Are Patched Machines Really Fixed?
R. Gardner, M. Bishop, and T. Kohno, “Are Patched Machines Really Fixed?,” IEEE Security and Privacy 7(5) pp. 82–88 (Sep. 2009).
- Published version, paper paywalled at IEEE Explore: [DOI] [URL]
- Authors’ final version:
Updating and patching has become a ubiquitous part of software maintenance, with particular importance to security. It’s especially crucial when the systems in question perform vital functions and security compromises might yield drastic consequences. Unfortunately, updates intended to remediate security problems are sometimes incomplete, are flawed, or introduce new vulnerability themselves. The authors present several examples of such instances in a widely used electronic voting system, a device for which security is critical. A central lesson of the study is that evaluating a system’s security by examining changes between revisions is insufficient; you must evaluate and analyze the system as a whole.