Analysis of OpenSSL Heartbleed vulnerability for embedded systems

Ghafoor, Imran; Jattala, Imran; Durrani, Shakeel; Tahir, Ch Muhammad

doi:10.1109/inmic.2014.7097358

Cited by 14 publications

(3 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, while IoT brings technological growth, it unintendedly exposes missioncritical systems to novel vulnerabilities [4]- [6] number of IoT cyberattacks increased by 300% in 2019 [7], while the discovered software vulnerabilities rose from 1.6k to 100k [8]. The consequence can be detrimental, as indicated in [9], the Heartbleed bug [10] can lead to a leakage of up to 64K memory, threatening not only personal but also organizational information security. Besides, Shellshock is a bash commandline interface shell bug, but it has existed for 30 years and remains a threat to enterprises today [11], [12].…”

Section: Introductionmentioning

confidence: 99%

CFG2VEC: Hierarchical Graph Neural Network for Cross-Architectural Software Reverse Engineering

Yu¹,

Gizachew²,

Wang³

et al. 2023

Preprint

View full text Add to dashboard Cite

Mission-critical embedded software is critical to our society's infrastructure but can be subject to new security vulnerabilities as technology advances. When security issues arise, Reverse Engineers (REs) use Software Reverse Engineering (SRE) tools to analyze vulnerable binaries. However, existing tools have limited support, and REs undergo a time-consuming, costly, and error-prone process that requires experience and expertise to understand the behaviors of software and vulnerabilities. To improve these tools, we propose cfg2vec, a Hierarchical Graph Neural Network (GNN) based approach. To represent binary, we propose a novel Graph-of-Graph (GoG) representation, combining the information of control-flow and function-call graphs. Our cfg2vec learns how to represent each binary function compiled from various CPU architectures, utilizing hierarchical GNN and the siamese network-based supervised learning architecture. We evaluate cfg2vec's capability of predicting function names from stripped binaries. Our results show that cfg2vec outperforms the state-of-the-art by 24.54% in predicting function names and can even achieve 51.84% better given more training data. Additionally, cfg2vec consistently outperforms the state-of-the-art for all CPU architectures, while the baseline requires multiple training to achieve similar performance. More importantly, our results demonstrate that our cfg2vec could tackle binaries built from unseen CPU architectures, thus indicating that our approach can generalize the learned knowledge. Lastly, we demonstrate its practicability by implementing it as a Ghidra plugin used during resolving DARPA Assured MicroPatching (AMP) challenges.

show abstract

Section: Introductionmentioning

confidence: 99%

CFG2VEC: Hierarchical Graph Neural Network for Cross-Architectural Software Reverse Engineering

Yu¹,

Gizachew²,

Wang³

et al. 2023

Preprint

View full text Add to dashboard Cite

show abstract

“…A vulnerability located within open source software may be of particular value as it may allow exploitation on multiple kinds of systems. The OpenSSL 'Heartbleed' exploit (CVE-2014-0160) [15] and Linux Kernel Copy-On-Write, known as 'Dirty COW', (CVE-2016-5195) [16] are well known and heavily exploited examples. Separately, attacks against communication links and data in transit have been demonstrated, which may cause delay in communication as well as compromise of privacy, or denial-of-service entirely [17], [18], [19].…”

Section: Introductionmentioning

confidence: 99%

Enhancing Security and Privacy of Next-Generation Edge Computing Technologies

Hagan

Siddiqui

Sezer

2019

2019 17th International Conference on Privacy, Security and Trust (PST)

View full text Add to dashboard Cite

The advent of high performance fog and edge computing and high bandwidth connectivity has brought about changes to Internet-of-Things (IoT) service architectures, allowing for greater quantities of high quality information to be extracted from their environments to be processed. However, recently introduced international regulations, along with heightened awareness among consumers, have strengthened requirements to ensure data security, with significant financial and reputational penalties for organisations who fail to protect customers' data. This paper proposes the leveraging of fog and edge computing to facilitate processing of confidential user data, to reduce the quantity and availability of raw confidential data at various levels of the IoT architecture. This ultimately reduces attack surface area, however it also increases efficiency of the architecture by distributing processing amongst nodes and transmitting only processed data. However, such an approach is vulnerable to device level attacks. To approach this issue, a proposed System Security Manager is used to continuously monitor system resources and ensure confidential data is confined only to parts of the device that require it. In event of an attack, critical data can be isolated and the system informed, to prevent data confidentiality breach.

show abstract

“…However, protecting the smart grid only at the transport layer leaves the network and its links open to cyber security attacks such as DoS, which can produce an eavesdropping of network management messages and ban the users from accessing the service. This fact is not aligned with the high reliability feature that is required in the smart grid [33]. For this reason, the smart grid really urges multilevel security, even above the transport layer [1,2].…”

mentioning

confidence: 99%

Prototyping a Software Defined Utility

et al. 2017

View full text Add to dashboard Cite

Abstract:The smart grid can be seen as a hybrid system composed by many systems. From a large scale point of view, it combines the electric power system itself and a heterogeneous information and communication technology (ICT) infrastructure. Additionally, these systems are composed by many building blocks that are designed and managed as separated systems which are hard to fully integrate between each other. Relying on the experiences arisen and the knowledge gathered from the partners during the development of the FP7 European projects INTEGRIS (intelligent electrical grid sensor communications) and FINESCE (future internet smart utility services), this paper presents the software defined utility (SDU) concept for the management of the smart grid and its security, which advocates for the migration of the utility infrastructure to software systems instead of relying on complex and rigid hardware based systems. Following this approach, SDU proposes the evolution of power systems' ICT and the usage of programmable commodity hardware, low-cost sensors, and reliable high-speed IP-based communications underneath. More concretely, this paper proposes some building blocks for the deployment of the SDU (flexible data management infrastructure, context-aware security and web of things interface) and evaluates their functionalities and benefits for the smart grids of the future.

show abstract

Analysis of OpenSSL Heartbleed vulnerability for embedded systems

Cited by 14 publications

References 17 publications

CFG2VEC: Hierarchical Graph Neural Network for Cross-Architectural Software Reverse Engineering

CFG2VEC: Hierarchical Graph Neural Network for Cross-Architectural Software Reverse Engineering

Enhancing Security and Privacy of Next-Generation Edge Computing Technologies

Prototyping a Software Defined Utility

Contact Info

Product

Resources

About