Heartbleed vs. Heartblead: Why IPS Pattern Matching Makes for Poor Security
Heartbleed vs. Heartblead
What difference does an “a” make? To our malleable, creative brains, a typo might not really change the meaning of a word or sentence too much. But to our trusty security systems that process packets at wire speed, pulling out patterns and payloads, it could make the difference between blocking malicious traffic and leaking sensitive data.
There’s a long-standing debate in security circles about the effectiveness of pattern matching signatures. Some security products continue to subsist on pattern-based signatures as the sole source of protection. This quite often lulls one into a false sense of security which, in many cases, is worse than no security at all.
Not Another Post About Heartbleed, Please!
Heartbleed does make for an interesting case study and, in this case, a perfect example of the ineffectiveness of pattern matching signatures to protect against real-world threats.
The day the OpenSSL Heartbleed vulnerability was publicly disclosed, ICS-CERT and the FBI published a list of recommended Snort signatures that could be used to prevent an exploit from plundering private data. There were a large number of signatures, in fact, and one might think that after the painstaking process of copying and pasting them into place, you could check the box for Heartbleed protection and go about your day.
The problem is that these signatures are more or less ineffective against any kind of “mutated exploit,” a variation of an attack that changes an “e” to an “a,” for example, and slides through completely undetected. Security and networking guru Robert Graham posted an excellent blog about how a slight tuning of his masscan tool was able to easily evade this kind of pattern-based detection by changing the timing of packets and the position of the payload.
An even simpler and more relevant evasion has to do with ports. The ICS-CERT signatures hard code a specific set of ports which, while common listeners for SSL connections, are by no means comprehensive. Take for example Plesk Control Panel, which runs on port 8443 and is used by tens if not hundreds of thousands of websites that employ virtual hosting for their server. All of these sites would still be quite vulnerable to a Heartbleed exploit despite having these intrusion prevention system (IPS) rules in place.
Granted, when these signatures were released, most security vendors were scrambling to add protection; as an emergency stopgap, sometimes some protection is better than none at all. Still, those who rely on this type of technology without updating to something more comprehensive would still be open to attack.
Increase Your IPS Protection
As Graham points out in his post, the solution is to use a security system with true protocol analysis decodes. Rather than looking for patterns, protocol analysis can decode the SSL packets and determine where the actual payloads are, regardless of how the packets are sent or received. This type of protection is much more robust and much less susceptible to evasion.
The lesson to remember is that while people are great at spotting patterns without the limitations of a fixed set of rules, IPS devices do far better when they aren’t solely reliant on pattern matching signatures and instead use technology like true protocol analysis decodes as well as heuristic signatures and other behavioral modeling.