Opus: Online patches and updates for security

14th USENIX Security Symposium

Volumn , Issue , 2005, Pages 287-302

  Altekar, Gautam ^a   Bagrak, Ilya ^a   Burstein, Paul ^a   Schultz, Andrew ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

C PROGRAMS; DYNAMIC SOFTWARES; INTERACTIVE APPLICATIONS; PRIOR KNOWLEDGE; RUNTIME OVERHEADS; RUNTIMES; SECURITY PATCHES; STOP-AND-RESTART;

C (PROGRAMMING LANGUAGE);

EID: 33745936329     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (32)

1. US-CERT Vulnerability Notes Database. http://www.kb.cert.org/vuls/.
2. Apache security bulletin. http://httpd.apache.org/info/security_bulletin_20020617.txt, June 2002.
3. ARBAUGH, W. A., FITHEN, W. L., AND MCHUGH, J. Windows of vulnerability: A case study analysis. In IEEE Computer (2000).
4. ARCE, I., AND LEVY, E. An analysis of the slapper worm. IEEE Security and Privacy 1, 1 (2003), 82–87.
5. BEATTIE, S., ARNOLD, S., COWAN, C., WAGLE, P., WRIGHT, C., AND SHOSTACK, A. Timing the application of security patches for optimal uptime. In LISA (2002), USENIX, pp. 233–242.
6. BREWER, E. Lessons from giant-scale services. In IEEE Internet Computing (Aug. 2001).
7. CANDEA, G., KAWAMOTO, S., FUJIKI, Y., FRIEDMAN, G., AND FOX, A. Microreboot - a technique for cheap recovery. In Proceedings of the 6th Operating System Design and Implementation (Dec. 2004), pp. 31–44.
8. CERT. CERT Advisory CA-2002-17 Apache Web Server Chunk Handling Vulnerability. http://www.cert.org/advisories/CA-2002-17.html, June 2002.
9. DTORS.NET. Apache chunked encoding example exploit. http://packetstormsecurity.org/0207- exploits/ apache- chunk.c.
10. DUGGAN, D. Type-based hot swapping of running modules (extended abstract). In ICFP’01: Proceedings of the sixth ACM SIGPLAN international conference on Functional programming (2001), ACM Press, pp. 62–73.
11. DUNAGAN, J., ROUSSEV, R., DANIELS, B., JOHNSON, A., VERBOWSKI, C., AND WANG, Y.-M. Towards a self-managing software patching process using persistent-state manifests. In International Conference on Autonomic Computing (ICAC) 2004 (2004).
12. FREE SOFTWARE FOUNDATION, INC. UsingtheGNUCompiler Collection. Boston, MA, USA, 2004.
13. GOBBLES SECURITY. Apache “scalp” exploit. http://www.hackindex.org/boletin/0602/apache-scalp.c.
14. GUPTA, D., AND JALOTE, P. On-line software version change using state transfer between processes. Softw., Pract. Exper. 23, 9 (1993), 949–964.
15. GUPTA, D., JALOTE, P., AND BARUA, G. A formal framework for on-line software version change. IEEE Trans. Softw. Eng. 22, 2 (1996), 120–131.
16. HICKS, M., MOORE, J. T., AND NETTLES, S. Dynamic software updating. In PLDI’01: Proceedings of the ACM SIGPLAN 2001 conference on Programming language design and implementation (2001), ACM Press, pp. 13–23.
17. HORWITZ, S. Identifying the semantic and textual differences between two version of a program. In Proceedings of the ACM SIGPLAN 90 Conference on Programming Language Design and Implementation (June 1990), pp. 234–245.
18. INTERNATIONAL ORGANIZATION FOR STANDARDIZATION. ISO/IEC9899:1990: Programminglanguages—C. International Organization for Standardization, Geneva, Switzerland, 1990.
19. K-OTIK SECURITY. Remote MySQL Priviledges Exploit. http://www.k-otik.com/exploits/09.14.mysql.c.php.
20. MITUZAS, D. Freebsd scalper worm. http://dammit.lt/apache-worm/.
21. NECULA, G. C., MCPEAK, S., RAHUL, S. P., AND WEIMER, W. Cil: Intermediate language and tools for analysis and transformations of c programs. In Proceedings of the 11th International Conference on Compiler Construction (2002), pp. 213–228.
22. PESCOBITZ, D. Monsters in a box. Wired 8, 12 (2000), 341–347.
23. RESCORLA, E. Security holes . . . who cares? In 12th Usenix Security Symposium (Washington, D.C., August 2003), pp. 75–90.
24. SECURITEAM.COM. Local and Remote Exploit for MySQL (password scrambling). http://www.securiteam.com/exploits/5OP0G2A8UG.html.
25. SHANKAR, U., TALWAR, K., FOSTER, J. S., AND WAGNER, D. Detecting Format String Vulnerabilities with Type Qualifiers. In Proceedings of the 10th Usenix Security Symposium (Washington, D.C., Aug. 2001).
26. STOYLE, G., HICKS, M., BIERMAN, G., SEWELL, P., AND NEAMTIU, L. Mutatis mutandis: Safe and predictable dynamic software updating. In Proceedings of the 32nd ACM SIGPLANSIGACT Symposium on Principles of Programming Languages (2005), pp. 183–194.
27. THE SOFTWARE DEVELOPMENT LIFE CYCLE TASK FORCE, S. A. Improving security across the software development lifecycle. Tech. rep., National Cyber Security Partnership, April 2004.
28. US-CERT. Vulnerability Note VU#16532 BIND T NXT record processing may cause buffer overflow. http://www.kb.cert.org/vuls/id/16532, November 1999.
29. US-CERT. Vulnerability Note VU#715973 ISC BIND 8.2.2-P6 vulnerable to DoS via compressed zone transfer, aka the zxfr bug. http://www.kb.cert.org/vuls/id/715973, November 2000.
30. US-CERT. Vulnerability Note VU#184030 MySQL fails to properly evaluate zero-length strings in the check scramble 323() function. http://www.kb.cert.org/vuls/id/184030, July 2004.
31. US-CERT. Vulnerability Note VU#516492 MySQL fails to validate length of password field. http://www.kb.cert.org/vuls/id/516492, September 2004.
32. WANG, H. J., GUO, C., SIMON, D. R., AND ZUGENMAIER, A. Shield: Vulnerability-driven network filters for preventing known vulnerability exploits. In Proceedings of SIGCOMM’04 (Aug. 2004).