Abstract
Secure and fast distribution of software updates and patches is essential for improving the functionality and security of computer systems. Today, each device downloads updates individually from a software provider's distribution server. Unfortunately, this approach does not scale to large systems with billions of devices, where the network bandwidth of the server and the local Internet gateway become bottlenecks. Cache-enabled Network (CN) services (either proprietary, such as Akamai, or open Content-Distribution Networks) can reduce these bottlenecks. However, they do not offer security guarantees against potentially untrusted CN providers that try to threaten the confidentiality of the updates or the privacy of the users. In this paper, we propose Updaticator, the first protocol for software updates over Cache-enabled Networks that is scalable to billions of concurrent device updates while being secure against malicious networks. We evaluate our proposal considering Named-Data Networking, a novel instance of Cache-enabled overlay Networks. Our analysis and experimental evaluation show that Updaticator removes the bottlenecks of individual device-update distribution by reducing the network load at the distribution server from linear in the number of devices to a constant, even if billions of devices are requesting updates. Furthermore, when compared to state-of-the-art individual device-update mechanisms, the download time with Updaticator is negligible, due to local caching.
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Ambrosin, M., Busold, C., Conti, M., Sadeghi, AR., Schunter, M. (2014). Updaticator: Updating Billions of Devices by an Efficient, Scalable and Secure Software Update Distribution over Untrusted Cache-enabled Networks. In: Kutyłowski, M., Vaidya, J. (eds) Computer Security - ESORICS 2014. ESORICS 2014. Lecture Notes in Computer Science, vol 8712. Springer, Cham. https://doi.org/10.1007/978-3-319-11203-9_5
DOI: https://doi.org/10.1007/978-3-319-11203-9_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-11202-2
Online ISBN: 978-3-319-11203-9
eBook Packages: Computer Science (R0)