TY - GEN
T1 - Risk Assessment of Buffer 'Heartbleed' Over-Read Vulnerabilities
AU - Wang, Jun
AU - Zhao, Mingyi
AU - Zeng, Qiang
AU - Wu, Dinghao
AU - Liu, Peng
PY - 2015/9/14
Y1 - 2015/9/14
N2 - Buffer over-read vulnerabilities (e.g., Heartbleed) can lead to serious information leakage and monetary loss. Most previous approaches focus on buffer overflow (i.e., over-write), and are either infeasible (e.g., canary) or impractical (e.g., bounds checking) in dealing with over-read vulnerabilities. As an emerging type of vulnerability, people need an in-depth understanding of buffer over-read: the vulnerability, the security risk and the defense methods. This paper presents a systematic methodology to evaluate the potential risks of unknown buffer over-read vulnerabilities. Specifically, we model the buffer over-read vulnerabilities and focus on the quantification of how much information can be potentially leaked. We perform risk assessment using the RUBiS benchmark, which is an auction site prototype modeled after eBay.com. We evaluate the effectiveness and performance of a few mitigation techniques and conduct a quantitative risk measurement study. We find that even simple techniques can achieve a significant reduction in information leakage against over-read with a reasonable performance penalty. We summarize our experience learned from the study, hoping to facilitate further studies on the over-read vulnerability.
UR - http://www.scopus.com/inward/record.url?scp=84950138987&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84950138987&partnerID=8YFLogxK
U2 - 10.1109/DSN.2015.59
DO - 10.1109/DSN.2015.59
M3 - Conference contribution
AN - SCOPUS:84950138987
T3 - Proceedings of the International Conference on Dependable Systems and Networks
SP - 555
EP - 562
BT - Proceedings - 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2015
PB - IEEE Computer Society
T2 - 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2015
Y2 - 22 June 2015 through 25 June 2015
ER -