secure software updates
play

Secure Software Updates Disappointments and New Challenges Anthony - PowerPoint PPT Presentation

Secure Software Updates Disappointments and New Challenges Anthony Bellissimo Kevin Fu John Burgess kevinfu@cs.umass.edu Department of Computer Science University of Massachusetts at Amherst, USA http://prisms.cs.umass.edu/ USENIX Hot


  1. Secure Software Updates Disappointments and New Challenges Anthony Bellissimo Kevin Fu John Burgess kevinfu@cs.umass.edu Department of Computer Science University of Massachusetts at Amherst, USA http://prisms.cs.umass.edu/ USENIX Hot Topics in Security Workshop Computer Science

  2. Observations and Beliefs • Software updates are susceptible to MITM ‣ Easy to address in centralized scenarios ‣ Difficult to deploy in standalone apps • Updating embedded devices trickier ‣ Unconventional constraints and threats ‣ New risks Secure Software Updates Computer Science

  3. Un signed updates rampant

  4. Millions update every day

  5. Additional info on http://www.cs.umass.edu/~kevinfu/secureupdates/

  6. http://business.bostonherald.com/technologyNews/view.bg?articleid=148707 http://www.cert.org/kb/vul_disclosure.html

  7. Survey of Update Security Secure Software Updates Computer Science

  8. http://www.soultek.com/clean_energy/hybrid_cars/toyota_prius_hybrid_car_shut_down_or_stall_problems.htm Automotive Updates

  9. Updates in Voting Machines http://www.nytimes.com/2006/05/12/us/12vote.html?ex=1305086400&en=1b3554af6e2d524a&ei=5088&partner=rssnyt&emc=rss

  10. Implanted medical devices use updates too How long until computer viruses can infect humans? “Help! My heart is infected and is launching a DDoS on my pancreas.”

  11. Software overdose http://www.fda.gov/cdrh/recalls/recall-082404b-pressrelease.html

  12. Embedded Medical Software fda.gov

  13. What Next? • Sign conventional updates ‣ Why didn’t the research transfer to reality? ‣ Little guys suffer the most ‣ Secure updates as an operating system service • Updating embedded devices ‣ No user interface, but ubiquitous ‣ Limited network, power, computation ‣ Threat model? Why would anyone attack this? Secure Software Updates Computer Science

Recommend


More recommend