Securing Decentralized Software Installation and Updates

Abstract
  • Software installation and updates have become simpler for end users in recent years. The commoditization of the internet has enabled users to obtain more software than ever before from more developers than ever before. Additionally, software installation now requires less input from users, allowing installation with merely a single click or tap. At the same time, different software installation models with varying levels of security, usability and freedom have emerged. In centralized environments, available software is limited by an authority, whereas decentralized environments allow users and developers to interact freely. Decentralized software installation ecosystems pose the most significant security challenges due to the lack of centralized control. In this thesis we identify, through systematic evaluation of prominent systems, limitations in the way operating systems provide security guarantees (including verification of integrity, authentication, and establishment of trust) in decentralized software installation environments. We address these limitations by designing tools and protocols that help secure software installation and updates at each of the three installation stages (software discovery, initial install and updates, and enforcing security policies). Specifically, we propose a cryptographically verifiable protocol for developers to delegate digital signature privileges to other certificates (possibly owned by other developers) without requiring a centrally trusted public key infrastructure. Our proposal allows trust to be delegated during software updates without user involvement. We also propose a flexible policy for developers to authenticate and share privileges amongst applications being executed simultaneously on a device. We evaluate these proposals and show that they are direct improvements over currently deployed real-world systems. 
We discuss the design and implementation of an install-time architecture allowing users to query crowdsourced expert information sources to gain trust in software they are about to install. We motivate the requirements for such a system, designed to mirror the security semantics of centralized environments. The proposed protocols and tools have been implemented as proofs-of-concept using Google's Android mobile operating system. We leverage a large application dataset to inform our design decisions and demonstrate backward compatibility with existing applications. While the implementations are specific to Android, we discuss how our general proposals extend to other decentralized environments.

Rights Notes
  • Copyright © 2014 the author(s). Theses may be used for non-commercial research, educational, or related academic purposes only. Such uses include personal study, research, scholarship, and teaching. Theses may only be shared by linking to Carleton University Institutional Repository and no part may be used without proper attribution to the author. No part may be used for commercial purposes directly or indirectly via a for-profit platform; no adaptation or derivative works are permitted without consent from the copyright owner.

Date Created
  • 2014
