28 Apr 2016 - Alastair Beresford

Abstract

Writing vulnerability-free code is currently impossible. The best we can hope for is whack-a-mole security: fixing bugs and updating Internet-enabled devices before remote exploitation occurs. Unfortunately, security updates are not always delivered in a timely fashion, or at all. Drawing on data gathered about the Android ecosystem, we find that, over a four-year period, 87.7% of Android devices are, on average, exposed to at least one of 11 known critical operating system vulnerabilities. The story at the app level is also worrying: we predict that the fix for the Java-to-JavaScript bridge flaw will take over 5 years to reach 95% of devices. The talk finishes with a discussion on how to improve incentives to encourage better performance in the production and delivery of security updates for Internet-enabled devices.


Whack-a-mole security: incentivising the production, delivery and installation of security updates

Informatics Forum room 4.31/33