Scalable trust establishment with software reputation

Sven Bugiel, Lucas Vincenco Davi, Steffen Schulz
2011 Proceedings of the sixth ACM workshop on Scalable trusted computing - STC '11  
Users and administrators are often faced with the choice between different software solutions, and sometimes even have to assess the security of complete software systems. With sufficient time and resources, such decisions can be based on extensive testing and review. However, in practice this is often too expensive and time consuming: when a user decides between two alternative software solutions, or when a verifier must assess the security of a complete software system during remote attestation, such assessments should happen almost in real time. In this paper, we present a pragmatic but highly scalable approach for the trustworthiness assessment of software programs based on their security history. The approach can be used, e.g., to automatically sort programs in an App store by their security record, or on top of remote attestation schemes that aim to assess the trustworthiness of complex software configurations. We implement our approach for the popular Debian GNU/Linux system, using publicly available information from open-source repositories and vulnerability databases. Our evaluation shows reasonable prediction accuracy for the more vulnerable packages and good accuracy when considering entire system installations.
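As an added illustration of the idea the abstract sketches, not the paper's own method or data: a toy reputation score derived from a constructed vulnerability history, used to rank packages and to aggregate a score over a whole installation. The scoring rule (exposure window discounted by age with a one-year half-life), the sample records and the package names are all assumptions made here.

```python
from collections import defaultdict
from datetime import date

# Constructed sample security history; these are NOT records from the paper or
# from any real vulnerability database. Each entry: (package, disclosure date,
# fix date or None if no fix has shipped yet).
HISTORY = [
    ("pkg-a", date(2009, 3, 1), date(2009, 3, 4)),
    ("pkg-a", date(2010, 6, 10), date(2010, 6, 12)),
    ("pkg-b", date(2008, 1, 5), date(2008, 4, 5)),    # about three months exposed
    ("pkg-b", date(2010, 11, 1), date(2010, 11, 3)),
    ("pkg-b", date(2011, 2, 1), date(2011, 2, 2)),
    ("pkg-c", date(2007, 5, 1), date(2007, 5, 2)),
    ("pkg-d", date(2011, 7, 1), None),                 # still unfixed
]
TODAY = date(2011, 8, 1)  # fixed reference date so the results are reproducible

def package_risk(history, today, half_life_days=365.0):
    """Risk per package: sum over its vulnerabilities of the exposure window
    (days from disclosure to fix; an open window runs until `today`), discounted
    by the age of the disclosure with the given half-life. Lower is better."""
    risk = defaultdict(float)
    for pkg, disclosed, fixed in history:
        end = fixed if fixed is not None else today
        exposure = max(1, (end - disclosed).days)      # a same-day fix still counts
        age = (today - disclosed).days
        risk[pkg] += exposure * 0.5 ** (age / half_life_days)
    return dict(risk)

def rank_packages(history, today):
    """Packages ordered from best to worst security record (e.g. for an App store)."""
    risk = package_risk(history, today)
    return sorted(risk, key=risk.__getitem__)

def system_risk(installed, history, today):
    """Aggregate for a whole installation: total risk plus the number of installed
    packages with no history at all (no record is not the same as a clean record)."""
    risk = package_risk(history, today)
    total = sum(risk.get(p, 0.0) for p in installed)
    unknown = sum(1 for p in installed if p not in risk)
    return total, unknown
```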
doi:10.1145/2046582.2046587 dblp:conf/ccs/BugielD011 fatcat:znox37ei3rb5pnzvz3fnegctee