Secure Software Updates: Update Like Conficker

The presentation
Software updates are an often-forgotten backbone of modern software. The one constant for a piece of deployed software is that it will need to be updated for bugs, security issues and feature additions. Distributing a software update to thousands or even millions of users is a difficult task, with severe reliability and security challenges. Most applications don't do it right. The recent Conficker worm's update mechanism is a case study of how to create a resilient, cryptographically sound update mechanism that can defeat legions of Internet infrastructure administrators and malicious attackers attempting to stop or take over the botnet. Google's recently open-sourced desktop software update mechanism will be examined as well. These update mechanisms will be compared with the typical, insecure software update mechanism. Such typical mechanisms usually provide only integrity for their updates, which is not good enough to create a trusted update mechanism. The presentation will focus on how and why to provide authenticity, integrity and even confidentiality in your software update mechanisms.

The speaker
Jeremy Allen is currently a Senior Software Security Consultant for Foundstone Inc. (a division of McAfee). Jeremy is responsible for conducting threat modeling, code reviews, reverse engineering and application security assessments. He also assists clients with building security into their software development lifecycle (S-SDLC). Jeremy is an instructor for the Building Secure Software and Writing Secure Code: Java courses. For Foundstone, Jeremy has conducted source code reviews in C, C++, Java and C#, including both kernel-mode and application software. He has also performed reverse engineering and debugging of unknown malicious binaries and rootkits to determine their functionality and how they interacted with the hosts they infected. Jeremy has also authored and contributed to a variety of Secure Software Development Life Cycle documents for corporations with large software development practices and performed application penetration testing against large enterprise applications.