CRII: SaTC: Empirical and Analytical Models for the Deployment of Software Updates in Large Vulnerable Populations
University Of Maryland, College Park, College Park MD
Investigators
Abstract
Software vulnerabilities are an important vector for malware delivery. The software updating mechanisms, responsible for deploying the vulnerability patches, are in a race with the cyber attackers seeking to exploit the vulnerabilities. Moreover, these updating mechanisms have multiple, potentially conflicting, design goals, as they must quickly deploy patches on millions of hosts worldwide, must not overburden the users, and must avoid breaking dependencies in the deployment environment. This project aims to model the dynamics of vulnerable host populations, in order to assess the practical barriers for current software updating mechanisms and the conflicts among their security and reliability goals. Using real-world data sets of update deployment events, the research studies the decay of vulnerable host populations empirically to identify deployment-specific factors that delay updates. Building on these insights, the project develops parameterized analytical models for update deployment, and uses these models to quantify the trade-offs between reliability and security when updating software. The models provide principled methods for reasoning about the properties of software updates in the presence of multiple design goals and enable improvements in software updating mechanisms by exploring a large design space. The researchers are disseminating the results from this project by organizing workshops on data-driven security, by releasing data sets with augmented information about software vulnerabilities, and by collaborating with industry partners to evaluate the proposed techniques in real-world settings.
View original record on NSF Award Search →