close the gap between patch availability and installation by signaling critical subsystems to disable affected functionality until the patch is applied. Of course, you would have to decide which is worse, the medicine or the disease. But for critical flaws in ancillary services, it might well be worth it. This sort of disable-until-patched feature could even be a check-box option when you install the package, so the end-user can make the call.
Manufacturing in the United States is in trouble. That's bad news not just for the country's economy but for the future of innovation.
This document is part of the “How-To Guide for Most Common Measurements” centralized resource portal. This tutorial provides a detailed guide for measurement and device considerations to take temperature measurements using thermocouples. Get an introduction to thermocouples, which are inexpensive sensing devices widely used with PC-based data acquisition systems. Also review some specific thermocouple examples and learn how thermocouples work and ways to integrate them into a data acquisition measurement system.
View full PDF >
Listen to story > 
Our list of the 50 most innovative companies, including the following:
On Twitter
Become a Fan on Facebook
Subscribe to the Feed
zig158
64 Comments
"Song hopes that it will eventually become possible to make programs more secure."
It is already possible, it's called open source.
Reply
Erica Naone
70 Comments
Re:
I think the key here is the start of the sentence: "By improving the tools for automatically analyzing software code." Song has an interesting project called BitBlaze (http://bitblaze.cs.berkeley.edu/), which is a binary analysis platform that forms the basis for this and other research.
Reply