A co-design adaptive defense scheme with bounded security damages against Heartbleed-like attacks

Zhisheng Hu, Ping Chen, Minghui Zhu, Peng Liu

Research output: Contribution to journal › Article › peer-review

Abstract

This paper proposes a co-design adaptive defense scheme against a class of zero-day buffer over-read attacks that follow unknown stationary probability distributions. In particular, the co-design scheme integrates an improved UCB algorithm and a customized server. The improved UCB algorithm adaptively allocates guard pages on the heap based on the damage induced under each guard-page placement, so as to minimize the accumulated damage over time. The security damages of the improved UCB algorithm are proven to always stay below a temporal bound, without knowing which attack is launched, when the buffer allocation follows a certain stationary probability distribution. An efficient server modification is then introduced to allocate buffers randomly. Moreover, the damages of our scheme asymptotically converge to those of the optimal defense policy, in which the launched attacks and their distributions are known in advance. Further, the co-design scheme is evaluated with several real-world Heartbleed attacks. The experimental results demonstrate the validity of the upper bound and show that the adaptive defense is effective against all the attacks of interest, with runtime overheads as low as 5%.
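The abstract describes guard-page placement as a bandit problem: each candidate placement is an arm, the damage observed after an over-read is the (negative) reward, and a UCB-style index trades off exploring placements against exploiting the one that has blocked the most attacks so far. The following simulation is an added illustration written for this record, not code from the paper, and it uses the classical UCB1 index of Auer, Cesa-Bianchi and Fischer (2002) rather than the authors' improved UCB. Its heap model is an assumption: `n_slots` candidate buffers, a budget of one guard page per round, an over-read that starts in the guarded slot faults and leaks nothing (damage 0), and any other over-read leaks one unit (damage 1). The attack sequence is constructed inline from a stationary distribution.

```python
import math
import random
from collections import Counter


def ucb1_guard_defense(attacks, n_slots):
    """Place one guard page per round using the UCB1 index
    mean_reward + sqrt(2 ln t / n).  Reward is 1 when the guarded slot is the
    one the attacker over-reads from (the read faults), else 0 (data leaks).
    Returns (total_damage, list_of_guarded_slots)."""
    counts = [0] * n_slots       # times each slot has been guarded
    rewards = [0.0] * n_slots    # accumulated blocked-attack count per slot
    total_damage = 0
    choices = []
    for t, target in enumerate(attacks, start=1):
        if t <= n_slots:
            slot = t - 1         # initialisation: guard every slot once
        else:
            slot = max(
                range(n_slots),
                key=lambda i: rewards[i] / counts[i]
                + math.sqrt(2 * math.log(t) / counts[i]),
            )
        blocked = 1 if slot == target else 0
        counts[slot] += 1
        rewards[slot] += blocked
        total_damage += 1 - blocked
        choices.append(slot)
    return total_damage, choices


def optimal_fixed_damage(attacks):
    """Damage of the best single placement chosen with the attack
    distribution known in advance (the hindsight-optimal fixed policy)."""
    attacks = list(attacks)
    if not attacks:
        return 0
    best_slot_hits = Counter(attacks).most_common(1)[0][1]
    return len(attacks) - best_slot_hits


def ucb1_regret_bound(attack_probs, horizon):
    """Auer et al. (2002) bound on UCB1's expected regret after `horizon`
    rounds: sum_i 8 ln(T) / gap_i + (1 + pi^2/3) * sum_i gap_i, where gap_i is
    the difference between the best slot's attack probability and slot i's.
    This is the classical bound, not the paper's temporal bound."""
    p_best = max(attack_probs)
    gaps = [p_best - p for p in attack_probs if p_best - p > 0]
    return (sum(8 * math.log(horizon) / g for g in gaps)
            + (1 + math.pi ** 2 / 3) * sum(gaps))


def simulate(attack_probs, horizon, seed=0):
    """Draw a constructed attack sequence from a stationary distribution and
    compare UCB1 damage with the hindsight-optimal policy and the bound."""
    rng = random.Random(seed)
    slots = list(range(len(attack_probs)))
    attacks = rng.choices(slots, weights=attack_probs, k=horizon)
    ucb_damage, _ = ucb1_guard_defense(attacks, len(slots))
    opt_damage = optimal_fixed_damage(attacks)
    return {
        "ucb_damage": ucb_damage,
        "optimal_damage": opt_damage,
        "regret": ucb_damage - opt_damage,
        "regret_bound": ucb1_regret_bound(attack_probs, horizon),
    }


if __name__ == "__main__":
    # Constructed distribution: the attacker over-reads from slot 2 most often.
    print(simulate([0.1, 0.2, 0.6, 0.1], horizon=5000))
```

Because the regret bound grows only logarithmically in the horizon while the damage of a non-adaptive placement grows linearly, the gap between the UCB defense and the known-distribution optimum shrinks per round, which is the convergence property the abstract claims for the authors' scheme.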

Original language: English (US)
Journal: IEEE Transactions on Information Forensics and Security
DOIs
State: Accepted/In press - 2021

All Science Journal Classification (ASJC) codes

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications
