
Windows Update Can Hurt Security

Submitted by Anonymous Coward on Thursday April 17 2008, @08:31PM
security
An anonymous reader writes "Researchers at Carnegie Mellon University have shown that given a buggy program and a patch, it is possible to automatically create an exploit. They demonstrate this by showing that automatic patch-based exploit generation for several Windows vulnerabilities and patches can be achieved within a few minutes of when a patch is first released. From the article: 'One important security implication is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update, ... can detract from overall security, and should be redesigned.' The full paper is available as PDF, and will appear at the IEEE Security and Privacy Symposium in May."

  • AFAICT, this article is showing how to create exploits from patches. This is a hard problem to fix, though. After all, a patch is revealing some information about the patched vulnerability. It seems like at best attackers will always be able to figure out what was patched, and the best we can do is slow them down.
    • It seems like at best attackers will always be able to figure out what was patched, and the best we can do is slow them down.
      The article gives two ways, if you read it. 1) Encrypt patches, then distribute, then provide the decryption key. Everyone can apply the patch simultaneously. 2) Obfuscate. Though obfuscation is impossible [cmu.edu], you can still make it really hard to analyze code.