Heart Bleed Bug - A case study (Course: Cryptography and Network Security)
0 likes194 views
A case study on Heart Bleed bug.
![20IT021 CRYPTOGRAPHY AND NETWORK SECURITY 4
What’s wrong with implementation???
Heartbeat message structure:
struct
{
HeartbeatMessageType type;
uint16 payload_length;
opaque payload[HeartbeatMessage.payload_length];
opaque padding[padding_length];
} HeartbeatMessage;
/* Read type and payload length first */
hbtype = *p++;
n2s(p, payload);
pl = p;
Incoming Heartbeat message:
/* Enter response type, length and copy payload */
*bp++ = TLS1_HB_RESPONSE;
s2n(payload, bp);
memcpy(bp, pl, payload);
Response Heartbeat message:
hbtype = *p++;
n2s(p, payload);
if (1 + 2 + payload + 16 > s->s3->rrec.length)
return 0; /* silently discard per RFC 6520 sec. 4 */
pl = p;
Fixed Incoming Heartbeat message:](https://image.slidesharecdn.com/heart-bleed-20it021-250710154455-7d534987/85/Heart-Bleed-Bug-A-case-study-Course-Cryptography-and-Network-Security-4-320.jpg)
Heart Bleed Bug - A case study (Course: Cryptography and Network Security)
- 1. Heartbleed Bug– A case study Adri Jovin J J, M.Tech., Ph.D. 20IT021 CRYPTOGRAPHY AND NETWORK SECURITY
- 2. 20IT021 CRYPTOGRAPHY AND NETWORK SECURITY 2 Heartbleed Bug • Vulnerability in OpenSSL cryptographic software library • Allows stealing of information by the SSL/TLS encryption • SSL/TLS- security and privacy over the internet for most applications • Discovered by Riku, Antti and Matti at Codenomicon and Neel Mehta of Google Security and reported on April, 2014 • Allows attackers to eavesdrop on communications steal data directly from the services and users and impersonate services and users } Release of message content Masquerading
- 3. 20IT021 CRYPTOGRAPHY AND NETWORK SECURITY 3 Why heartbleed? Bug discovered in the heartbeat extension of TLS Exploitation leaked contents from server to client and from client to server Left a large amount of private keys and other secrets exposed to the internet Is the protocol specification wrong??? No….problem with implementation…a programming mistake
- 4. 20IT021 CRYPTOGRAPHY AND NETWORK SECURITY 4 What’s wrong with implementation??? Heartbeat message structure: struct { HeartbeatMessageType type; uint16 payload_length; opaque payload[HeartbeatMessage.payload_length]; opaque padding[padding_length]; } HeartbeatMessage; /* Read type and payload length first */ hbtype = *p++; n2s(p, payload); pl = p; Incoming Heartbeat message: /* Enter response type, length and copy payload */ *bp++ = TLS1_HB_RESPONSE; s2n(payload, bp); memcpy(bp, pl, payload); Response Heartbeat message: hbtype = *p++; n2s(p, payload); if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0; /* silently discard per RFC 6520 sec. 4 */ pl = p; Fixed Incoming Heartbeat message:
- 5. 20IT021 CRYPTOGRAPHY AND NETWORK SECURITY 5 What is leaked? 1. Primary key material 2. Secondary key material 3. Protected content 4. Collateral
- 6. 20IT021 CRYPTOGRAPHY AND NETWORK SECURITY 6 Leaked primary key material and recovery Leakage • Encryption keys • Leaked key allows attacker to decrypt any past or future traffic to protected services and impersonate Recovery • Requires vulnerability patch • Revocation of compromised keys • Reissuing/redistribution of new keys
- 7. 20IT021 CRYPTOGRAPHY AND NETWORK SECURITY 7 Leaked secondary key material and recovery Leakage • User credentials used in vulnerable services Recovery • Restore trust • Users can change their password and possible encryption keys • Session keys and session cookies should be invalidated
- 8. 20IT021 CRYPTOGRAPHY AND NETWORK SECURITY 8 Leaked protected content and recovery Leakage • Actual content handled by the vulnerable service (e.g.)personal/financial details Recovery • Provider should inform users of the leakage • Restore trust to the primary and secondary key material
- 9. 20IT021 CRYPTOGRAPHY AND NETWORK SECURITY 9 Leaked collateral and recovery Leakage • Other details exposed to the attacker in the leaked memory content • Technical details such as memory addresses and security measures such as canaries Recovery • Can be fixed using patch
- 10. 20IT021 CRYPTOGRAPHY AND NETWORK SECURITY 10 Vulnerability of OpenSSL • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable • OpenSSL 1.0.1g is NOT vulnerable • OpenSSL 1.0.0 branch is NOT vulnerable • OpenSSL 0.9.8 branch is NOT vulnerable
- 11. 20IT021 CRYPTOGRAPHY AND NETWORK SECURITY 11 Vulnerable Operating Systems • Debian Wheezy (stable), OpenSSL 1.0.1e-2+deb7u4 • Ubuntu 12.04.4 LTS, OpenSSL 1.0.1-4ubuntu5.11 • CentOS 6.5, OpenSSL 1.0.1e-15 • Fedora 18, OpenSSL 1.0.1e-4 • OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012) • FreeBSD 10.0 - OpenSSL 1.0.1e 11 Feb 2013 • NetBSD 5.0.2 (OpenSSL 1.0.1e) • OpenSUSE 12.2 (OpenSSL 1.0.1c)
- 12. 20IT021 CRYPTOGRAPHY AND NETWORK SECURITY 12 Non-vulnerable Operating Systems • Debian Squeeze (oldstable), OpenSSL 0.9.8o-4squeeze14 • SUSE Linux Enterprise Server • FreeBSD 8.4 - OpenSSL 0.9.8y 5 Feb 2013 • FreeBSD 9.2 - OpenSSL 0.9.8y 5 Feb 2013 • FreeBSD 10.0p1 - OpenSSL 1.0.1g (At 8 Apr 18:27:46 2014 UTC) • FreeBSD Ports - OpenSSL 1.0.1g (At 7 Apr 21:46:40 2014 UTC)
- 13. 20IT021 CRYPTOGRAPHY AND NETWORK SECURITY 13 References The Heartbleed Bug “https://heartbleed.com/” What is the Heartbleed bug, how does it work and how was it fixed? “https://www.csoonline.com/article/3223203/what-is- the-heartbleed-bug-how-does-it-work-and-how-was-it-fixed.html” Anatomy of OpenSSL's Heartbleed: Just four bytes trigger horror bug “https://www.theregister.co.uk/2014/04/09/heartbleed_explained/”