Paper Info
Title
Risk Assessment of Buffer "Heartbleed" Over-Read Vulnerabilities
Abstract
Buffer over-read vulnerabilities (e.g., Heartbleed) can lead to serious information leakage and monetary lost. Most of previous approaches focus on buffer overflow (i.e., over-write), which are either infeasible (e.g., canary) or impractical (e.g., bounds checking) in dealing with over-read vulnerabilities. As an emerging type of vulnerability, people need in-depth understanding of buffer over-read: the vulnerability, the security risk and the defense methods. This paper presents a systematic methodology to evaluate the potential risks of unknown buffer over-read vulnerabilities. Specifically, we model the buffer over-read vulnerabilities and focus on the quantification of how much information can be potentially leaked. We perform risk assessment using the RUBiS benchmark which is an auction site prototype modeled after eBay.com. We evaluate the effectiveness and performance of a few mitigation techniques and conduct a quantitative risk measurement study. We find that even simple techniques can achieve significant reduction on information leakage against over-read with reasonable performance penalty. We summarize our experience learned from the study, hoping to facilitate further studies on the over-read vulnerability.
Year
DOI
Venue
2015
10.1109/DSN.2015.59
The International Conference on Dependable Systems and Networks
Keywords
Field
DocType
risk assessment,buffer over-read vulnerabilities,Heartbleed,information leakage,monetary lost,security risk,defense method,vulnerability method
Heartbleed,Information leakage,Computer science,Computer security,Risk assessment,Risk management,Vulnerability management,Bounds checking,Buffer overflow,Vulnerability
Conference
ISSN
Citations 
PageRank 
1530-0889
3
0.38
References 
Authors
17
5
Name
Order
Citations
PageRank
Jun Wang1352.65
Mingyi Zhao2624.93
Qiang Zeng3327.22
Dinghao Wu472654.89
P. Liu537841.58