Risk Assessment of Buffer "Heartbleed" Over-Read Vulnerabilities

Buffer over-read vulnerabilities (e.g., Heartbleed) can lead to serious information leakage and monetary lost. Most of previous approaches focus on buffer overflow (i.e., over-write), which are either infeasible (e.g., canary) or impractical (e.g., bounds checking) in dealing with over-read vulnerabilities. As an emerging type of vulnerability, people need in-depth understanding of buffer over-read: the vulnerability, the security risk and the defense methods. This paper presents a systematic methodology to evaluate the potential risks of unknown buffer over-read vulnerabilities. Specifically, we model the buffer over-read vulnerabilities and focus on the quantification of how much information can be potentially leaked. We perform risk assessment using the RUBiS benchmark which is an auction site prototype modeled after eBay.com. We evaluate the effectiveness and performance of a few mitigation techniques and conduct a quantitative risk measurement study. We find that even simple techniques can achieve significant reduction on information leakage against over-read with reasonable performance penalty. We summarize our experience learned from the study, hoping to facilitate further studies on the over-read vulnerability.

[1]  Crispan Cowan,et al.  StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks , 1998, USENIX Security Symposium.

[2]  Emery D. Berger,et al.  DieHard: probabilistic memory safety for unsafe languages , 2006, PLDI '06.

[3]  George C. Necula,et al.  CCured: type-safe retrofitting of legacy code , 2002, SIGP.

[4]  Jingling Xue,et al.  WPBOUND: Enforcing Spatial Memory Safety Efficiently at Runtime with Weakest Preconditions , 2014, 2014 IEEE 25th International Symposium on Software Reliability Engineering.

[5]  Steve Maguire,et al.  Writing Solid Code , 1993 .

[6]  Pasquale Malacaria,et al.  Quantifying information leaks in software , 2010, ACSAC '10.

[7]  Leslie Lamport,et al.  Proving the Correctness of Multiprocess Programs , 1977, IEEE Transactions on Software Engineering.

[8]  Shouhuai Xu,et al.  A Method for Safekeeping Cryptographic Keys from Memory Disclosure Attacks , 2009, INTRUST.

[9]  Peng Liu,et al.  HeapTherapy: An Efficient End-to-End Solution against Heap Buffer Overflows , 2015, 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.

[10]  Miguel Castro,et al.  Baggy Bounds Checking: An Efficient and Backwards-Compatible Defense against Out-of-Bounds Errors , 2009, USENIX Security Symposium.

[11]  Michael Tüxen,et al.  Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension , 2012, RFC.

[12]  Paul H. J. Kelly,et al.  Backwards-Compatible Bounds Checking for Arrays and Pointers in C Programs , 1997, AADEBUG.

[13]  David A. Wagner,et al.  A First Step Towards Automated Detection of Buffer Overrun Vulnerabilities , 2000, NDSS.

[14]  Peng Liu,et al.  Cruiser: concurrent heap buffer overflow monitoring using lock-free data structures , 2011, PLDI '11.

[15]  George C. Necula,et al.  CCured in the real world , 2003, PLDI '03.

[16]  Kevin Borders,et al.  Quantifying Information Leaks in Outbound Web Traffic , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[17]  Ken Frazer,et al.  Building secure software: how to avoid security problems the right way , 2002, SOEN.

[18]  Vern Paxson,et al.  The Matter of Heartbleed , 2014, Internet Measurement Conference.

[19]  Tal Garfinkel,et al.  Shredding Your Garbage: Reducing Data Lifetime Through Secure Deallocation , 2005, USENIX Security Symposium.

[20]  Todd C. Miller,et al.  strlcpy and strlcat - Consistent, Safe, String Copy and Concatenation , 1999, USENIX Annual Technical Conference, FREENIX Track.

[21]  Michael Backes,et al.  Automatic Discovery and Quantification of Information Leaks , 2009, 2009 30th IEEE Symposium on Security and Privacy.