HEARTBLEED: Technical Description and Fixes

HEARTBLEED: Technical Description and Fixes - Syed Shamsudheen

HEARTBEAT

HeartBeat The Heartbeat extension to TLS and DTLS is a keep-alive mechanism, similar to ping. It lets one peer check that the other is still alive without the costly alternatives (keeping application data flowing, or renegotiating the session). For every HeartbeatRequest a peer sends, the receiver must answer immediately with a HeartbeatResponse carrying an exact copy of the request's payload. Specified in RFC 6520, published in February 2012 [11]; the extension was motivated mainly by DTLS, which runs over UDP and otherwise has no keep-alive or path MTU discovery of its own.

HeartBeat Two message types: HeartbeatRequest and HeartbeatResponse. A HeartbeatRequest can arrive almost at any time during the lifetime of a connection (it should not be sent during the handshake), and either peer may send one. Not more than one HeartbeatRequest may be in flight at a time. No response within the expected time means a timeout: in TLS the connection is terminated; in DTLS the HeartbeatRequest is retransmitted, and the connection is terminated only after repeated failures. src: [1]

HEARTBLEED

HeartBleed Found by Neel Mehta of Google's security team on 21 March 2014, found independently by Codenomicon shortly afterwards (who gave it its name and logo), and publicly disclosed on 7 April 2014 as CVE-2014-0160. 'HeartBleed' = 'Heart' (a bug in OpenSSL's implementation of the Heartbeat extension; the protocol itself is sound) + 'Bleed' (data leakage). It is caused by missing input validation of the HeartbeatRequest: the payload_length claimed by the sender is trusted and never compared with the amount of data actually received.

HeartBleed src: [2] Not every response contains sensitive data: the leaked bytes are whatever happened to lie next to the request buffer in the peer's process memory, so the contents vary from one request to the next, and because payload_length is a 16-bit field, up to 64 KB come back per request.

TECHNICAL DETAIL

OPENSSL OpenSSL is an open-source SSL/TLS library written in C; the Heartbeat extension is one of its features, and the bug lives in that code. The project started in 1998; as of 2014, roughly two thirds of active websites were served by software using OpenSSL [3].

HeartBeatMessage in OPENSSL (figure: the HeartbeatMessage structure; src: [3], [4])

Processing HeartBeatRequest Message (four slides stepping through the request-handling code; src: [4])

HeartBeatResponse Message (four slides stepping through the response construction; src: [4])

In-Memory Buffer Over-read (the original slide calls it an underflow; the defect is a memcpy that reads past the end of the received record, i.e. an over-read) src: [5]

IMPACT

Impact User data held by servers: passwords, private messages, financial details, anything worth protecting. Server secrets: session IDs, cookies and other tokens, and the server's private key, which lets an attacker impersonate the server or, when forward secrecy was not in use, decrypt recorded traffic. The bug is bidirectional: a malicious server can send heartbeats to a vulnerable client and read its memory too. Mail servers, firewalls, VPN appliances, Android 4.1.1, Tor, and operating systems (Debian Wheezy, Ubuntu 12.04.4 LTS and more) shipped a vulnerable OpenSSL [3].

HeartBleed on YAHOO! (figure; src: [6])

HeartBleed on Websites! src: [7] A Shodan report from January 2017 still counts nearly 200,000 Heartbleed-vulnerable hosts [8], on the order of 0.01% of the roughly 1.8 billion websites online at the time [12] (Shodan counts exposed services rather than websites, so the two figures are not strictly comparable). Because of this information leakage, as per Pew Research Center, "39% of internet users have changed passwords or canceled accounts; 6% think their personal information was swiped" [9].

SOLUTION

SOLUTION OpenSSL 1.0.1g, released 7 April 2014, fixed the bug [10]; versions 1.0.1 through 1.0.1f (and 1.0.2-beta1) are affected, while 0.9.8 and 1.0.0 never contained the Heartbeat code. Sites that could not upgrade immediately could rebuild OpenSSL with -DOPENSSL_NO_HEARTBEATS to disable the extension entirely. The fix checks the claimed payload_length against the true record length kept in the SSL3 record structure (s->s3->rrec.length). If either of the following conditions is true, the message is discarded silently, as RFC 6520 sec. 4 requires [11]: (1) the record is shorter than 1 + 2 + 16 bytes (type, length field, minimum padding), so it cannot hold a valid message at all; (2) 1 + 2 + payload_length + 16 exceeds the record length, i.e. the sender claims more payload than it actually sent. Patching the library is not the whole remedy: anything that may already have been leaked (private keys, and therefore certificates; session tokens; passwords) has to be reissued or rotated. src: [5]
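The request processing walked through on the "Processing HeartBeatRequest Message" slides and the two checks in the fix above, as an added example in C that is not OpenSSL's own code: process_heartbeat_vulnerable mirrors the pre-1.0.1g logic (payload_length taken from the message and handed straight to memcpy), process_heartbeat_fixed adds the two RFC 6520 checks, and a static arena stands in for process memory so the over-read stays inside memory the program owns. The function names, the arena, and the SECRET string are constructed for the example; real OpenSSL reads the record length from s->s3->rrec.length and fills the padding with RAND_pseudo_bytes.

```c
/*
 * Added example (not OpenSSL's code): HeartbeatRequest -> HeartbeatResponse,
 * first with the pre-1.0.1g logic, then with the 1.0.1g checks.
 *
 * Wire format of a HeartbeatMessage (RFC 6520, section 4):
 *   type            1 byte   (1 = HeartbeatRequest, 2 = HeartbeatResponse)
 *   payload_length  2 bytes  big-endian
 *   payload         payload_length bytes
 *   padding         at least 16 bytes, ignored by the receiver
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16          /* minimum padding required by RFC 6520 */

/* Constructed "process memory": the received record sits at the start and a
 * constructed secret follows it, the way a neighbouring heap object would. */
#define ARENA_SIZE 70000
static unsigned char arena[ARENA_SIZE];
static const char SECRET[] = "session=deadbeef; password=hunter2";   /* constructed */

typedef int (*hb_handler)(const unsigned char *rec, size_t rec_len, unsigned char **resp);

/* Writes a HeartbeatRequest at dst and returns its length. claimed_len goes on
 * the wire as payload_length; actual_len is how many payload bytes really follow. */
static size_t build_request(unsigned char *dst, uint16_t claimed_len,
                            const unsigned char *payload, size_t actual_len)
{
    dst[0] = HB_REQUEST;
    dst[1] = (unsigned char)(claimed_len >> 8);
    dst[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(dst + 3, payload, actual_len);
    memset(dst + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

/* Allocates a HeartbeatResponse echoing `payload` bytes from pl. Shared by both
 * handlers: this memcpy is the one that over-reads when payload_length is a lie. */
static int build_response(const unsigned char *pl, unsigned payload, unsigned char **resp)
{
    unsigned char *buffer = malloc(1 + 2 + (size_t)payload + HB_PADDING);
    if (!buffer)
        return -1;
    unsigned char *bp = buffer;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);            /* copies whatever follows pl, record or not */
    bp += payload;
    memset(bp, 0, HB_PADDING);          /* OpenSSL fills this with RAND_pseudo_bytes */
    *resp = buffer;
    return (int)(3 + payload + HB_PADDING);
}

/* Pre-1.0.1g logic: payload_length is read from the message and trusted. */
static int process_heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                        unsigned char **resp)
{
    (void)rec_len;                                       /* the bug: never consulted */
    unsigned hbtype  = rec[0];
    unsigned payload = ((unsigned)rec[1] << 8) | rec[2]; /* attacker-controlled */
    if (hbtype != HB_REQUEST)
        return 0;
    return build_response(rec + 3, payload, resp);
}

/* 1.0.1g logic: both RFC 6520 checks run before the payload is touched; a
 * failing check discards the message silently (return 0, no response sent). */
static int process_heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                                   unsigned char **resp)
{
    if (1 + 2 + HB_PADDING > rec_len)                    /* too short for any message */
        return 0;
    unsigned hbtype  = rec[0];
    unsigned payload = ((unsigned)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len)          /* claims more than was sent */
        return 0;
    if (hbtype != HB_REQUEST)
        return 0;
    return build_response(rec + 3, payload, resp);
}

/* Sends a 2-byte request that claims 65535 bytes of payload and returns how many
 * bytes of SECRET came back in the response (0 when the message was discarded). */
static int leaked_secret_bytes(hb_handler handler)
{
    size_t rec_len = build_request(arena, 0xFFFF, (const unsigned char *)"hi", 2);
    memcpy(arena + rec_len, SECRET, sizeof SECRET);
    unsigned char *resp = NULL;
    int n = handler(arena, rec_len, &resp);
    int leaked = 0;
    /* The response payload mirrors memory from rec+3 onward, so the bytes that
     * sat at arena+rec_len reappear at resp+rec_len. */
    if (n > 0 && (size_t)n >= rec_len + sizeof SECRET &&
        memcmp(resp + rec_len, SECRET, sizeof SECRET) == 0)
        leaked = (int)strlen(SECRET);
    free(resp);
    return leaked;
}

/* A well-formed 2-byte request: both handlers must answer with a 21-byte
 * response (3 header + 2 payload + 16 padding) that echoes the payload. */
static int valid_request_response_len(hb_handler handler)
{
    unsigned char rec[64];
    size_t rec_len = build_request(rec, 2, (const unsigned char *)"hi", 2);
    unsigned char *resp = NULL;
    int n = handler(rec, rec_len, &resp);
    if (n > 0 && (resp[0] != HB_RESPONSE || memcmp(resp + 3, "hi", 2) != 0))
        n = -2;                                          /* answered, but wrongly */
    free(resp);
    return n;
}

int main(void)
{
    printf("vulnerable: %d secret bytes leaked\n", leaked_secret_bytes(process_heartbeat_vulnerable));
    printf("fixed:      %d secret bytes leaked\n", leaked_secret_bytes(process_heartbeat_fixed));
    return 0;
}
```

The only difference between the two handlers is the pair of length checks; the echo code, including the memcpy, is identical. That is the whole fix in 1.0.1g: the copy was never wrong, the trust in the attacker-supplied length was.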

CONCLUSION

CONCLUSION Heartbleed is without doubt one of the biggest stains on today's fast-moving internet. The bug went undetected for more than two years (it shipped in OpenSSL 1.0.1 in March 2012). The open question is whether anyone else noticed it, kept quiet, and has been quietly extracting information ever since. That is a hard question for which we currently have no answer; only time will tell how much damage it caused in the past.

REFERENCES
[1] Acunetix (2017, March 22). TLS/SSL Explained – Examples of a TLS Vulnerability and Attack, Final Part. Retrieved May 9, 2017, from https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/
[2] Heartbleed. (2017, April 14). In Wikipedia. Retrieved from https://en.wikipedia.org/w/index.php?title=Heartbleed&oldid=775427692
[3] Durumeric, Z., Kasten, J., Adrian, D., Halderman, J. A., Bailey, M., Li, F., Weaver, N., Amann, J., Beekman, J., Payer, M., & Paxson, V. (2014). The Matter of Heartbleed. In Proceedings of the 2014 Internet Measurement Conference (pp. 475–488). New York, NY, USA: ACM. https://doi.org/10.1145/2663716.2663755
[4] Anatomy of OpenSSL's Heartbleed: Just four bytes trigger horror bug. (2014, April 9). The Register. Retrieved May 9, 2017, from https://www.theregister.co.uk/2014/04/09/heartbleed_explained/
[5] A technical view of the OpenSSL 'Heartbleed' vulnerability. (n.d.). IBM developerWorks. Retrieved May 8, 2017, from https://www.ibm.com/developerworks/community/files/basic/anonymous/api/library/38218957-7195-4fe9-812a-10b7869e4a87/document/ab12b05b-9f07-4146-8514-18e22bd5408c/media
[6] Same as [4].
[7] Rubenking, N. J. (2014, April 10). Heartbleed: How It Works. PCMag. Retrieved May 9, 2017, from http://www.pcmag.com/article2/0,2817,2456359,00.asp
[8] Heartbleed Report (2017-01). (n.d.). Shodan. Retrieved May 8, 2017, from https://www.shodan.io/report/DCPO7BkV
[9] Rainie, L., & Duggan, M. (2014, April 30). Heartbleed's Impact. Pew Research Center. Retrieved May 9, 2017, from http://www.pewinternet.org/2014/04/30/heartbleeds-impact/
[10] Same as [3].
[11] Seggelmann, R., Tuexen, M., & Williams, M. (2012, February). Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension (RFC 6520). Retrieved May 9, 2017, from https://tools.ietf.org/html/rfc6520
[12] Total number of Websites. (n.d.). Internet Live Stats. Retrieved May 12, 2017, from http://www.internetlivestats.com/total-number-of-websites/

QUESTIONS!