Band-aid Patching

Sidiroglou, Stelios; Ioannidis, Sotiris; Keromytis, Angelos D.

Testing vendor-issued patches remains one of the major hurdles to their speedy deployment. Studies have shown that administrators remain reluctant to patch their systems quickly, even when they have the capability to do so, partly because security patches in particular are often incomplete or altogether non-functional. We propose Band-aid Patching, a new approach for concurrently testing application patches. Using binary runtime injection techniques, we patch binaries such that, when program execution reaches a program segment affected by an issued patch, two (or more) execution threads are created. These threads speculatively execute both versions of the code (patched and unpatched). Our system then retroactively selects one of the execution threads based on a variety of criteria, including obvious faultiness, prior history, and user input. We believe this approach offers significant advantages in accelerating the deployment of hot fixes while providing some assurance to system administrators. In this paper, we describe our initial thoughts on the system architecture, and provide some preliminary indications of the feasibility and performance impact of our scheme.
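The selection step the abstract sketches, as an added Python illustration that is not the authors' system (which injects into binaries at runtime): a hypothetical BandAid harness runs both variants of a constructed length-prefixed record parser in two threads, treats a raised exception as obvious faultiness, keeps a per-variant fault history, and falls back to an assumed ask_user callback to stand in for user input.

```python
import threading
from typing import Any, Callable, Dict, Optional, Tuple


class BandAid:
    """Hypothetical harness (not the paper's code): run the unpatched and patched
    variants of a segment in two threads, then retroactively pick one result."""
    def __init__(self, ask_user: Optional[Callable[[Dict[str, Any]], str]] = None):
        self.faults: Dict[str, int] = {"unpatched": 0, "patched": 0}  # prior history
        self.ask_user = ask_user  # last-resort tie-break standing in for user input

    @staticmethod
    def _run(fn: Callable[..., Any], args: tuple, out: Dict[str, Any]) -> None:
        try:
            out["value"] = fn(*args)
        except Exception as exc:  # obvious faultiness: this variant crashed
            out["error"] = exc

    def execute(self, unpatched, patched, *args) -> Tuple[str, Any]:
        outs: Dict[str, Dict[str, Any]] = {"unpatched": {}, "patched": {}}
        threads = [threading.Thread(target=self._run, args=(fn, args, outs[name]))
                   for name, fn in (("unpatched", unpatched), ("patched", patched))]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        alive = [name for name, o in outs.items() if "error" not in o]
        for name, o in outs.items():
            self.faults[name] += "error" in o  # count crashes as prior history
        if not alive:
            raise RuntimeError("both variants faulted: %r" % outs)
        if len(alive) == 1:
            chosen = alive[0]  # the one that did not crash
        elif outs["patched"]["value"] == outs["unpatched"]["value"]:
            chosen = "patched"  # both agree: adopt the patch
        elif self.faults["patched"] != self.faults["unpatched"]:
            chosen = min(self.faults, key=self.faults.__getitem__)  # fewer past faults wins
        else:
            chosen = self.ask_user(outs) if self.ask_user else "unpatched"
        return chosen, outs[chosen]["value"]


# Constructed sample segment: a length-prefixed record parser. The unpatched
# version indexes past the buffer on a short record; the patch adds the check.
def parse_unpatched(buf: bytes) -> bytes:
    return bytes(buf[i] for i in range(1, 1 + buf[0]))


def parse_patched(buf: bytes) -> bytes:
    if 1 + buf[0] > len(buf):
        return b""  # malformed record: reject instead of reading past the end
    return buf[1:1 + buf[0]]
```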



Also Published In: Third Workshop on Hot Topics in System Dependability (HotDep'07), 26 June 2007, Edinburgh, UK

Academic Unit: Computer Science

Published Here: July 11, 2012