Mathias Payer, ETH Zurich and University of California, Berkeley; Boris Bluntschli and Thomas R. Gross, ETH Zurich
Abstract:
Security patches protect an application from discovered vulnerabilities and should be applied as fast as possible. On the other hand, patching the application reduces the availability of the service due to the necessary restart. System administrators need to balance system availability with a potential compromise of system integrity.
A dynamic software update mechanism applies security updates on the fly but does not protect from unknown vulnerabilities. Software-based fault isolation on the other hand uses a sandbox to protect the integrity of a system by detecting unpatched vulnerabilities but provides no mechanism to repair any vulnerabilities.
This paper presents DynSec, a mechanism for on-the fly code rewriting and repair that dynamically applies security patches for unmodified binary applications. A sandbox protects the integrity of the system while the dynamic update mechanism increases the availability of the application. A prototype implementation that needs no a-priori cooperation from the application incurs a combined overhead of 11% on the SPEC CPU2006 benchmarks for the sandbox and the dynamic update mechanism.
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
BibTeX
@inproceedings {179244,
author = {Mathias Payer and Boris Bluntschli and Thomas R. Gross},
title = {{DynSec}: {On-the-fly} Code Rewriting and Repair},
booktitle = {5th Workshop on Hot Topics in Software Upgrades (HotSWUp 13)},
year = {2013},
address = {San Jose, CA},
url = {https://www.usenix.org/conference/hotswup13/workshop-program/presentation/payer},
publisher = {USENIX Association},
month = jun
}
connect with us