Computer Scientists Win Best Paper Award at 2014 ACM Internet Measurement Conference

The research team performed a comprehensive, measurement-based analysis of the impact of the recent Heartbleed vulnerability.

Heartbleed team Enlarge
L-R: Zakir Durumeric, Prof. Halderman, and David Adrian

A team of computer scientists including Prof. J. Alex Halderman, CSE graduate student and lead co-author Zakir Durumeric, and CSE graduate students James Kasten and David Adrian, has won a Best Paper Award at the 2014 ACM Internet Measurement Conference, which took place November 5-7 in Vancouver, BC, Canada.

The paper, “The Matter of Heartbleed,” performs a comprehensive, measurement-based analysis of the impact of the recent Heartbleed vulnerability, which was one of the most consequential security lapses of the modern commercial Internet, and the server operator community’s response to it. The paper’s authors also include lead co-author Frank Li, Michael Bailey (who was on the faculty at Michigan at the time of the writing), Nicholas Weaver, Johanna Amann, Jethro Beekman, Mathias Payer, and Vern Paxson.

In March 2014, Google researchers found a catastrophic vulnerability in OpenSSL, the cryptographic library used to secure connections in popular server products. While OpenSSL has had several notable security issues during its 16 year history, this flaw – the Heartbleed vulnerability, so named because it is related to OpenSSL’s TLS Heartbeat Extension – was one of the most impactful. Heartbleed allowed attackers to read sensitive memory from vulnerable servers, potentially including cryptographic keys, login credentials, and other private data. Exacerbating its severity, the bug was simple to understand and exploit. Initially kept private by Google as part of responsible disclosure efforts, the vulnerability was made public by OpenSSL on April 7, 2014.

The authors used the internet scanning tool ZMap – developed at Michigan by Durumeric and Halderman – to track the impact of Heartbleed, performing regular vulnerability scans against the Alexa Top 1 Million domains and against 1% samples of the public, non-reserved IPv4 address space. With ZMap, the researchers were able to gauge not only the extent of the vulnerability (an estimated 24-55% of HTTPS websites were vulnerable), but also the community’s response in applying patches and in generating new cryptographic keys and revoking compromised certificates. The researchers were able to significantly help to mitigate the exposure caused by the vulnerability, as described in the article, Heartbleed: Behind the Scenes at CSE. The vulnerability notifications sent to operators of hundreds of thousands of servers and increased the rate of patching in this population by almost 50%.

In the paper, the researchers use their results to highlight weaknesses in the security ecosystem, to suggest improved techniques for recovery, and to identify important areas for future research.

Prof. Halderman is a noted computer security expert whose research places an emphasis on problems that broadly impact society and public policy. His interests include software security, network security, data privacy, anonymity, electronic voting, censorship resistance, digital rights management, computer forensics, ethics, and cybercrime, as well as the interaction of technology with law, governmental regulation, and international affairs. He is the director of the Center for Computer Security and Society.