THE NATIONAL ACADEMIES PRESS 500 Fifth Street, NW Washington, DC 20001
This project was supported by the National Science Foundation under award number CNS-14194917 and the National Institute of Standards and Technology under award number 60NANB16D311. Any opinions, findings, conclusions, or recommendations expressed in this publication do not necessarily reflect the views of any organization or agency that provided support for this project.
International Standard Book Number-13: 978-0-309-46288-4
International Standard Book Number-10: 0-309-46288-6
Digital Object Identifier: https://doi.org/10.17226/24833
Additional copies of this publication are available for sale from the National Academies Press, 500 Fifth Street, NW, Keck 360, Washington, DC 20001; (800) 624-6242 or (202) 334-3313; http://www.nap.edu.
Copyright 2017 by the National Academy of Sciences. All rights reserved.
Printed in the United States of America
Suggested citation: National Academies of Sciences, Engineering, and Medicine. 2017. Software Update as a Mechanism for Resilience and Security: Proceedings of a Workshop. Forum on Cyber Resilience Workshop Series. Washington, DC: The National Academies Press. doi: https://doi.org/10.17226/24833.
Consensus Study Reports published by the National Academies of Sciences, Engineering, and Medicine document the evidence-based consensus on the study’s statement of task by an authoring committee of experts. Reports typically include findings, conclusions, and recommendations based on information gathered by the committee and the committee’s deliberations. Each report has been subjected to a rigorous and independent peer-review process and it represents the position of the National Academies on the statement of task.
Proceedings published by the National Academies of Sciences, Engineering, and Medicine chronicle the presentations and discussions at a workshop, symposium, or other event convened by the National Academies. The statements and opinions contained in proceedings are those of the participants and are not endorsed by other participants, the planning committee, or the National Academies.
For information about other products and activities of the National Academies, please visit www.nationalacademies.org/about/whatwedo.
FORUM ON
Cyber
Resilience
WORKSHOP SERIES
Software Update as a Mechanism
for Resilience and Security
PROCEEDINGS OF A WORKSHOP
Anne Frances Johnson and Lynette I. Millett, Rapporteurs
THE NATIONAL ACADEMIES PRESS
Washington, DC
www.nap.edu
The National Academy of Sciences was established in 1863 by an Act of Congress, signed by President Lincoln, as a private, nongovernmental institution to advise the nation on issues related to science and technology. Members are elected by their peers for outstanding contributions to research. Dr. Marcia McNutt is president.
The National Academy of Engineering was established in 1964 under the charter of the National Academy of Sciences to bring the practices of engineering to advising the nation. Members are elected by their peers for extraordinary contributions to engineering. Dr. C. D. Mote, Jr., is president.
The National Academy of Medicine (formerly the Institute of Medicine) was established in 1970 under the charter of the National Academy of Sciences to advise the nation on medical and health issues. Members are elected by their peers for distinguished contributions to medicine and health. Dr. Victor J. Dzau is president.
The three Academies work together as the National Academies of Sciences, Engineering, and Medicine to provide independent, objective analysis and advice to the nation and conduct other activities to solve complex problems and inform public policy decisions. The National Academies also encourage education and research, recognize outstanding contributions to knowledge, and increase public understanding in matters of science, engineering, and medicine.
Learn more about the National Academies of Sciences, Engineering, and Medicine at www.nationalacademies.org.
COMMITTEE ON CYBER RESILIENCE WORKSHOP SERIES
FRED B. SCHNEIDER, NAE,1 Cornell University, Chair
ANITA ALLEN, NAM,2 University of Pennsylvania
ERIC GROSSE, Independent Consultant
BUTLER W. LAMPSON, NAS3/NAE, Microsoft Corporation
SUSAN LANDAU, Worcester Polytechnic Institute
Staff
LYNETTE I. MILLETT, Director, Forum on Cyber Resilience
EMILY GRUMBLING, Program Officer
SHENAE BRADLEY, Senior Program Assistant
___________________
1 National Academy of Engineering.
2 National Academy of Medicine.
3 National Academy of Sciences.
FORUM ON CYBER RESILIENCE
FRED B. SCHNEIDER, NAE, Cornell University, Chair
ANITA ALLEN, NAM, University of Pennsylvania
BOB BLAKLEY, CitiGroup
FRED CATE, Indiana University
DAVID D. CLARK, NAE, Massachusetts Institute of Technology
RICHARD DANZIG, Johns Hopkins University Applied Physics Laboratory
ERIC GROSSE, Independent Consultant
DAVID HOFFMAN, Intel Corporation
PAUL KOCHER, Cryptography Research, Inc.
TADAYOSHI KOHNO, University of Washington
BUTLER W. LAMPSON, NAS/NAE, Microsoft Corporation
SUSAN LANDAU, Worcester Polytechnic Institute
STEVEN B. LIPNER, NAE, Independent Consultant
DEIRDRE K. MULLIGAN, University of California, Berkeley
TONY SAGER, Center for Internet Security
WILLIAM SANDERS, University of Illinois, Urbana-Champaign
PETER SWIRE, Georgia Institute of Technology
DAVID VLADECK, Georgetown University
MARY ELLEN ZURKO, Independent Cybersecurity Consultant
Ex Officio
DONNA F. DODSON, National Institute for Standards and Technology
JAMES KUROSE, National Science Foundation
WILLIAM B. MARTIN, National Security Agency
Staff
LYNETTE I. MILLETT, Director
EMILY GRUMBLING, Program Officer
KATIRIA ORTIZ, Research Associate
SHENAE BRADLEY, Administrative Assistant
For more information about the Forum, see its website at http://www.cyber-forum.org, or e-mail the Forum at cyberforum@nas.edu.
COMPUTER SCIENCE AND TELECOMMUNICATIONS BOARD
FARNAM JAHANIAN, Carnegie Mellon University, CSTB Chair
LUIZ ANDRÉ BARROSO, Google, Inc.
STEVEN M. BELLOVIN, NAE, Columbia University
ROBERT F. BRAMMER, Brammer Technology, LLC
DAVID CULLER, NAE, University of California, Berkeley
EDWARD FRANK, Cloud Parity, Inc.
LAURA HAAS, NAE, IBM Corporation
MARK HOROWITZ, NAE, Stanford University
ERIC HORVITZ, NAE, Microsoft Corporation
VIJAY KUMAR, NAE, University of Pennsylvania
BETH MYNATT, Georgia Institute of Technology
CRAIG PARTRIDGE, Raytheon BBN Technologies
DANIELA RUS, NAE, Massachusetts Institute of Technology
FRED B. SCHNEIDER, NAE, Cornell University
MARGO SELTZER, Harvard University
JOHN STANKOVIC, University of Virginia
MOSHE VARDI, NAS/NAE, Rice
KATHERINE YELICK, NAE, University of California, Berkeley
Staff
JON EISENBERG, Director
LYNETTE I. MILLETT, Associate Director
VIRGINIA BACON TALATI, Program Officer
SHENAE BRADLEY, Administrative Assistant
JANEL DEAR, Senior Program Assistant
EMILY GRUMBLING, Program Officer
RENEE HAWKINS, Financial and Administrative Manager
KATIRIA ORTIZ, Research Associate
For more information on CSTB, see its website at http://www.cstb.org, write to CSTB, National Research Council, 500 Fifth Street, NW, Washington, DC 20001, call (202) 334-2605, or e-mail the CSTB at cstb@nas.edu.
ACKNOWLEDGMENT OF REVIEWERS
This Proceedings of a Workshop was reviewed in draft form by individuals chosen for their diverse perspectives and technical expertise. The purpose of this independent review is to provide candid and critical comments that will assist the National Academies of Sciences, Engineering, and Medicine in making each published proceedings as sound as possible and to ensure that it meets the institutional standards for quality, objectivity, evidence, and responsiveness to the charge. The review comments and draft manuscript remain confidential to protect the integrity of the process.
We thank the following individuals for their review of this proceedings:
Edward Felten, Princeton University,
Kevin Fu, University of Michigan,
William Sanders, University of Illinois, Urbana, Champaign, and
Mary Ellen Zurko, Independent Cybersecurity Consultant.
Although the reviewers listed above provided many constructive comments and suggestions, they were not asked to endorse the content of the proceedings nor did they see the final draft before its release. The review of this proceedings was overseen by Steven M. Bellovin, NAE,1 Columbia University. He was responsible for making certain that an independent examination of this proceedings was carried out in accordance with standards of the National Academies and that all review comments were carefully considered. Responsibility for the final content rests entirely with the rapporteurs and the National Academies.
___________________
1 National Academy of Engineering.
Preface
The Forum on Cyber Resilience—a roundtable established in 2015 by the National Academies of Sciences, Engineering, and Medicine—facilitates and enhances the exchange of ideas among scientists, practitioners, and policy makers who are concerned with urgent and important issues related to the resilience of the nation’s computing and communications systems, including the Internet, other critical infrastructures, and commercial systems. Forum activities help inform and engage a broad range of stakeholders around issues involving technology and policy related to cyber resilience, cybersecurity, privacy, and related emerging issues. A key role for the Forum is to surface and explore topics that advance the national conversation.
In 2016, the Forum held a workshop exploring the topic of cryptographic agility and its implications for security and resilience. That workshop was summarized in Cryptographic Agility and Interoperability: Proceedings of a Workshop. Discussions during and subsequent to that workshop made clear that software update is an important mechanism by which security changes and improvements are made in software. Preliminary conversations among members revealed that this seemingly simple concept encompasses a wide variety of practices, mechanisms, policies, and technologies.
To explore the landscape further, the Forum decided to host a workshop. The workshop featured invited speakers from government, the private sector, and academia. This proceedings summarizes presentations made by invited speakers and other remarks by workshop participants. In keeping with the workshop’s exploratory
purpose, the proceedings does not contain findings or recommendations. Nor, in keeping with National Academies guidelines for workshop proceedings, does it necessarily report consensus views of the workshop participants or organizing committee. A planning group appointed to oversee all Forum workshops was limited to planning the workshop, and this workshop proceedings was prepared by the workshop rapporteurs and Forum staff as a factual summary of what occurred at the workshop. The document draws on prepared remarks of workshop speakers, comments made by workshop participants, and ensuing discussions.
The introductory section summarizes the introduction to the workshop and reproduces background material provided to all participants. Chapters 1 through 10 summarize speaker presentations. Chapter 11 describes the content of the final plenary discussion, highlighting some of the broader themes that emerged throughout the workshop. An Afterword offers additional commentary on the policy and technical aspects of the software update challenge. The agenda of the workshop is in Appendix A. Short biosketches of the planning group and speakers appear in Appendixes B and C, respectively.
My sincere thanks to the planning group, Forum members, and staff who helped organize the workshop, as well as to the invited speakers for their thoughtful remarks and enthusiastic participation in the discussions that ensued. Writing support was provided by Anne Frances Johnson and Kathleen Pierce, Creative Science Writing. Special thanks to Eric Grosse for his contributions to the Afterword. I also extend our appreciation to the National Science Foundation, the National Security Agency, the Special Cyber Operations Research and Engineering Working Group, and the National Institute of Standards and Technology for their support and encouragement of Forum activities.
Fred B. Schneider, Chair
Forum on Cyber Resilience
Contents
1 POLICY CONSIDERATIONS:
THE INTERSECTION OF PUBLIC VALUES AND PRIVATE INFRASTRUCTURE
Policy Considerations for Creating an Update Infrastructure
Key Challenges Involved in Creating an Update Infrastructure
Guiding Principles for Cybersecurity
Key Players and the Need for Dialogue
The Challenge of Keeping Up With the Pace of Technological Advancement
2 TECHNICAL CONSIDERATIONS FOR SECURE SOFTWARE UPDATES
Vulnerabilities in Older Systems
Special Concerns for Embedded Medical Devices
Legal Mechanisms for Disclosure and Updates
Other Potential Solutions to Address Vulnerability
3 MICROSOFT’S APPROACH TO SOFTWARE UPDATES
A New Model for Building and Delivering Updates
Quality Updates Versus Feature Updates
Behind the Scenes on “Update Tuesday”
4 UPDATE ISSUES FOR OPEN-SOURCE SOFTWARE
Inherent Challenges to Securing Open-Source Software
Dealing with the Fear of Destabilization
Open Source in the Internet of Things
5 CISCO’S APPROACH TO SOFTWARE UPDATES
6 ENSURING ROBUST FIRMWARE UPDATES
Unique Attributes of SEL’s Market Space
Managing Firmware and Software Updates
Other Mechanisms for Maintaining Secure Systems
Fostering Development Expertise and Broader Lessons for the Software Industry
7 UPDATES IN THE CONSUMER ELECTRONICS INDUSTRY
Challenges from Using Off-the-Shelf Components
Additional Technical Complexities
8 SOFTWARE UPDATES IN AUTOMOTIVE ELECTRONIC CONTROL UNITS
History of Electronic Control Units
The Challenge of Limited Networking Capabilities
Other Challenges to Software Delivery
9 THE NIST PERSPECTIVE ON SOFTWARE UPDATES
10 PROTECTING CONSUMERS FROM SOFTWARE UPDATE RISKS
A Workshop Agenda and Participants List