SolarWinds and the Challenges of Patching: Can We Ever Stop Dancing with the Devil?

Fabio Massacci, Trent Jaeger

Research output: Contribution to Journal, Comment / Letter to the editor (Academic)

Original language: English
Article number: 9382358
Pages (from-to): 14-19
Number of pages: 6
Journal: IEEE Security and Privacy
Volume: 19
Issue number: 2
Early online date: 22 Mar 2021
DOIs:
Publication status: Published - Mar 2021

Bibliographical note

Funding Information:
For example, to help customers to avoid compromises from updated features, existing functionalities may be protected from new and modified ones by using isolation techniques, such as privilege separation.[12] Automated support for privilege-separating programs is advancing. For example, we have developed techniques that automate the marshaling of dynamically sized data structures (e.g., arrays)[13] and enable developers to balance performance and security.[14] However, if updated features require access to sensitive data, privilege separation cannot protect that information. In this case, vendors must comprehensively vet those updates. One approach is to automate patching mechanisms to meet security properties. For example, we have recent work to validate that patches comply with memory safety,[15] although a more extensive set of properties will be required.

In addition to failings in the supply chain, intrusion detection systems (IDSs) also failed to detect the SolarWinds attack. According to a summary by FireEye,[16] the SUNBURST back door communicated with third-party servers via HTTP. Since HTTP requests to arbitrary servers are common, the firewall and the IDS did not flag this behavior. Such conduct was likely unexpected in the context of any updated SolarWinds feature. This shows that there is still a significant gap between application anomalies and what can be recognized by IDSs. We have proposed an approach that makes IDSs sensitive to threats in the program, host, and network layers[17] to improve the context awareness of detection methods. However, each of these directions remains a single point in a multidimensional space of in-depth defense that will be required to prevent future attacks. Software vendors are slowly adopting these defenses, but the rate of improvement continues to lag behind the threats. How vendors can adopt safeguards into their development processes more quickly and effectively remains a major challenge.

Joint Conclusions

Ignoring updates is a gamble, much as applying updates is a gamble. In either case, this roll of the dice is a symptom of our insufficient approaches to software development and maintenance on one side and intrusion detection and confinement on the other. We all have more work to do to gain the benefits of software and its updates without the risk. The SolarWinds hack is a wake-up call that a silver bullet does not exist and that innovative mixes of technical, organizational, and regulatory solutions might be the way forward. We look forward to hearing your opinions.

Acknowledgments

Fabio Massacci's work was supported, in part, by the European Commission, through grants 830929 (H2020-CyberSec4Europe, https://cybersec4europe.eu) and 952647 (H2020-AssureMOSS, https://assuremoss.eu). Trent Jaeger's work was sponsored by the U.S. Army Combat Capabilities Development Command Army Research Laboratory and was accomplished under Cooperative Agreement W911NF-13-2-0045 (ARL Cyber Security CRA) and National Science Foundation grants CNS-1801534 and CNS-1801601. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Combat Capabilities Development Command Army Research Laboratory, the U.S. Government, or the European Commission. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation hereon.

Copyright:
Copyright 2021 Elsevier B.V., All rights reserved.


Funders (funder number):
U.S. Army Combat Capabilities (no number listed)
Horizon 2020 Framework Programme (952647)
