Information Trust Institute block of abstract images
Information Trust Institute block of abstract images

Bailey wins ACM Best Paper Award for Heartbleed research

Internet security forums were ablaze April 1, 2014, as chatter started appearing about a potential bug in the security systems of many of the world’s top websites.

While high-level software companies like Google were already aware earlier and discretely patched up their servers, news was slow to trickle down to the greater web and gradually the rest of the world realized the severity of the vulnerability in OpenSSL, the set of security standards that virtually all web services rely on to protect information.

Michael Donald Bailey
Michael Donald Bailey
It wasn’t long before websites discovered catastrophic leaks of credit card numbers, medical information, and more. On April 7, the OpenSSL project announced Heartbleed to the world and a surge of websites scrambled to shore up their defenses before hackers could grab all of their private information.

The rest of the reaction to Heartbleed was captured in “The Matter of Heartbleed,” a paper co-written by ECE Associate Professor and ITI researcher Michael Donald Bailey, which won the best paper award at the Association for Computing Machinery’s (ACM) Internet Measurement Conference.

Bailey’s team of researchers from Illinois, Berkeley, and Michigan had a birds-eye view of the exploitation of this bug unfolding across the Internet. After first witnessing the news filtering out to the public that Heartbleed rendered as much as half of the web’s HTTPS-encrypted websites vulnerable, he and his colleagues used Internet scanning tools to see the world react. His team used a utility that scanned nearly the entirety of the Internet in less than four hours to see how quickly websites and devices patched the vulnerability. Using a technique called “network telescopes,” the team could observe who else was scanning the Internet as well.

Some of the scanning was from fellow researchers, prodding servers to see the extent of the Internet’s vulnerability. Others, Bailey noted, were testing the web servers and “weren’t just there to scan”: hackers. The network telescope that Bailey uses to track hackers looking for vulnerable hosts, started registering significant amounts of hits as a free-for-all swept the web trying to steal as much data as possible before the information stopgaps were plugged.

Within 48 hours of OpenSSL announcing the vulnerability, all 500 of the Internet’s most-visited websites, or the Alexa top 500, had patched their systems to eliminate the bug. Unfortunately, according to the paper, Bailey’s team recorded probing activity from users he could tell were trying to steal data within the first 22 hours.

The websites are still trying to quantify exactly how much data was stolen in many cases, though investigators already confirmed several instances of losses of medical records, credit card information, and social security and tax data. The logo that security firm Codenomicon designed to represent Heartbleed.

Bailey explained that, though the amount of data lost was incredible, the actual vulnerability was deviously simple: when a user visits a website OpenSSL may make use of a request-response protocol called Heartbeat, to test if it should keep a connection alive. In the protocol, a client sends some data to the server and the server echoes that data back to the client to indicate it is still alive.

Where the bug comes in: if a client sends a small amount of data to be echoed, but asks for a large amount of data for the response, servers using the software will automatically fill in the additional data with whatever else they have on memory. It’s a bit like finding a sleepy cashier at a convenience store. You ask him whether he’s still awake and can give you your change, and he nods his head, his eyelids drooping. You casually ask for twenty dollars when he was supposed to hand you a penny, and, half-asleep, he hands it over. By the time he’s come to his senses, you’re long gone.

“All you have to do is send one byte and then a request for the server to send 10,000 back,” Bailey said. “The server could then send you security keys, perhaps patient medical information, bitcoins, even root passwords which you can use to then access the server’s hard disk and steal everything else it has stored on there. Once you have root access codes from the server’s operating memory, you can keep accessing deeper layers of security.”

The logo that security firm Codenomicon designed to represent Heartbleed.
The logo that security firm Codenomicon designed to represent Heartbleed.
Bailey’s paper also noted that the data theft wasn’t just restricted to web site servers. Servers running e-mail services, video streaming, and any other kind of data transmitted over the Internet, could be accessed and exploited just as easily as websites.

His paper also detailed the web community’s reconstruction efforts to prevent their data from being exploited again. OpenSSL recommended that websites patch their security infrastructure and renew their certificates to prevent themselves from being exploited again the same way.

Unfortunately, though websites patched their servers, Bailey’s team found that many of them didn’t actually change root passwords or security keys. This means that even if hackers can’t request the data the same way they did before, they could still have the root access they stole earlier, and could still access many of the sites and services that are supposedly patched up now.

Though some of what it revealed is alarming, much of the paper’s research uncovered fast responses to the bug and revealed an Internet community that is very agile when responding to threats and responsive when alerting hosts of the dangers. Within 48 hours, all of the Alexa top 100 domains had patched their security software, and by June 4, almost a month after the disclosure, only 3.1 percent of the top million domains in the world were still vulnerable, according to sampling by Bailey’s team.

Bailey is thrilled to have won the award itself, and described the paper as a dream to work on.

“Usually in empirical work, the research aspect is pretty ugly because things don’t turn out the way you expect, and that’s how it should be,” he said. “It was just an absolute joy to write this paper and it was a perfect example of the right team of people fortuitously coming together, being able to test the vulnerability in a way that didn’t challenge us ethically, and everything just coming together the right way.”