Dumitras Receives NSF Award to Study Software Update Vulnerabilities
Tudor Dumitras (ECE/ UMIACS/ Maryland Cybersecurity Center ) has received a National Science Foundation (NSF) award to study how well software updating mechanisms work.
The two-year award for approximately $175,000 is part of the NSF’s Secure and Trustworthy Cyberspace (SaTC) program. The funding also falls under the NSF CISE Research Initiation Initiative (CRII), given to talented young faculty who are in their first two years of a tenure-track academic position.
“Tudor was one of four new faculty to join the Maryland Cybersecurity Center almost two years ago. All of them are performing exceedingly well, and this particular award is representative of that,” says Jonathan Katz, director of MC2.
The research funded by the SaTC grant will look at the “timeliness” of organizations protecting their cyber infrastructure with security patches.
In order to prevent cyber attacks, security updates should be installed as soon as the software vendor releases them, Dumitras says. But often there are times when—for a variety of reasons—updates are not applied in a timely manner, giving cybercriminals the opportunity to exploit a system.
“This is important because software updates often include patches to vulnerabilities that if left unpatched, would allow hackers to access those systems,” he says.
For example, Dumitras says, popular applications like Web browsers, media players or document editors and readers often have vulnerabilities that may allow criminals to steal sensitive information like passwords, credit card numbers or medical records, or to control those hosts remotely for sending spam or for launching other cyber attacks.
Dumitras, working with second-year electrical and computer engineering doctoral student Ziyun Zhu, will use the SaTC funding to conduct research that examines how quickly software updates are deployed on millions of hosts around the world, as well as what causes updating delays.
The team will then build mathematical models to quantify the trade-offs between reliability and security when updating software.
“We’re trying to see if patch deployment is more like physical laws, which we know can be described using elegant mathematical equations,” Dumitras says. “Or, if it’s more like the weather, which is governed by interactions that are too complex to be modeled accurately.”
“This is important because software updates often include patches to vulnerabilities that if left unpatched, would allow hackers to access those systems."
Dumitras and Zhu are working to come up with mathematical models for patch deployment so they can predict what the window of vulnerability will be for future exploits. Their work may also highlight opportunities for improving software-update mechanisms.
Dumitras plans to disseminate the results from the SaTC project through workshops, by releasing data sets with augmented information about software vulnerabilities, and by collaborating with industry partners to evaluate the proposed techniques in real-world settings.
To read more about the SaTC project, go here.
To see a video overview of cybersecurity work by Dumitras, go here.
—Story by Melissa Brachfeld
Published May 15, 2015