Risk Assessment of Buffer 'Heartbleed' Over-Read Vulnerabilities

Jun Wang, Mingyi Zhao, Qiang Zeng, Dinghao Wu, Peng Liu

Research output: Chapter in Book/Report/Conference proceedingConference contribution

13 Scopus citations

Abstract

Buffer over-read vulnerabilities (e.g., Heartbleed) can lead to serious information leakage and monetary lost. Most of previous approaches focus on buffer overflow (i.e., over-write), which are either infeasible (e.g., canary) or impractical (e.g., bounds checking) in dealing with over-read vulnerabilities. As an emerging type of vulnerability, people need in-depth understanding of buffer over-read: the vulnerability, the security risk and the defense methods. This paper presents a systematic methodology to evaluate the potential risks of unknown buffer over-read vulnerabilities. Specifically, we model the buffer over-read vulnerabilities and focus on the quantification of how much information can be potentially leaked. We perform risk assessment using the RUBiS benchmark which is an auction site prototype modeled after eBay.com. We evaluate the effectiveness and performance of a few mitigation techniques and conduct a quantitative risk measurement study. We find that even simple techniques can achieve significant reduction on information leakage against over-read with reasonable performance penalty. We summarize our experience learned from the study, hoping to facilitate further studies on the over-read vulnerability.

Original languageEnglish (US)
Title of host publicationProceedings - 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2015
PublisherIEEE Computer Society
Pages555-562
Number of pages8
ISBN (Electronic)9781479986293
DOIs
StatePublished - Sep 14 2015
Event45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2015 - Rio de Janeiro, Brazil
Duration: Jun 22 2015Jun 25 2015

Publication series

NameProceedings of the International Conference on Dependable Systems and Networks
Volume2015-September

Other

Other45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2015
CountryBrazil
CityRio de Janeiro
Period6/22/156/25/15

All Science Journal Classification (ASJC) codes

  • Software
  • Hardware and Architecture
  • Computer Networks and Communications

Fingerprint Dive into the research topics of 'Risk Assessment of Buffer 'Heartbleed' Over-Read Vulnerabilities'. Together they form a unique fingerprint.

Cite this