Languages
Pages
Legal
Security vulnerabilities
Heartbleed & Buffer overflow
By Nazar Mota
© 2014 GlobalLogic Inc.
© 2014 GlobalLogic Inc.
AgendaØ Heartbleed
Ø Buffer overflow
Ø Q&A
© 2014 GlobalLogic Inc.
© 2014 GlobalLogic Inc.
Heartbleed
© 2014 GlobalLogic Inc.
Heartbleed● Is called one of the biggest security threats the Internet has ever seen. ● Described as catastrophic by experts: 'On the scale of 1 to 10, this is an 11'.● Since 1.03.2012(!) - 7.04.2014● Reveal up to 64k of memory to a connected client or server● Allows stealing the information protected, under normal conditions
© 2014 GlobalLogic Inc.
Impacts
● 1/3 of Internet (According to the Internet security company Netcraft, around 500,000 sites)● Dropbox, Google, Yahoo, Facebook, Istagram, Flickr, Youtube, Github● Online banking, VPN● IP phones, Routers, Medical devices, Smart TV sets, embedded devices and millions of other devices
© 2014 GlobalLogic Inc.
© 2014 GlobalLogic Inc.
© 2014 GlobalLogic Inc.
© 2014 GlobalLogic Inc.
© 2014 GlobalLogic Inc.
© 2014 GlobalLogic Inc.
© 2014 GlobalLogic Inc.
© 2014 GlobalLogic Inc.
© 2014 GlobalLogic Inc.
© 2014 GlobalLogic Inc.
© 2014 GlobalLogic Inc.
© 2014 GlobalLogic Inc.
© 2014 GlobalLogic Inc.
© 2014 GlobalLogic Inc.
© 2014 GlobalLogic Inc.
© 2014 GlobalLogic Inc.
© 2014 GlobalLogic Inc.
Ø Heartbleed
Ø Buffer overflow
Ø Q&A
© 2014 GlobalLogic Inc.
© 2014 GlobalLogic Inc.
© 2014 GlobalLogic Inc.
© 2014 GlobalLogic Inc.
© 2014 GlobalLogic Inc.
C – Avoid (no bounds checks): strcpy(), strcat(), sprintf(), scanf()Use safer versions (with bounds checking): strncpy(), strncat(), fgets()Must pass the right buffer size to functions!C++: STL string class handles allocationUnlike compiled languages (C/C++), interpreted ones (Java/C#) enforce type safety, raise exceptions for buffer overflow
Safe String Libraries
Thank You
Q & A
Top Related