posted by Richard Power
Heartbleed is a significant event along the cyber security timeline. Its consequences will be with us all for quite a while. If you haven't already come to grips with this issue, you should do so urgently.
For some guidance go to http://heartbleed.com
To check whether a particular server is vulnerable, go to: http://filippo.io/Heartbleed/
For a command-line tool, go to: https://github.com/FiloSottile/Heartbleed
Here at CyLab, the story has given us an opportunity to reflect on some of our recent research and its relevance to the problem at hand.
Perspectives, TrustVisor and Flicker all evolved out of CyLab's work on Trustworthy Computing Platforms and Devices. And this continues to be one of CyLab's major research thrusts.
According to Vasudevan, "the IEE technologies and prototypes we have been developing (XMHF - TrustVisor, KISS, Minibox, etc.) lay a solid foundation to protect against Heartbleed-like attacks."
"But going from our prototypes to the real world is a different kind of challenge. The software ecosystem out there today does not really consider security as a first-class citizen. Consequently, tweaking these components to adapt to our IEE design is non-trivial ... In the long term, developers of security-oriented/sensitive software would benefit from a simple and solid security framework that would allow them to leverage strong security properties, while letting them also implement the desired functionality. And our work with XMHF plus TrustVisor plus other hypapps (http://xmhf.org) is the right step in this direction."
"This bug is still underestimated," warns Yu.
He cites three reasons for his concern:
"Currently, we are putting a lot of care into HTTPS websites. But other protocols, e.g., FTPS (used for file transfer) servers, can also be impacted by this bug.
"Not only servers, but also clients, e.g., smart phones and other devices, may suffer from this bug. And for certain devices, the problem can be even worse. For example, mobile phones have long patch cycles. For the Heartbleed bug, the first patch came out in 20 minutes and web servers began the repair on the first day. But Android phones only get scanners, e.g., Bluebox Heartbleed Scanner or Heartbleed Detector, to help users find out if their phone is vulnerable ... From our experience with past vulnerabilities, it would take tens of weeks until half of the mobile devices get patched. During this period, the devices are at risk. Other devices, which may use OpenSSL for establishing administration channels, also may suffer from long patch cycles. At CyLab, Zongwei Zhou, Miao Yu, Yoshiharu Imamoto, Amit Vasudevan, Virgil Gligor and I have developed an isolated execution environment for the ARM mobile platform. It is quite similar to TrustVisor, but focuses on mobile system security, so that, e.g., you could run a banking client (or some other sensitive application) in an isolated execution environment, and your code and data would still be secure in spite of this or other vulnerabilities present in Android.
"All three recent SSL bugs, i.e., iOS's goto fail bug, the GnuTLS bug and the Heartbleed bug, are implementation-related rather than design-related. The lesson is that design security doesn't mean implementation security. We do need runtime protection as a last line of defense."