TULiPS

Technology Usability Lab in Privacy and Security


Software Updates

Updating software is one of the most effective methods of protecting computers from security vulnerabilities, yet many people choose not to install updates. In this project we look at all types of users to understand how people approach the problem of updating software and what potential solutions look like.

The automatic installation of updates is a contentious issue between end users, admins, and developers. End users want a safe and bother-free user experience. Security professionals want to see vulnerabilities patched, as infected devices are often used to attack other systems and compromise the networks they are connected to. Software developers want to support fewer legacy installations. The result is a set of conflicting goals.

End Users

End users are regularly asked to update all types of software, including mobile apps, applications, operating systems, and firmware on devices like robot vacuums. Our work talking to end users suggests that they do not associate updates with security unless the software being updated has an obvious security role, such as an anti-virus. Instead they update because they feel it is something they are supposed to do. Updates are seen as necessary to get new features, fix bugs, and ensure compatibility with other technologies. End users do sometimes choose to "skip" an update or to stop updating altogether. Common reasons tend to be related to the risk of disruption, including: unexpected user interface changes that then cost time learning new interactions, the time required for the installation, potential instability of the new version, and loss of features.

System Administrators and Developers

Many serious security compromises could have been prevented using basic patch management, including WannaCry and the Experian data breach. Yet these systems are not being patched at nearly the rate we would like. This project looks at system administrators and endeavors to determine the barriers they face when attempting to keep a system updated.

Publications

  1. Out of the loop: How automated software updates cause unintended security consequences [bibtex]
    R. Wash, E. Rader, K. Vaniea, M. Rizor; In Symposium On Usable Privacy and Security (SOUPS). 2014.
  2. Betrayed By Updates: How Negative Experiences Affect Future Security [bibtex]
    K. Vaniea, E. Rader, R. Wash; In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. 2014.
  3. Tales of Software Updates: The process of updating software [bibtex]
    K. Vaniea, Y. Rashidi; In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems. 2016.
  4. "Anyone Else Seeing this Error?": Community, System Administrators, and Patch Information (Preprint) [bibtex]
    A. Jenkins, P. Kalligeros, K. Vaniea, M.K. Wolters; In Proceedings of the European Symposium on Security and Privacy (EuroSP). 2020.

Talks

People


Funding

Research and projects here are partially funded by the following groups:

Related Student Projects

The following are projects completed by interns, undergraduate students, and master's students related to the Software Update project.

Why don't admins patch their systems? Analysis of an email list archive

Pieris Kalligeros (2018-2019, Internship)

Supervisors: Kami Vaniea, Adam Jenkins

Regular application of patches (updates) is vital to the health of computer systems, but many system administrators either patch slowly or not at all. In this project, we looked at a mailing list archive where system administrators share advice about patching. The project involved building tools to automatically download and parse the corpus, as well as qualitative coding approaches to understand the meaning of the content.


Use LDA and AutoNER to analyze and automatically extract patch issues

Jiaming Lyu (2018-2019, Masters Thesis)

Supervisor: Kami Vaniea

Keeping systems up to date and patched is a challenging job for a system administrator. While installing patches quickly is good for security, not all patches are safe to install as they may break important parts of the system. In this project, I propose a combinative method of using heuristics and Latent Dirichlet Allocation to identify which patches being discussed on a forum are safe to install and which patches have problems.


Use forum posts to detect which updates are experiencing problems

Qingyue Zhu (2018-2019, Masters Thesis)

Supervisor: Kami Vaniea

Patching systems quickly can fix system bugs and prevent security issues; however, it may also create new bugs and issues. In this work, I provide patch-issue information at the post level, sentence level, and feature level. My aim is to identify parts of forum posts that discuss patch issues to enable system administrators to quickly review only the information important to them and their system. To accomplish this, I used keyword lists to identify posts discussing problems and sentiment analysis to find sentences that express negative sentiment.
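As an added illustration of the two-stage approach described above (a post-level keyword filter followed by sentence-level sentiment scoring), and of the heuristic half of the preceding LDA project, here is a small Python pipeline run over constructed forum posts. This is example code written for this page, not code from either thesis or from the lab. The keyword list, the tiny sentiment lexicon, the negation window, and the KB-style patch identifier pattern are all assumptions made for the example; the sample posts are invented. Post p1 shows why the second stage matters: it contains the keyword "issues" but only in a negated, positive sentence, so the keyword filter alone would mis-flag it.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample posts (not real mailing-list data), written for this example.
SAMPLE_POSTS = [
    ("p1", "Installed KB4012212 on our file servers last night. Reboot went fine. "
           "No issues so far, everything looks normal."),
    ("p2", "Anyone else seeing this error? After KB4012212 the print spooler crashes "
           "on every Windows 7 box. Rollback fixed it, but this is a serious problem."),
    ("p3", "Heads up: the March cumulative update KB4013429 broke our RDP sessions. "
           "Users cannot log in. We are holding off on the rest of the fleet."),
    ("p4", "Quick question: is there a supported way to stage updates through WSUS "
           "before approving them for production?"),
]

# Stage 1: post-level keyword filter. A post gets a closer look if any of these appear.
# (Assumed list for the example; a real study would derive it from the corpus.)
PROBLEM_KEYWORDS = {
    "error", "errors", "crash", "crashes", "crashed", "broke", "broken", "fail",
    "failed", "fails", "rollback", "issue", "issues", "problem", "problems",
    "bug", "bugs", "cannot", "hang", "hangs",
}

# Stage 2: sentence-level sentiment. Hand-built toy lexicon, illustrative only.
SENTIMENT = {kw: -1.0 for kw in PROBLEM_KEYWORDS}
SENTIMENT.update({"serious": -0.5, "fine": 1.0, "fixed": 1.0, "resolved": 1.0,
                  "works": 1.0, "working": 1.0, "normal": 0.5, "ok": 0.5})

NEGATORS = {"no", "not", "never", "without", "don't", "didn't", "doesn't"}
NEGATION_WINDOW = 2  # a negator flips lexicon words within this many following tokens

PATCH_ID = re.compile(r"\bKB\d{6,7}\b")   # Microsoft-style patch ids (assumed format)
SENTENCE_END = re.compile(r"(?<=[.!?])\s+")
TOKEN = re.compile(r"[a-z0-9']+")


def tokenize(text):
    return TOKEN.findall(text.lower())


def sentence_score(sentence):
    """Sum lexicon scores over a sentence, flipping words that follow a negator."""
    tokens = tokenize(sentence)
    score, negate_until = 0.0, -1
    for i, tok in enumerate(tokens):
        if tok in NEGATORS:
            negate_until = i + NEGATION_WINDOW
            continue
        if tok in SENTIMENT:
            value = SENTIMENT[tok]
            score += -value if i <= negate_until else value
    return score


@dataclass
class PostReport:
    post_id: str
    patches: list            # patch ids mentioned anywhere in the post
    keyword_hit: bool        # did the stage-1 filter select this post?
    negative_sentences: list = field(default_factory=list)  # (sentence, score) pairs


def analyze_post(post_id, text):
    patches = sorted(set(PATCH_ID.findall(text)))
    keyword_hit = bool(set(tokenize(text)) & PROBLEM_KEYWORDS)
    negatives = []
    if keyword_hit:  # only run the sentence-level pass on posts stage 1 selected
        for sentence in SENTENCE_END.split(text.strip()):
            s = sentence_score(sentence)
            if s < 0:
                negatives.append((sentence, s))
    return PostReport(post_id, patches, keyword_hit, negatives)


def analyze_posts(posts):
    return [analyze_post(pid, text) for pid, text in posts]


def patches_with_problems(reports):
    """Count negative sentences per patch id, over the posts that mention that patch."""
    counts = Counter()
    for r in reports:
        for kb in r.patches:
            counts[kb] += len(r.negative_sentences)
    return {kb: n for kb, n in counts.items() if n > 0}


if __name__ == "__main__":
    reports = analyze_posts(SAMPLE_POSTS)
    for r in reports:
        print(f"{r.post_id}: patches={r.patches} keyword_hit={r.keyword_hit}")
        for sentence, s in r.negative_sentences:
            print(f"    [{s:+.1f}] {sentence}")
    print("patches with reported problems:", patches_with_problems(reports))
```

Running the block lists, per post, the sentences an administrator would want to read first, and then aggregates them by patch id so that a patch discussed only in positive or neutral terms (KB4012212 in p1) is not counted against it while the same patch discussed with crashes and a rollback (p2) is. The negation window is the part most worth replacing with a real sentiment model; it is deliberately crude here so the failure mode it guards against is visible.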


Meagle - Crowdsourced software data with community-moderated software reviews

Tom Macmichael (2016-2017, Undergraduate Thesis)

Supervisors: Sebastian Maneth, Kami Vaniea

Finding impartial information about a given piece of software is not easy: there is no single place users can visit to find and contribute information in a consistent manner. This project created a new website called Meagle that allows a community of users to review pieces of software, with moderation so the best reviews are easy to find.


Building a website for users to rate software updates

Kayode Oduyemi (2016-2017, Undergraduate Thesis)

Supervisors: Sebastian Maneth, Kami Vaniea

End users are not particularly aware of the security implications of not installing updates. This project addresses the problem by creating a website where users can comment on and rate software updates.