Heartbleed A Review

Upload: punit-goswami

Post on 16-Jul-2015


Page 1: Heartbleed

Heartbleed: A Review

Page 2: Heartbleed

What is Heartbleed?

Acclimatising with the Heartbeat Protocol

Page 3: Heartbleed

Let’s start with the internet…

• A cheap and reliable method to interconnect machines

Page 4: Heartbleed

Let’s start with the internet…

• In turn provides a robust and “smart” layer of communication, worldwide

Page 5: Heartbleed

Let’s start with the internet…

• But to make this channel “smart”, we need to follow some rules or protocols

Page 6: Heartbleed

How the internet works...

• Much of the internet relies on a cryptographic software library named OpenSSL to ensure that messages are delivered only to their intended recipients.

• Open Source

• Free

• Widely adopted and implemented

Page 7: Heartbleed

OpenSSL and Heartbeat Protocol

• OpenSSL includes a protocol extension named Heartbeat.

• It negotiates and monitors the availability of a resource.

• It generates a signal that indicates normal operation, or that is used to synchronize other parts of a system.

Page 8: Heartbleed

Usage of Heartbeat Protocol

• Is the device on the other end up?

• Is the device on the other end actually who it declares it is?

• The device could be a client or a server.

• Platform independent and device-scale independent.

Page 9: Heartbleed

Practically.....

• Active login sessions

• Website security certifications

• E-Commerce

• E-Governance

• Internet Banking

• Social networking

Page 10: Heartbleed

HEARTBLEED

The Flaw in Heartbeat Protocol…

Page 11: Heartbleed

How Heartbeat Protocol Works...

• Continuous pinging between devices over the network.

• A reply from the other end shows that that device is online.

• No reply indicates that the other end is down.

• Both devices ping each other and reply to each other's Heartbeat requests.

Page 12: Heartbleed

How Heartbeat Protocol Works...

Arguments of a Heartbeat Request

I. Payload: contains some text information which is generated on both ends.

II. Size: gives the size of the payload.

Page 13: Heartbleed

How Heartbeat Protocol Works...

Device on the other end:

• Finds the Payload in its active memory

• Counts the number of characters to be sent using Size

• Returns the text info

The first device is thereby assured that the other end is online.

Page 14: Heartbleed

Normal Heartbeat Request

Page 15: Heartbleed

The Flaw...

• No bounds-check mechanism.

• Inherited from the C language that this software library is written in: C does not check array bounds on the programmer's behalf.

• A maliciously crafted Heartbeat request with mismatching Payload and Size arguments would still work.

Page 16: Heartbleed

The Flaw...

A Heartbeat request with

• a small Payload argument

• a larger Size argument

returns extra data from the active memory of the replying device.

This provides unauthorised access to data which should have been hidden and abstracted away.

Page 17: Heartbleed

Malicious Heartbeat Request
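The exchange from the "How Heartbeat Protocol Works" slides and the Payload/Size mismatch shown here, as an added illustration in C that is not part of these slides and is not OpenSSL's code. It is a simplified responder model: a fixed byte array stands in for process memory, so the over-read stays inside that array instead of being real undefined behaviour. The names `build_request`, `respond_vulnerable`, `respond_fixed` and `leaks_secret` are hypothetical; the record layout (type, two-byte length, payload, 16 bytes of padding) follows the Heartbeat extension. The vulnerable responder trusts the Size field; the hardened one applies the bounds check of the fix: the declared payload must fit inside the record actually received, otherwise the request is dropped.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified model (added example, not OpenSSL's code). g_mem stands in for
   process memory: the heartbeat record sits at the front, and unrelated
   "secret" data follows it. Record layout on the wire:
   type(1) | payload_length(2, big-endian) | payload | padding(16). */

#define MEM_SIZE   128
#define HB_PADDING 16
#define HB_REQUEST 1

static unsigned char g_mem[MEM_SIZE];   /* simulated process memory */

/* Write a heartbeat request into g_mem, followed by a secret that a correct
   responder must never echo. declared_len is what the sender puts in the Size
   field; actual_len is how many payload bytes are really present. Returns the
   number of bytes that actually arrived (the true record length). */
size_t build_request(const unsigned char *payload, size_t actual_len,
                     uint16_t declared_len, const char *secret)
{
    size_t rec_len = 1 + 2 + actual_len + HB_PADDING;
    memset(g_mem, 0, sizeof g_mem);
    g_mem[0] = HB_REQUEST;
    g_mem[1] = (unsigned char)(declared_len >> 8);
    g_mem[2] = (unsigned char)(declared_len & 0xff);
    memcpy(g_mem + 3, payload, actual_len);
    /* padding stays zero; the "rest of memory" after the record holds a secret */
    memcpy(g_mem + rec_len, secret, strlen(secret));
    return rec_len;
}

/* Vulnerable responder: trusts the Size field and copies that many bytes from
   where the payload starts. Returns the number of bytes echoed. */
size_t respond_vulnerable(size_t rec_len, unsigned char *out, size_t out_cap)
{
    (void)rec_len;                          /* the true record size is never consulted */
    size_t n = ((size_t)g_mem[1] << 8) | g_mem[2];
    if (n > out_cap) n = out_cap;
    if (3 + n > MEM_SIZE) n = MEM_SIZE - 3; /* keeps the model inside g_mem; the real library had no such clamp */
    memcpy(out, g_mem + 3, n);              /* echoes n bytes even if the payload was shorter */
    return n;
}

/* Hardened responder: the bounds check of the fix, expressed for this model.
   Header + declared payload + padding must fit inside the record actually
   received; otherwise the request is silently dropped. Returns bytes echoed. */
size_t respond_fixed(size_t rec_len, unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;        /* too short to carry a Size field */
    size_t n = ((size_t)g_mem[1] << 8) | g_mem[2];
    if (1 + 2 + n + HB_PADDING > rec_len) return 0;    /* Size larger than the record: drop */
    if (n > out_cap) return 0;
    memcpy(out, g_mem + 3, n);
    return n;
}

/* Check helper: does the echoed reply contain the secret string? */
int leaks_secret(const unsigned char *out, size_t out_len, const char *secret)
{
    size_t s = strlen(secret);
    for (size_t i = 0; i + s <= out_len; i++)
        if (memcmp(out + i, secret, s) == 0) return 1;
    return 0;
}
```

The check is the whole fix: a request whose Size exceeds the bytes actually received is discarded rather than answered, so nothing beyond the record is ever copied into the reply. With an honest request (Size equal to the payload length) both responders behave identically, which is why the flaw stayed unnoticed in normal operation.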

Page 18: Heartbleed

Aftermath...

• Platform independence of OpenSSL makes practically every machine on the internet vulnerable to this flaw.

• Not a bug or a virus but an inherent flaw, so exploitation leaves no trace: the breaches never get logged or detected.

• This bleeding of confidential data can happen to both sides – the servers as well as the clients.

Page 19: Heartbleed

Aftermath...

• Only 64 kB of data can be sent back in a single Heartbeat reply, but there is no limit on how many times these 64 kB chunks can be retrieved.

• Not only devices but also services can be exploited.

Page 20: Heartbleed

What's worse...?

• Security certificates and their private keys could be stolen, allowing malicious impersonation of secure services.

• Changing your username or password doesn't help if the service is still not patched against the vulnerability.

• Since the breach never gets detected, one can never know whether one has been attacked.

Page 21: Heartbleed

What's worse...?

• Those who kept their software updated were the ones affected, undermining the rule of thumb of "keeping it updated".

• With a compromised certificate's private key, one can easily decrypt previously captured traffic (where the sessions did not use forward secrecy), without ever being detected.

• More than 67 percent of servers on Earth use OpenSSL, including Google, Facebook and Yahoo.

Page 22: Heartbleed

TACKLING HEARTBLEED

Getting over a Heartbleed…

Page 23: Heartbleed

Tackling Heartbleed

Three primary approaches to removing this flaw:

• Upgrading to OpenSSL version 1.0.1g, which has patched this flaw.

• Removing the Heartbeat functionality altogether by recompiling OpenSSL without the Heartbeat extension.

• Applying the patch oneself by correcting and recompiling the source code.

Page 24: Heartbleed

Tackling Heartbleed

• Stolen security keys need to be revoked and reissued.

What can an end-user do?

• Do nothing. Refrain from logging into services until they are patched.

Page 25: Heartbleed

LESSONS LEARNT

What the most horrifying breach in Internet history teaches us …

Page 26: Heartbleed

Lessons Learnt

• Open Source makes flaw discovery and correction a faster process.

• Inclusion of new features needs more scrutiny.

• Open Source projects need to be well funded.

• Adoption of a new piece of code should be accompanied by negative testing of it.

Page 27: Heartbleed

Lessons Learnt

• You are never completely safe, even if you follow the best practices.

• There are no “best practices”.

Page 28: Heartbleed