‘Heartbleed’ countermeasure conceived in UTD’s laboratories
Researchers at UTD have a solution, dubbed ‘Red Herring,’ that not only patches the issue, but can also detect and entrap attackers that might try to exploit the vulnerability to gain sensitive information.
The Heartbleed Bug
The Heartbleed Bug is a weakness in the popular OpenSSL cryptography software library, which implements the basic cryptographic functions to maintain data security during transmission.
“There is a misconception out there that it is a virus, but it is not a virus,” said Kevin Hamlen, team lead of Red Herring project. “It is a weakness in software products, and it mainly affects web servers or web clients, so client browsers.”
The vulnerability was present in popular websites like Google, Yahoo, Facebook, Dropbox and many more, as they used the exposed implementation of OpenSSL.
The bug resulted from incorrect implementation of the Heartbeat feature of OpenSSL. This feature, which was introduced two years ago, passes bogus information over the wire to keep the connection between server and client browser open.
The client browser usually initiates the Heartbeat request and sends mock data along with the size of the data to the server. The server, in return, replies back with the same mock data sent by the client.
However, an attacker can send a mock packet of data with the wrong data size. The incorrect implementation resulted in the server failing to verify if the packet size and the data size matched.
In the case of a mismatch, the server would send back what was originally transmitted and some additional information drawn from the address space of the application, which could potentially be sensitive information like passwords, social security numbers, or worse, private encryption keys.
“The attacker can’t precisely control which information he gets on any particular request,” Hamlen said. “But the attacker can wallpaper you with many, many requests over a long period of time and probably get any information in the address space that is available.”
Heartbleed is a serious concern because attacks leave no trace in server logs, so there is no way of knowing if the bug was exploited.
The Red Herring system, that Hamlen and his research student Frederico Araujo developed, patches the vulnerability and helps trap the attacker.
Hamlen and Araujo have been working on Red Herring for the better part of a year and have submitted a research paper on it.
“I think it started when we asked ourselves if we could build a system that could be patched, but in a way that it wouldn’t divulge that it has been patched to the attackers,” Araujo said.
OpenSSL released a fix when it released information about the bug. The patch prevents attackers from accessing any information from the servers using the vulnerable OpenSSL product, and responds with a ‘Request Denied’ message when an attacker sends a malicious data packet.
Thus, an attacker has a very easy task of identifying which servers are vulnerable and which are not, as the non-vulnerable systems will respond with the error message and the vulnerable systems will respond with information.
The Red Herring system uses the concept of traditional honeypots — a trap set to detect and counterattack hacks on systems — and improves on it by creating a web server on the system that has the sensitive information and sends out false information when a hacker sends a malicious Heartbeat request.
“Red Herring is a system in which we patch the vulnerability, except that the patch does not inform the attacker that his request has failed,” Hamlen said. “In fact, it sends back the attacker something that looks quite a bit like a successful exploit of the vulnerability, except all the information that he gets is actually fake.”
The beauty of the system is that it does not just create a decoy and give false information, it can also help catch the attacker as an analyst tries to track the attacker and the information the attacker is after.
UTD’s weakness to Heartbleed
Few systems and servers at UTD were identified for using the vulnerable version of OpenSSL.
“The highest risk system that was involved for us was when users connect to our network remotely using VPN (Virtual Private Network) device,” said Chief Information Security Officer Nate Howe.
A VPN device enables users to connect to a system’s private resources from an external public network.
The VPN device used by UTD implements OpenSSL and the Information Security and the Information Resources group monitored the situation after identifying the risk and were able to do an emergency patch.
There was a one-day period between the time the Information Security team started considering the risk to the VPN to the time the patch was made available.
“For about one to two days, (Heartbleed) was wildly discussed in the news and more people in the world were trying to exploit it,” Howe said. “Theoretically, those vulnerabilities were present for a long time even though people didn’t know about it yet.”
The Information Security team alerted the users of the VPN at the university of the possibility of the risk.
The Information Security team sent a university-wide email and recommended that users change not only their NetID passwords, but also their banking and personal email passwords to protect themselves from the bug.
Howe said they were not going to implement the Red Herring system.
“The (Red Herring) approach is especially useful if you have the intention to counterattack an attacker,” Howe said. “There are some organizations where that is very appropriate, but it is not going to be typical of our approach. Our approach is going to be identify risk and to mitigate that risk or eliminate it when possible.”