The Dark Side of Auto-Upgrade: Solution of New Auto-Upgrade Weaknesses


Bibliographic Details
Main Authors: Ruei-Min Jiang, 江瑞敏
Other Authors: Fu-Hau Hsu
Format: Others
Language: zh-TW
Published: 2015
Online Access: http://ndltd.ncl.edu.tw/handle/33phcu
Description
Summary: Master's === National Central University === Department of Computer Science and Information Engineering === 103 === In recent decades, more and more applications have used an auto-upgrade mechanism to update their own programs. Although the Auto-Upgrade mechanism makes upgrading an application simple and convenient for the end user, few people are concerned about the security vulnerabilities that arise when implementing such a mechanism. Recently, however, more and more cases have shown up that suggest the Auto-Upgrade mechanism is not as secure as we think. In this paper we show not only that the Auto-Upgrade mechanism has some critical security weaknesses, but also that an attacker can use these security weaknesses to compromise end users' systems. This kind of attack allows an attacker to install malicious software on a victim's system without the end user's awareness. Instead of using HTTPS to prevent this kind of attack, in this paper we also recommend a defense mechanism that not only secures the Auto-Upgrade mechanism but also has a much lower performance impact compared to HTTPS.