From Security Patches to Updates (original title: Des correctifs de securite a la mise a jour)
Nicolas Loriant (OBASCO IRISA), Marc Segura Devillechaise (OBASCO, IRISA), Jean-Marc Menaud (OBASCO IRISA)

TL;DR
This paper introduces an integrated system enabling remote, on-the-fly security updates of applications without user intervention, using dynamic binary rewriting and patch management tools.
Contribution
It presents Arachne, an aspect weaving system for dynamic binary rewriting, and Minerve, a tool integrating Arachne into standard update processes for seamless security patch deployment.
Findings
Enables real-time security updates without stopping applications
Allows auditing of patches through a dedicated language
Facilitates deployment of critical security patches remotely
Abstract
The ever-growing complexity of software suggests that it will never be bug-free and therefore secure. Software companies regularly publish updates. But maybe because of lack of time or care, or maybe because stopping an application is annoying, such updates are rarely if ever deployed on users' machines. We propose an integrated tool allowing system administrators to deploy critical security updates on the fly on applications running remotely without end-user intervention. Our approach is based on an aspect weaving system, Arachne, that dynamically rewrites binary code. Hence updated applications are still running while they are updated. Our second tool, Minerve, integrates Arachne within the standard updating process: Minerve takes a patch produced by diff and eventually builds a dynamic patch that can later be woven to update the application on the fly. In addition, Minerve allows to consult…
Taxonomy
Topics: Advanced Software Engineering Methodologies · Software System Performance and Reliability · Software Engineering Research
