Risk Assessment of Buffer "Heartbleed" Over-Read Vulnerabilities
نویسندگان
چکیده
Buffer over-read vulnerabilities (e.g., Heartbleed) can lead to serious information leakage and monetary lost. Most of previous approaches focus on buffer overflow (i.e., overwrite), which are either infeasible (e.g., canary) or impractical (e.g., bounds checking) in dealing with over-read vulnerabilities. As an emerging type of vulnerability, people need in-depth understanding of buffer over-read: the vulnerability, the security risk and the defense methods. This paper presents a systematic methodology to evaluate the potential risks of unknown buffer over-read vulnerabilities. Specifically, we model the buffer over-read vulnerabilities and focus on the quantification of how much information can be potentially leaked. We perform risk assessment using the RUBiS benchmark which is an auction site prototype modeled after eBay.com. We evaluate the effectiveness and performance of a few mitigation techniques and conduct a quantitative risk measurement study. We find that even simple techniques can achieve significant reduction on information leakage against overread with reasonable performance penalty. We summarize our experience learned from the study, hoping to facilitate further studies on the over-read vulnerability.
منابع مشابه
Risk Assessment of Buffer “Heartbleed” Over-read Vulnerabilities (Practical Experience Report)
Buffer over-read vulnerabilities (e.g., Heartbleed) can lead to serious information leakage and monetary lost. Most of previous approaches focus on buffer overflow (i.e., overwrite), which are either infeasible (e.g., canary) or impractical (e.g., bounds checking) in dealing with over-read vulnerabilities. As an emerging type of vulnerability, people need in-depth understanding of buffer over-r...
متن کاملHeterogeneous Network Mining of the National Vulnerability Database
As the proliferation of on-line information storage and interaction continues, so does the continued threat to the security of users and their data. New vulnerabilities are found daily in various pieces of software, used by both users and providers of on-line services, not to mention the myriad of web applications that are not tracked by any central system. Previous research into trends in vuln...
متن کاملSilver Bullet Talks with Bart Miller
One of my favorite papers about Heartbleed was the one that you wrote with James Kupsch. Tell us about the methods you describe for software assurance and how they worked or didn’t work against the OpenSSL code base. Heartbleed was a wake-up call for a lot of people who were making assumptions about the security of open source software. It was also a wake-up call for people who were depending o...
متن کاملSecurity Assessment of Modern Data Aggregation Platforms in the Internet of Things
With the popularity of the Internet of Things on the rise, sensor networks have become essential parts of traditional Information and Communication Technology (ICT) infrastructures in a wide variety of applications. However, their increasing complexity, inter-connectivity, and pervasive implementation, exposes these infrastructures to a large variety of security threats. As a result, practical ...
متن کاملEmpirical Analysis of SSL/TLS Weaknesses in Real Websites: Who Cares?
As SSL/TLS has become the de facto standard Internet protocol for secure communication in recent years, its security issues have also been intensively studied. Even though several tools have been introduced to help administrators know which SSL/TLS vulnerabilities exist in their network hosts, it is still unclear whether the best security practices are effectively adopted to fix those vulnerabi...
متن کاملذخیره در منابع من
با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید
عنوان ژورنال:
دوره شماره
صفحات -
تاریخ انتشار 2015