Page 1 Cite

Suggested Citation:"Workshop Introduction." National Academies of Sciences, Engineering, and Medicine. 2017. Software Update as a Mechanism for Resilience and Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/24833.

×

Workshop Introduction

The Forum on Cyber Resilience of the National Academies of Sciences, Engineering, and Medicine hosted a Workshop on Software Update at its Winter 2017 meeting on February 6, 2017, in Washington, D.C.

The workshop featured experts representing various industries, research laboratories, and government agencies. Speakers discussed experiences and challenges related to a range of issues surrounding software updates, reflecting on the historical evolution, exploring today’s tools and gaps, and considering future concerns and opportunities, especially as related to software update as a tool for improved cybersecurity and resilience. Participants identified key questions, suggested ideas, and closely examined uncertainties involved in improving software updates today and tomorrow.

The meeting was open to the public. This proceedings was created from the presenters’ slides and a full transcript of the workshop; it is intended to serve as a public record of the workshop presentations and discussions.

OPENING REMARKS

Fred B. Schneider, Ph.D., the Samuel B. Eckert Professor of Computer Science at Cornell University, member of the National Academy of Engineering, and Forum chair, opened

Page 2 Cite

Suggested Citation:"Workshop Introduction." National Academies of Sciences, Engineering, and Medicine. 2017. Software Update as a Mechanism for Resilience and Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/24833.

×

the meeting with a brief overview of the National Academies’ Forum on Cyber Resilience. He then introduced the workshop’s topic with a metaphor: recycling. Soda used to come only in large glass bottles, but eventually cheaper, more convenient metal cans and plastic bottles were introduced. The new packagings had an unfortunate side effect: increased litter. Rebate and recycling programs, as well as laws criminalizing litter, evolved to address this problem, although, Schneider noted, “It took a while to put all the right mechanisms in place.”

Like the landscape of soda bottles littering our streets before recycling, we now live in a world that is fast accumulating the remnants of “disposable” software, Schneider said. People constantly replace their devices, and software vulnerabilities are constantly discovered and fixed. But a great deal of vulnerable software remains in use. This software is desperately in need of updates that, for a variety of reasons, it’s not getting. This software and these vulnerable systems are a new form of litter.

Software update methods allow us to “cope with the reality that there are going to be vulnerabilities,” Schneider said, by either patching or replacing vulnerable software. As software continues to proliferate and our lives become ever more dependent on it, the consequences of vulnerabilities grow. Deploying updates securely is also an increasingly complex technical challenge. No longer are updates just one aspect of a developer’s responsibilities, but they have become a central aspect of the industry.

Although not updating software is clearly problematic for security, deploying software updates also comes with risks. If an update goes wrong, the device could break or provide an opening for attackers. Any sort of centralized or automated distribution of updates becomes an attractive target for attackers. Even sending physical disks with updates through the mail, a system previously used for updating flight-control software on commercial airplanes, is not necessarily secure. Updates also, as a side effect, advertise that previous versions of the software are vulnerable to attack, even pointing attackers to specific vulnerabilities that can be exploited in non-updated devices.

Recertification of software raises other issues. After performing an update, a Naval warship might require 6 months in port to recertify all of its systems, Schneider noted. The lengthy recertification process also required for airplanes and medical devices means that automated updates (such as the regularly scheduled updates from Microsoft, known as “Patch Tuesday”) would be untenable in those situations.

Economics is also a concern, underscored by the proliferation of ever-cheaper mobile devices and the applications people buy for them. At these low price points, or “hit-and-run sales,” manufacturers may assume they are not entering into a long-term relationship with consumers. Such manufacturers might not feel obligated to provide

Page 3 Cite

Suggested Citation:"Workshop Introduction." National Academies of Sciences, Engineering, and Medicine. 2017. Software Update as a Mechanism for Resilience and Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/24833.

×

software updates to provide the level of security that manufacturers of other types of products might provide. Users’ rights are also a factor: Deploying software updates can give manufacturers broad access to a user’s device, which raises potential privacy issues and creates antitrust minefields, Schneider said.

In short, cleaning up the “discarded soda bottles” of our Information Technology Ecosystem not only involves complex technical challenges, but economic, political, and social consequences, as well. The Forum provided a venue to dive into these issues, tease out nuances, and expose hidden assumptions surrounding the software updates.

Page 4 Cite

Suggested Citation:"Workshop Introduction." National Academies of Sciences, Engineering, and Medicine. 2017. Software Update as a Mechanism for Resilience and Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/24833.

×

Background and Context

The following information was provided to workshop speakers and attendees to offer context on software update issues and to provide a structure for the workshop and its intended purposes.

In October 2016, botnet malware known as Mirai was used to launch a disruptive denial of service attack on a Domain Name System (DNS) service provider. That disruption resulted in hundreds of popular websites and services being inaccessible for several hours. Mirai exploited the fact that numerous Internet of Things (IoT) devices, such as cameras and digital video recorders, still had vendor default usernames and passwords (and in some cases had unchangeable firmware passwords accessible via telnet and Secure Shell [SSH]).¹ This attack spotlighted several security challenges related to the mass proliferation of IoT devices; perhaps the most significant is that the software on many IoT devices is difficult or impossible to update.

Software updates have long been a mechanism through which security improvements in systems and devices are made. It is timely, then, to consider the value and prospects for software update as a security mechanism in the future. In what sorts of systems are software updates difficult? What makes it difficult? What incentives can be put in place to ensure that needed updates can be done?

Software-based systems undergird every type of critical infrastructure. Software enables business, manufacturing, transportation, and health care. Software is embedded in homes and offices, in safety-critical contexts, in entertainment contexts, and, increasingly, in wearable devices on human bodies. As bugs and vulnerabilities are discovered, as circumstances and requirements change, and as new features are developed, software updates are made available.

Software updates encompass a range of activities. Consumers are familiar with updating operating systems and individual applications. Enterprise information technology departments typically develop processes for how software updates will be implemented for their users. Providers of cloud services and Web-based applications update their products and systems regularly.

The question of how, when, and why to update software is not new. Before personal computers could be easily networked, updates had to be applied using physical media (“sneakerware”). Today, updates to some mobile phones, IoT devices, and even cars can arrive automatically over wireless connections directly from the software manufacturer. Many enterprises push automatic updates to users’ machines and devices. Consumers are sometimes given the option of having their personal devices update themselves automatically, whenever new software is available. In some cases, manufacturers will design systems so that updates are done automatically without allowing the consumer the choice.

Software updates are used to improve security and other important attributes as well as to provide upgrades or changes to software features. As security has become a priority over the last two decades, software update has become a key mechanism by which improvements in security in systems that are already deployed can be made. The development of mass automatic updates allows for fast application of patches when security problems in a given system or deployment need to be addressed.

Page 5 Cite

Suggested Citation:"Workshop Introduction." National Academies of Sciences, Engineering, and Medicine. 2017. Software Update as a Mechanism for Resilience and Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/24833.

×

Software updates as a security mechanism comes with other challenges and risks. As most users of information systems know, an update that goes wrong can have downsides ranging from minor incompatibilities with existing applications to loss of time spent reconfiguring systems or even destruction of data. Moreover, not all systems can be readily updated. Some IoT devices offer no obvious update capability—they may lack regular Internet connectivity, or the device may not have the computing resources to validate and install updates, or updates may no longer be available from the company that sold them. Some systems, such as medical devices, might require significant verification and validation after updating; and some, such as those on some Naval ships, cannot be updated while the ship is actively deployed. In such a case, what other options are available? When software update is possible, how should the update itself be verified and authenticated? When and how do we believe the update channel is secure enough that the benefits outweigh the risks? How should devices reject obsolete revisions? What security procedures should be employed when updates are issued?

Another challenge is that software updates for security reasons tend to happen under time pressure. At the same time, it may be important not to release an update until there’s a way to be sure to get it to everyone who needs it. This is because anyone who sees the update could potentially reverse engineer it to find and exploit the vulnerability that is being corrected. Ensuring that everyone who needs the update gets it can be a particular challenge in scenarios where the software developer does not or cannot themselves ensure that the update is sent to those who need it. Consider the following scenarios:

A software supplier releases the update to the device vendor; the device vendor has to “qualify” it before releasing it to customers. If device vendors are not diligent about getting the update out, some customers are left vulnerable, and reverse engineering by adversaries is possible based on customers (or device vendors) who do get the update.
Suppose a widely used open-source component is found to need a security update. If many organizations use the component, how can an update process be managed so that the update is developed and qualified for all of the organizations that rely on it without the knowledge of the vulnerability leaking and being exploited before the update is distributed?
Similar to the above: A developer ships software that depends on certain components, and those components require a software update for security reasons. How can the developer find everyone who needs to install this update?
Or, consider the challenge of updating products when the original developer is no longer available, or the product is out of support.

This workshop will bring together software experts, security experts, practitioners, and researchers to explore how software updates are accomplished and implications for security and resilience of systems that depend on software. Questions to explore include

General: How have “software updates” changed over time and what are prospects for the future? How do different technical sectors manage software updates? For what sorts of systems are software updates likely to be an appropriate method of deploying improvements in resilience and security? What are the advantages and disadvantages

Page 6 Cite

Suggested Citation:"Workshop Introduction." National Academies of Sciences, Engineering, and Medicine. 2017. Software Update as a Mechanism for Resilience and Security: Proceedings of a Workshop. Washington, DC: The National Academies Press. doi: 10.17226/24833.

×

of distinguishing and separating feature updates from security updates in software updates? What policy options are there to improve the practice and outcomes of software updates (e.g., what are the pros and cons of enforcing automatic updates)?

Security Risks: Do current practices related to software encourage vendors to ship buggy implementations on the assumption that bugs will be fixed later? If insecure-but-updatable products are the only ones available in the market, will they be used in high-value environments that will then fall to 0-day attacks?

End-of-Life: Should vendors be required to provide security updates? If so, for how long? When the support period ends, should source code and signing tools be made open-source to allow third-party updates? Who is liable when products fail (perhaps in unsafe ways) after their support period ends? What are the economic and environmental impacts when products are discarded because essential updates are no longer available?

User Rights: What rights and obligations should users have? For example, are disclosure of limitations and/or acceptance by end users required (or even practical given the difficulty of understanding legalese, lack of alternatives, and number of devices that users own)? Should users be allowed to reject safety-critical updates (e.g., that may facilitate denial of service attacks against others on the network)? Should patches to address security or safety vulnerabilities be treated differently from updates that modify functionality?

Privacy, Conflicting Interests: Should vendors be permitted to leverage security update mechanisms as a way to achieve other business objectives, such as obtaining data from users (e.g., to train vendor artificial intelligence systems), obtaining users’ consent to vendor-chosen contractual obligations, modifying device capabilities in ways that may be undesirable to the user, or pressing users to install software products unrelated to the one being updated? What challenges arise when multiple parties (e.g., telecommunications carriers and mobile operating system developers) are involved in software updates and what options are there for dealing with them?

Costs and Accounting: What are the long-term costs of maintaining software updates for products, and how should these costs be funded? When companies sell a product, do they need to take a charge for the future costs of producing updates for the product?

__________________

¹Krebs on Security, 2016, “Hacked Cameras, DVRs Powered Today’s Massive Internet Outage,” October 21, blog, https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage.

Software Update as a Mechanism for Resilience and Security: Proceedings of a Workshop (2017)

Chapter: Workshop Introduction

Workshop Introduction

OPENING REMARKS

Welcome to OpenBook!

Get Email Updates