This paper proposes a co-design adaptive defense scheme against a class of zero-day buffer over-read attacks that follow unknown stationary probability distributions. In particular, the co-design scheme integrates an improved UCB algorithm and a customized server. The improved UCB algorithm adaptively allocates guard pages on a heap based on induced damage of the guard pages so as to minimize the accumulated damage over time. The security damages of the improved UCB algorithm are proven to be always below a temporal bound without knowing which attack is launched when the buffer allocation follows a certain stationary probability distribution. Then an efficient server modification is introduced to randomly allocate buffers. Moreover, the damages of our scheme asymptotically converge to those of the optimal defense policy where the launched attacks and their distributions are known in advance. Further, the co-design scheme is evaluated with several real-world Heartbleed attacks. The experiment results demonstrate the validity of the upper bound and show that the adaptive defense is effective against all the attacks of interest with runtime overheads as low as 5%.

中文翻译：

---

一种针对类似 Heartbleed 的攻击具有有限安全损害的协同设计自适应防御方案


本文提出了一种针对遵循未知平稳概率分布的一类零日缓冲区过度读取攻击的协同设计自适应防御方案。特别是，协同设计方案集成了改进的UCB算法和定制的服务器。改进的UCB算法根据保护页的诱导损坏自适应地在堆上分配保护页，从而最小化随着时间的推移累积的损坏。改进的UCB算法被证明，当缓冲区分配遵循一定的平稳概率分布时，在不知道发起哪种攻击的情况下，改进的UCB算法的安全损害总是低于时间界限。然后引入有效的服务器修改来随机分配缓冲区。此外，我们的方案的损害渐近收敛于最优防御策略的损害，其中所发起的攻击及其分布是预先已知的。此外，还通过几次现实世界的 Heartbleed 攻击对协同设计方案进行了评估。实验结果证明了上限的有效性，并表明自适应防御对于所有感兴趣的攻击都是有效的，运行时开销低至 5%。