Software patches implicitly contain vulnerability information that may be abused to jeopardize the security of a system. At present, when a vendor supplies a binary program patch for an existing bug in a program, different users receive it at different points in time, and even if all users receive it simultaneously, they might not install it at the same time. This lag, or the difference in patch application times, creates a window of vulnerability extending from the time the first user receives the patch to the time when all users have installed the patch. An abuser who receives the patch earlier than some other users might disassemble the binary patch and figure out the problem for which the patch has been issued. Armed with this information about the program's weakness, he might be able to break into somebody else's machine or to abuse it in some other way. Operating system programs that implement security policies and daemon programs are particularly vulnerable in this situation.
The risks involved in patch distribution can be completely eliminated in either of the following two ways:
We study at least four ways of reducing the risk associated with patch distribution. These include co-ordinated patch distribution, the use of pseudo-patches, code rearrangement, and hardware-supported decryption.