1
HEARTBLEED: Technical Description and Fixes
- Syed Shamsudheen
2
HEARTBEAT
3
HeartBeat Extension to TLS - keep-alive – Similar to Ping
An alternative to a costly process (continuous data transfer) for determining whether the peer is alive or not. For every request message sent by the client, the server has to answer, that is, send a reply to the client immediately. Implemented in 2012 by RFC 6520 [11].
4
HeartBeat
HeartbeatRequest message and HeartbeatResponse message.
A HeartbeatRequest message from the client can arrive at almost any time during the lifetime of a connection. No more than one HeartbeatRequest message may be in flight at a time. If there is no response within a particular amount of time, a timeout occurs: TLS terminates the connection; DTLS retransmits the HeartbeatRequest message.
src: [1]
5
HEARTBLEED
6
HeartBleed
Found by Neel Mehta, a Google computer security employee, on 21 March. ‘HeartBleed’ = ‘Heart’ (vulnerability in the HeartBeat protocol) + ‘Bleed’ (data leakage). It happens due to improper input validation of the HeartbeatRequest message.
7
HeartBleed
src: [2]
Sensitive information will not be received every time, because the location where the data is stored on the server side is random.
8
TECHNICAL DETAIL
9
OPENSSL
OpenSSL is an open-source library written in C that is used for the SSL/TLS protocols, with the HeartBeat extension. It was initiated in 1998; as of 2014, two thirds of sites were using OpenSSL.
10
HeartBeatMessage in OPENSSL
src: [3], [4]
11
Processing HeartBeatRequest Message
src: [4]
15
HeartBeatResponse Message
src: [4]
19
In Memory Buffer UnderFlow src: [5]
20
IMPACT
21
Impact
Clients' sensitive information: passwords, private communication messages, financial details, anything that is worth protecting. Servers' sensitive information: session IDs, different tokens, secret keys. Mail servers, firewalls, VPNs, Android, TOR, and operating systems (like Debian Wheezy, Ubuntu LTS and more) that shipped a potentially vulnerable OpenSSL [3].
22
HeartBleed on YAHOO! src: [6]
23
HeartBleed on Websites!
src: [7]
Shodan in 2017 shows that nearly 200,000 websites (0.0002% [12] of the sites available online) are still vulnerable to HeartBleed [8]. Because of this information leakage, as per Pew Research Center, “39% of internet users have changed passwords or canceled accounts; 6% think their personal information was swiped” [9].
24
SOLUTION
25
SOLUTION
OpenSSL 1.0.1g fixed the Heartbleed bug on 7 April 2014 [10] and enabled it by default. The SSL3 structure (s3->rrec) will have the correct record length. If any one of the below conditions is true, as per RFC 6520 sec. 4 [11], the server has to discard the message silently.
src: [5]
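The length validation described above, as an added example: this is not code from the presentation or from OpenSSL. It assumes the RFC 6520 message layout (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding); the names hb_build_response and hb_demo are hypothetical, and the sample records are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1u   /* heartbeat_request (RFC 6520) */
#define HB_RESPONSE 2u   /* heartbeat_response (RFC 6520) */
#define HB_HEADER   3u   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16u  /* minimum padding length (RFC 6520) */

/* Hypothetical helper, not OpenSSL's API. Builds a response in out[] from
 * the received record rec[0..rec_len). Returns the response length, or -1
 * when the request must be silently discarded. */
int hb_build_response(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    /* Check 1: record must hold at least the header and minimum padding. */
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return -1;

    /* payload_length is sender-controlled: treat it as a claim only. */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* Check 2: header + claimed payload + padding must fit in the bytes
     * actually received. Omitting this comparison is the improper input
     * validation: the copy below would then read past the record. */
    if (HB_HEADER + claimed + HB_MIN_PAD > rec_len)
        return -1;

    size_t resp_len = HB_HEADER + claimed + HB_MIN_PAD;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);  /* echo payload */
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PAD);   /* zero here; RFC asks for random padding */
    return (int)resp_len;
}

/* Constructed sample record: header says `claimed` payload bytes, but only
 * `actual` payload bytes (plus padding) are really present. */
int hb_demo(size_t claimed, size_t actual)
{
    uint8_t rec[64] = {HB_REQUEST, (uint8_t)(claimed >> 8), (uint8_t)claimed};
    uint8_t out[128];
    if (actual > sizeof rec - HB_HEADER - HB_MIN_PAD)
        return -2;                                      /* sample too large */
    memset(rec + HB_HEADER, 'A', actual);
    return hb_build_response(rec, HB_HEADER + actual + HB_MIN_PAD,
                             out, sizeof out);
}
```

A request whose claimed length matches what was received is echoed; one that claims more than the record holds is dropped without a reply.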
26
CONCLUSION
27
CONCLUSION
HeartBleed is without any doubt one of the biggest stains on today’s fast-moving internet. The bug went undetected for more than 2 years. Now the question is: did anyone else notice it and just not tell the world? And have they been using it, quietly extracting information ever since? Well, this is a hard question for which we don’t have an answer currently. Only time will tell how much damage it caused in the past.
28
REFERENCES
[1]. Acunetix (2017, March 22). TLS/SSL Explained – Examples of a TLS Vulnerability and Attack, Final Part. Retrieved May 9, 2017, from vulnerabilities-attacks-final-part/
[2]. Heartbleed. (2017, April 14). In Wikipedia. Retrieved from
[3]. Durumeric, Z., Kasten, J., Adrian, D., Halderman, J. A., Bailey, M., Li, F., Paxson, V. (2014). The Matter of Heartbleed. In Proceedings of the 2014 Conference on Internet Measurement Conference (pp. 475–488). New York, NY, USA: ACM.
[4]. Anatomy of OpenSSL’s Heartbleed: Just four bytes trigger horror bug. Retrieved May 9, 2017, from
[5]. A technical view of the OpenSSL ‘Heartbleed’ vulnerability. (n.d.). Retrieved May 8, 2017, from fe9-812a-10b7869e4a87/document/ab12b05b-9f e22bd5408c/media
[6]. Anatomy of OpenSSL’s Heartbleed: Just four bytes trigger horror bug. Retrieved May 9, 2017, from
29
REFERENCES
[7]. Rubenking, B. N. J., April 10, 2014, & Comments, 14. (n.d.). Heartbleed: How It Works. Retrieved May 9, 2017, from
[8]. Heartbleed Report ( ). (n.d.). Retrieved May 8, 2017, from
[9]. Rainie, L., & Duggan, M. (2014, April 30). Heartbleed’s Impact. Retrieved May 9, 2017, from
[10]. Durumeric, Z., Kasten, J., Adrian, D., Halderman, J. A., Bailey, M., Li, F., Paxson, V. (2014). The Matter of Heartbleed. In Proceedings of the 2014 Conference on Internet Measurement Conference (pp. 475–488). New York, NY, USA: ACM.
[11]. Tuexen, M., Seggelmann, R., & Williams, M. (n.d.). Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension. Retrieved May 9, 2017, from
[12]. Total number of Websites. (n.d.). Retrieved May 12, 2017, from
30
QUESTIONS!