Risk Assessment of Buffer "Heartbleed" Over-Read Vulnerabilities

Authors

  • Jun Wang
  • Mingyi Zhao
  • Qiang Zeng
  • Dinghao Wu
  • Peng Liu
Abstract

Buffer over-read vulnerabilities (e.g., Heartbleed) can lead to serious information leakage and monetary loss. Most previous approaches focus on buffer overflow (i.e., overwrite) and are either infeasible (e.g., canaries) or impractical (e.g., bounds checking) when dealing with over-read vulnerabilities. As an emerging type of vulnerability, buffer over-read calls for an in-depth understanding of the vulnerability itself, the security risk it poses, and the available defense methods. This paper presents a systematic methodology to evaluate the potential risks of unknown buffer over-read vulnerabilities. Specifically, we model buffer over-read vulnerabilities and focus on quantifying how much information can potentially be leaked. We perform the risk assessment using the RUBiS benchmark, an auction site prototype modeled after eBay.com. We evaluate the effectiveness and performance of a few mitigation techniques and conduct a quantitative risk measurement study. We find that even simple techniques can achieve a significant reduction in information leakage from over-reads with a reasonable performance penalty. We summarize the lessons learned from the study, hoping to facilitate further studies on the over-read vulnerability.


Similar sources

Risk Assessment of Buffer “Heartbleed” Over-read Vulnerabilities (Practical Experience Report)



Heterogeneous Network Mining of the National Vulnerability Database

As the proliferation of on-line information storage and interaction continues, so does the continued threat to the security of users and their data. New vulnerabilities are found daily in various pieces of software, used by both users and providers of on-line services, not to mention the myriad of web applications that are not tracked by any central system. Previous research into trends in vuln...


Silver Bullet Talks with Bart Miller

One of my favorite papers about Heartbleed was the one that you wrote with James Kupsch. Tell us about the methods you describe for software assurance and how they worked or didn’t work against the OpenSSL code base. Heartbleed was a wake-up call for a lot of people who were making assumptions about the security of open source software. It was also a wake-up call for people who were depending o...


Security Assessment of Modern Data Aggregation Platforms in the Internet of Things

With the popularity of the Internet of Things on the rise, sensor networks have become essential parts of traditional Information and Communication Technology (ICT) infrastructures in a wide variety of applications. However, their increasing complexity, inter-connectivity, and pervasive implementation expose these infrastructures to a large variety of security threats. As a result, practical ...


Empirical Analysis of SSL/TLS Weaknesses in Real Websites: Who Cares?

As SSL/TLS has become the de facto standard Internet protocol for secure communication in recent years, its security issues have also been intensively studied. Even though several tools have been introduced to help administrators know which SSL/TLS vulnerabilities exist in their network hosts, it is still unclear whether the best security practices are effectively adopted to fix those vulnerabi...



Journal title:

Volume   Issue 

Pages  -

Publication date: 2015