Is Finding Security Holes a Good Idea?
IEEE Security and Privacy
Practical dynamic software updating for C
Proceedings of the 2006 ACM SIGPLAN conference on Programming language design and implementation
Live updating operating systems using virtualization
Proceedings of the 2nd international conference on Virtual execution environments
Large-scale vulnerability analysis
Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense
OPUS: online patches and updates for security
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Dynamic and adaptive updates of non-quiescent subsystems in commodity operating system kernels
Proceedings of the 2nd ACM SIGOPS/EuroSys European Conference on Computer Systems 2007
Reboots are for hardware: challenges and solutions to updating an operating system on the fly
ATC'07 2007 USENIX Annual Technical Conference on Proceedings of the USENIX Annual Technical Conference
Automatic Patch-Based Exploit Generation is Possible: Techniques and Implications
SP '08 Proceedings of the 2008 IEEE Symposium on Security and Privacy
Ksplice: automatic rebootless kernel updates
Proceedings of the 4th ACM European conference on Computer systems
Intrusion recovery using selective re-execution
OSDI'10 Proceedings of the 9th USENIX conference on Operating systems design and implementation
Software fault isolation with API integrity and multi-principal modules
SOSP '11 Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles
Linux kernel vulnerabilities: state-of-the-art defenses and open problems
Proceedings of the Second Asia-Pacific Workshop on Systems
Hi-index | 0.00 |
In this paper, we question the common practice of assigning security impact ratings to OS updates. Specifically, we present evidence that ranking updates by their perceived security importance, in order to defer applying some updates, exposes systems to significant risk. We argue that OS vendors and security groups should not focus on security updates to the detriment of other updates, but should instead seek update technologies that make it feasible to distribute updates for all disclosed OS bugs in a timely manner.