Software patches, which are sent over the Internet to protect computers from newly discovered security holes, could help the bad guys as well as the good guys, according to research recently presented at the IEEE Symposium on Security and Privacy. The research shows that attackers could use patches to automatically generate software to attack vulnerable computers, employing a process that can take as little as 30 seconds. Since it takes time for patches to reach all the machines that need them, attackers could have a chance to affect large numbers of machines, says David Brumley, an incoming assistant professor at Carnegie Mellon University in the electrical- and computer-engineering department and the lead author of the paper.

As part of their research, Brumley and his colleagues produced malicious code, commonly called an exploit, that could infiltrate computers and launch denial of service attacks. These attacks flood a website so that legitimate users can’t access it. The researchers were also able to gain control of people’s computers remotely. The findings have serious implications for global Internet security and stability. Using this approach, an attacker could quickly and easily gather private information about people and businesses. Moreover, large numbers of infected computers could significantly slow Internet traffic.

Normally, when a security researcher finds a bug in a program, he or she notifies the organization or company responsible for the software. The company creates a patch to correct the problem. Because those patches are often fairly large files, organizations tend to distribute them in stages so as not to overwhelm the central servers providing the patches. Christos Gkantsidis, an associate researcher in the systems and networking group at Microsoft Research, in Cambridge, says that it takes about 24 hours to distribute a patch through Windows Update to 80 percent of the systems that need it. “The problem is that the infrastructure capacity that exists is not enough to serve all the users immediately,” Gkantsidis says. “We currently don’t have technologies that can distribute patches as fast as the worms.” (A worm is one type of computer exploit.) In other words, attackers already have a window of opportunity to infect computers between the time a patch is released and the time it reaches all the systems that need it. Brumley’s research shows that an attacker could infect computers more efficiently during that window by generating exploits automatically.

Brumley says that his system works for patches intended to fix one common type of vulnerability, and has its roots in the methods used to automatically test programs to make sure they perform as intended. The technique analyzes a new patch to discover what changes it is making to the previous version of the software. Once the changes are isolated, the system analyzes them to create a formula that has as its solution values that can be used for an exploit.

Many of the vulnerabilities that the researchers used to test the system had been rated as serious or critical by Microsoft, Brumley says. While in two cases, Microsoft had already issued warnings for the exploits that the researchers generated, in several other cases, they created exploits that were previously unknown.

“If you just look at it naively, you are distributing a patch for the betterment of the system, closing security holes,” says Dawn Song, an assistant professor at the University of California, Berkeley, who was also involved in the research. “But the point of the work is that, even in such situations, you also need to carefully consider the security ramifications.”

As a result, the researchers call for new methods for distributing patches that could make them more secure. Brumley suggests taking steps to hide the changes that a patch is making to the software, releasing encrypted patches that can’t be decrypted and activated until a large portion of users have downloaded them, or exploring peer-to-peer distribution methods that could allow patches to go out in a single wave rather than in stages. “I’d like to see researchers get together with vendors to find out what their requirements are to make new solutions work,” he says.

Gkantsidis agrees that changes should be made to patch distribution, but he says that further research is needed to ensure that those changes don’t introduce new problems. For example, he says, while peer-to-peer distribution has the potential to help distribute a patch quickly, it could also make it easier for attackers to figure out which systems remained vulnerable. He suggests combining the new approaches, such as by both encrypting patches and using peer-to-peer distribution.

However, Bruce Schneier, chief security technology officer at BT Counterpane, says that, while it’s interesting that the researchers have demonstrated this capability, he doesn’t see that it changes anything. People know that you can reverse-engineer an exploit from a patch, he says, and this research simply shows how easy the process can be. “I think you just have to live with the fact that when you release the patch, the exploit is known,” he says. “That’s just the way the world works.” People can try to make reverse engineering harder, he says, but they can’t stop it altogether.

Song hopes that the automated techniques she’s developed to generate attacks can also help defenders. By improving the tools for automatically analyzing software code, Song hopes that it will eventually become possible to make programs more secure.