Security impact ratings considered harmful

Authors:
Jeff Arnold;Tim Abbott;Waseem Daher;Gregory Price;Nelson Elhage;Geoffrey Thomas;Anders Kaseorg
Affiliations:
Massachusetts Institute of Technology;Massachusetts Institute of Technology;Massachusetts Institute of Technology;Massachusetts Institute of Technology;Massachusetts Institute of Technology;Massachusetts Institute of Technology;Massachusetts Institute of Technology
Venue:
HotOS'09 Proceedings of the 12th conference on Hot topics in operating systems
Year:
2009

Citing 9
Cited 3

Is Finding Security Holes a Good Idea?

IEEE Security and Privacy
Practical dynamic software updating for C

Proceedings of the 2006 ACM SIGPLAN conference on Programming language design and implementation
Live updating operating systems using virtualization

Proceedings of the 2nd international conference on Virtual execution environments
Large-scale vulnerability analysis

Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense
OPUS: online patches and updates for security

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Dynamic and adaptive updates of non-quiescent subsystems in commodity operating system kernels

Proceedings of the 2nd ACM SIGOPS/EuroSys European Conference on Computer Systems 2007
Reboots are for hardware: challenges and solutions to updating an operating system on the fly

ATC'07 2007 USENIX Annual Technical Conference on Proceedings of the USENIX Annual Technical Conference
Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications

SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Ksplice: automatic rebootless kernel updates

Proceedings of the 4th ACM European conference on Computer systems

Intrusion recovery using selective re-execution

OSDI'10 Proceedings of the 9th USENIX conference on Operating systems design and implementation
Software fault isolation with API integrity and multi-principal modules

SOSP '11 Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles
Linux kernel vulnerabilities: state-of-the-art defenses and open problems

Proceedings of the Second Asia-Pacific Workshop on Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper, we question the common practice of assigning security impact ratings to OS updates. Specifically, we present evidence that ranking updates by their perceived security importance, in order to defer applying some updates, exposes systems to significant risk. We argue that OS vendors and security groups should not focus on security updates to the detriment of other updates, but should instead seek update technologies that make it feasible to distribute updates for all disclosed OS bugs in a timely manner.