The Matter of Heartbleed

Link: https://jhalderm.com/pub/papers/heartbleed-imc14.pdf

Summary:

This paper was more of a summary of knowledge on the heartbleed attack a vulnerability that was found by Google researcher Neel Mehta in March of 2014. Essentially the attack takes advantage of something known as a Heartbeat Extension which allows either end point of a TLS connection to detect whether its peer is still present. The heartbeat is essentially set from one peer to another, and on reciept of a heartbeat message the peer is supposed to respond back with a similar heartbeat message confirming it is still there. The attack took advantage of this and as a result this paper studied the immediate response and response in the weeks after this was disclosed to the world.

 

 

What I liked:

  1. The study didn't only look at who made initial responses to Heartbleed but also found that a surprisingly low number of sites (25%) ended up replacing certificates

  2. I really liked the paper's explanation of what heartbeat was, and its original purpose -- they did a good job explaining its use as a positive and then transitioning into how it could be exploited

  3. Good job explaining why it took so long to update servers, they specifically note that this isn't something that you can patch with a configuration file but instead need to recompile openssl with a flag which is harder to do

  4. They use a lot of different sources that kind of paint a picture of what was going on in the time, their use of many sources gives us a lot of data from different views

  5. I liked the use of visuals specifically the graphs that highlight the days of disclosure vs percentage of patches out on the internet

  6. I thought the inclusion of the notification study and follow up with network operators was probably the most helpful piece of the study.

 

 

What I did not like:

  1. I think the paper was more of a SOK then adding anything new to the community

  2. I think the way they estimate who was vulnerable to Heartbleed prior to disclosure needs more work. They currently estimate that 24%-55% of servers were vulnerable but don't go into huge specific how they got that number or explain why there's such a huge variation

  3. I would have wanted more specifics about sites and their industry to see which industries are the ones on top of security and which ones are lagging

  4. I don't like that they took a stance on whether or not this bug was exploited prior to disclosure -- I think that they don't really state what they are looking for so its kind of like chasing a ghost

  5. I think the methodology of how they scanned for which servers were vulnerable wasn't really the best given the high amount of false positives the method gives -- would a survey of operators been better?

 

 

Points for Discussion

  1. Why are bugs found at the same time. A private cyber firm found the heartbleed bug about the same time as Neel Mehta at google? Same thing happened at Intel? Is this because of leaks or because of coincidence.

  2. Was there a faster way to deliver patches to the general public

  3. Was there enough of a lead time on Heartbleed for major websites to be expected to have a valid fix.

  4. Were the sources the paper used accurate given that they came from so many different sources. As a result the data could have been measured differently

  5. Are there leaks of this in the snowden papers or did this catch the NSA by surprise as well?

 

 

New Ideas:

  1. Study why and how different the estimates were for servers affected by heartbleed. Dig into why there is such a big variation

  2. Look into creating a measure of how easy something is to exploit. Ie hacker vs nation state capabilities because the paper notes that the bug is easy to exploit, but easy is subjective

  3. Explore how responsible disclosure might have prevented more attacks especially on something as widespread as heartbleed.

  4. Explore how public knowledge sped or slowed down the patching of major websites

  5. Is there a way this patch could have been done without recompiling the entire server with a specific flag? This could have sped up patching