Heartbleed
Heartbleed: A Review
What is Heartbleed?
Acclimatising with the Heartbeat Protocol
Let’s start with the internet…
• A cheap and reliable method to interconnect machines
Let’s start with the internet…
• In turn provides a robust and “smart” layer of communication, worldwide
Let’s start with the internet…
• But to make this channel “smart”, we need to follow some rules or protocols
How the internet works....
• The Internet relies on cryptography software named OpenSSL to ensure that messages are delivered only to their legitimate receivers.
• Open Source
• Free
• Widely adopted and implemented
OpenSSL and Heartbeat Protocol
• OpenSSL includes a protocol named Heartbeat
• Negotiates and monitors the availability of a resource.
• Generates a signal that indicates normal operation or to synchronize other parts of a system.
Usage of Heartbeat Protocol
• Is the device on the other end up?
• Is the device on the other end actually who it declares it is?
• Device could be a client or a server.
• Platform independent and device scale independent.
Practically.....
• Active login sessions
• Website security certifications
• E-Commerce
• E-Governance
• Internet Banking
• Social networking
HEARTBLEED
The Flaw in Heartbeat Protocol…
How Heartbeat Protocol Works...
• Continuous pinging between devices over the network.
• A successful reply from the other end denotes that that device is online.
• No ping-back message indicates that the other end is down.
• Both devices ping each other and reply to each other’s Heartbeat requests.
How Heartbeat Protocol Works...
Arguments of a Heartbeat request:
I. Payload: contains some text information, which is generated on both ends.
II. Size: gives the size of the payload.
How Heartbeat Protocol Works...
Device on the other end:
• Finds the Payload in its active memory
• Counts the number of characters to be sent using Size
• Returns the text info
The first device is thereby assured that the other end is online.
Normal Heartbeat Request
The Flaw...
• No bounds-check mechanism.
• Inherited from the C language that this software library is written in.
• A maliciously crafted Heartbeat request with mismatching Payload and Size arguments would still work.
The Flaw...
Heartbeat request with
• Small Payload argument
• Larger Size argument
Returns extra data from the active memory of the replying device.
Provides unauthorised access to data which should have been hidden and abstracted.
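The request handling described above, as an added example in C that is not part of the original slides: a constructed memory image holds an honest 2-byte request followed by bytes that stand in for neighbouring process memory, and the reply is built once trusting the Size field and once with the length check that the 1.0.1g fix added. The record layout (type byte, 2-byte Size, Payload, 16 bytes of padding) follows the Heartbeat specification; the memory contents and the function names are constructed for this example.

```c
#include <stdint.h>
#include <string.h>

#define HB_PADDING 16      /* minimum padding a heartbeat record carries */
#define REPLY_MAX  256

/* Constructed memory image: an honest 2-byte heartbeat request, its
 * padding, then bytes standing in for neighbouring process memory. */
static const uint8_t mem[64] = {
    0x01, 0x00, 0x02, 'h', 'i',                      /* type, Size = 2, Payload */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  /* 16 bytes of padding */
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'K', 'E', 'Y'  /* must never be echoed */
};
#define REC_LEN (1 + 2 + 2 + HB_PADDING)             /* bytes actually received */

/* Build a heartbeat reply. check == 0 trusts the sender's Size field as
 * vulnerable OpenSSL did; check == 1 applies the 1.0.1g-style fix.
 * Returns the reply length, or -1 if the record is rejected. */
int hb_reply(const uint8_t *rec, size_t rec_len, int check, uint8_t *out)
{
    if (rec_len < 3) return -1;
    size_t plen = ((size_t)rec[1] << 8) | rec[2];    /* Size from the wire */
    /* The missing bound check: header, claimed Payload and padding must
     * all fit inside the record that was actually received. */
    if (check && 1 + 2 + plen + HB_PADDING > rec_len)
        return -1;
    if (3 + plen > REPLY_MAX) return -1;             /* keep our own buffer safe */
    out[0] = 0x02;                                   /* heartbeat_response */
    out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, plen);                  /* reads past Payload when Size lies */
    return (int)(3 + plen);
}

/* Honest request: Size matches the 2-byte Payload. */
int honest_reply_len(int check)
{
    uint8_t out[REPLY_MAX];
    return hb_reply(mem, REC_LEN, check, out);       /* 5 with or without the check */
}

/* Same record with Size rewritten to 40: does the reply carry the secret? */
int leaks_secret(int check)
{
    uint8_t rec[sizeof mem], out[REPLY_MAX];
    memcpy(rec, mem, sizeof mem);
    rec[1] = 0x00; rec[2] = 40;                      /* Payload is really 2 bytes */
    int n = hb_reply(rec, REC_LEN, check, out);
    return n >= 27 && memcmp(out + 21, "SECRET", 6) == 0;
}
```

Without the check the reply is 43 bytes and echoes the bytes after the padding; with it the mismatched record is rejected and nothing is sent.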
Malicious Heartbeat Request
Aftermath...
• Platform independence of OpenSSL makes practically every machine on the internet vulnerable to this flaw.
• Not a bug or a virus, but an inherent flaw. Thus security breaches don’t get logged or detected, ever.
• This bleeding of confidential data can happen to both sides – the servers as well as the clients.
Aftermath...
• Only 64 kB of data can be sent back in one Heartbeat reply, but there is no limit on how many times these 64 kB chunks can be retrieved.
• Not only devices but even services can be exploited.
What's worse...?
• Security certifications could be stolen, allowing malicious impersonation of secure services.
• Changing your username or password credential doesn’t help if the service is still not patched up against the vulnerability.
• Since the breach never gets detected, one can never know if they have been attacked or not.
What's worse...?
• Those who kept their software updated got affected, which breaks the myth behind the general practice of “keeping it updated”.
• With a compromised security certification key, one can easily decrypt previous information transfers, without ever getting detected.
• More than 67 percent of servers on Earth use OpenSSL, including Google, Facebook, Yahoo, etc.
TACKLING HEARTBLEED
Getting over a Heartbleed…
Tackling Heartbleed
Three primary approaches to remove this flaw:
• Implementing the updated version 1.0.1g of OpenSSL which has patched this flaw.
• Removing the Heartbeat functionality altogether by recompiling the source code without the Heartbeat protocol.
• Implementing the patch by oneself by correcting and re-compiling the source code.
Tackling Heartbleed
• Stolen security keys need to be revoked and re-allocated.
What can an end-user do?
• Do nothing. Refrain from logging into services until they are patched.
LESSONS LEARNT
What the most horrifying breach in Internet history teaches us …
Lessons Learnt
• Open Source makes flaw discovery and correction a faster process.
• Inclusion of new features needs more scrutiny.
• Open Source projects need to be funded well.
• Adoption of a new piece of code should be accompanied by negative testing of it.
Lessons Learnt
• You are never completely safe, even if you follow the best practices.
• There are no “best practices”.