Survivable Key Compromise in Software Update Systems
Today's software update systems have little or no defense against key compromise. As a result, key compromises have put millions of software update clients at risk. Here, the authors identify three classes of information whose authenticity and integrity are critical for secure software updates. Analyzing existing software update systems with this framework, they find that the systems' ability to communicate this information securely in the event of a key compromise is weak or nonexistent. They also find that the security problems in current software update systems are compounded by inadequate trust revocation mechanisms. They identify core security principles that allow software update systems to survive key compromise.