Revamping Security Patching with Virtual Patches
Security patching is the only widely deployed proactive defense against software vulnerabilities. Yet users routinely fail to apply security patches. The primary reason is that patches are unreliable, disruptive, and often hard to uninstall. Considering that roughly 90% of attacks exploit known vulnerabilities, we need to rethink how we create and apply security patches.
In this talk, I'll present a new type of patch called a "virtual patch". A virtual patch is a software patch with two clearly denoted parts: (1) a check and (2) a fix. By isolating the check in its own protection domain, a virtual patch provides a strong safety guarantee: the patch has no side effects on the application until the vulnerability is actually triggered. Moreover, since a virtual patch is simply a check followed by a fix, it can be inserted into a running application without requiring a restart. Finally, a virtual patch makes no changes to the user's system, so it can be uninstalled easily.
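The following is an added illustration of the check-then-fix structure described above; it is not code from the talk, and the mechanisms it uses are stand-ins: the check's "protection domain" is approximated by making it a pure, read-only predicate, live insertion and uninstallation are approximated by swapping a function pointer, and the vulnerable routine, buffer size and inputs are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16  /* constructed: size of the vulnerable stack buffer */

typedef int (*greet_fn)(char *out, size_t outsz, const char *name);

/* Constructed vulnerable routine: copies an attacker-controlled name into a
 * fixed buffer with no length check. Any name of NAME_MAX bytes or more
 * overflows buf. Behaviour for short names is the baseline the patch must
 * preserve byte-for-byte. */
static int greet_unpatched(char *out, size_t outsz, const char *name) {
    char buf[NAME_MAX];
    strcpy(buf, name); /* overflow when strlen(name) >= NAME_MAX */
    snprintf(out, outsz, "hello, %s", buf);
    return 0;
}

/* The CHECK: a pure predicate over the request. It reads its input and
 * returns true exactly when the original code would overflow. It writes
 * nothing and keeps no state, which is the property that lets it run in a
 * separate protection domain without side-effecting the application. */
bool vp_check(const char *name) {
    return strlen(name) >= NAME_MAX;
}

/* The FIX: runs only after the check has fired. Here it refuses the request
 * instead of reaching the unsafe copy; a fix could equally truncate. */
int vp_fix(char *out, size_t outsz, const char *name) {
    (void)name;
    snprintf(out, outsz, "rejected: name exceeds %d bytes", NAME_MAX - 1);
    return -1;
}

/* Virtual patch = check followed by fix, falling through to the original
 * code whenever the check does not fire. */
static int greet_patched(char *out, size_t outsz, const char *name) {
    if (vp_check(name))
        return vp_fix(out, outsz, name);
    return greet_unpatched(out, outsz, name);
}

/* Live insertion and removal, modelled as a pointer swap: nothing on disk
 * changes and nothing needs a restart. */
static greet_fn greet_impl = greet_unpatched;
void vp_install(void)   { greet_impl = greet_patched; }
void vp_uninstall(void) { greet_impl = greet_unpatched; }
bool vp_installed(void) { return greet_impl == greet_patched; }

/* Application entry point that callers use; dispatches through the pointer. */
int greet(char *out, size_t outsz, const char *name) {
    return greet_impl(out, outsz, name);
}

int main(void) {
    char out[64];
    const char *benign = "alice";
    const char *hostile = "AAAAAAAAAAAAAAAAAAAA"; /* constructed: 20 bytes */

    vp_install();
    greet(out, sizeof out, benign);
    printf("patched, benign : %s\n", out);      /* unchanged behaviour */
    greet(out, sizeof out, hostile);
    printf("patched, hostile: %s\n", out);      /* fix path, no strcpy */
    vp_uninstall();
    printf("installed after uninstall: %s\n", vp_installed() ? "yes" : "no");
    return 0;
}
```

The two properties worth checking on real input are the ones the abstract promises: for every input on which the check is false, the patched and unpatched paths produce identical output, and the boundary input (here a 15-byte name, the longest that fits) still takes the original path, while the first overflowing length (16 bytes) takes the fix.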
author = {Gautam Altekar},
title = {Revamping Security Patching with Virtual Patches},
year = {2005},
address = {Baltimore, MD},
publisher = {USENIX Association},
month = jul
}