A co-design adaptive defense scheme with bounded security damages against Heartbleed-like attacks

This paper proposes a co-design adaptive defense scheme against a class of zero-day buffer over-read attacks that follow unknown stationary probability distributions. In particular, the co-design scheme integrates an improved UCB algorithm and a customized server. The improved UCB algorithm adaptively allocates guard pages on a heap based on induced damage of the guard pages so as to minimize the accumulated damage over time. The security damages of the improved UCB algorithm are proven to be always below a temporal bound without knowing which attack is launched when the buffer allocation follows a certain stationary probability distribution. Then an efficient server modification is introduced to randomly allocate buffers. Moreover, the damages of our scheme asymptotically converge to those of the optimal defense policy where the launched attacks and their distributions are known in advance. Further, the co-design scheme is evaluated with several real-world Heartbleed attacks. The experiment results demonstrate the validity of the upper bound and show that the adaptive defense is effective against all the attacks of interest with runtime overheads as low as 5%.