An Analysis of Heartbleed

Author:Jeff Propes
Date:June 20, 2014

Follow along with me at http://self2014.grimoi.re/heartbleed/

Overview

What is Heartbleed?

In-depth Exploration

Impact & Implications

Mitigation Strategies

Definitions

SSL - A protocol that provides a secure communications channel for data transfer

HTTP - The protocol used to deliver most web content to end users

HTTPS - Wrap SSL around HTTP so that web content is delivered securely

OpenSSL - An open source library that implements the SSL protocol and provides other cryptographic services

Want to know more?

Come to Saturday's presentations for more information about HTTPS and OpenSSL

What is Heartbleed?

A vulnerability in OpenSSL's implementation of the heartbeat function

Heartbeat is used to keep an SSL channel from timing out and closing

Creating an SSL channel is computationally expensive

Client requests a heartbeat from the server and includes an arbitrary string

Server responds with that same string, proving the connection is still active

What is Heartbleed? (cont.)

On the server, heartbeats are handled by the tls1_heartbeat_process function

This function receives a data structure with two important items:

It then copies the string into a new data structure to be sent back to the client

What is Heartbleed? (cont.)

The function did not verify that the length matched the string supplied by the client

If the length is longer than the string, then the tls1_heartbeat_process function copied more data than it was supposed to

This is called a missing bounds check

Common error in C programming when dealing with pointers

Heartbleed Illustrated

images/xkcd1.png

Copyright Randall Munroe, http://xkcd.com/1354/

Used with permission under license CC BY-NC 2.5 http://creativecommons.org/licenses/by-nc/2.5/

Heartbleed Illustrated

images/xkcd2.png

Copyright Randall Munroe, http://xkcd.com/1354/

Used with permission under license CC BY-NC 2.5 http://creativecommons.org/licenses/by-nc/2.5/

Heartbleed Illustrated

images/xkcd3.png

Copyright Randall Munroe, http://xkcd.com/1354/

Used with permission under license CC BY-NC 2.5 http://creativecommons.org/licenses/by-nc/2.5/

Time For Some Code!

The heartbeat function first appears in OpenSSL v1.0.1 in the ssl/t1_lib.c file

images/t1_lib_1.0.1_part1.png

The function reads the string length (payload) out of the data structure

Time For Some Code!

It creates a new space big enough to hold the string as reported by the client ...

images/t1_lib_1.0.1_part2.png

Then it blindly copies memory into this new space

This is what we call in the industry ...

BIG OOPS

A very technical term

So that's bad, huh?

Whatever data is in RAM immediately after the string gets returned to the client

Anything could be stored in that RAM, from random junk and gibberish, to:

Just to name a few things

It Could Be Worse ...

The memory address of the data structure is not fixed

For each heartbeat request, it can show up in a different place in RAM

Thus, by repeatedly sending malformed heartbeat requests, an attacker can "sample" lots of bytes of RAM

Example: http://heartbleed.insign.ch/wordpress/

It's Worse!

The SSL mechanisms happen at a layer below HTTP traffic

There is usually no logging done at this layer

Thus, an attacker can silently pillage the contents of your server's RAM without leaving a trace

THIS IS VERY NOT GOOD!

Impact

The vulnerability was reported on April 8, 2014, but it had been in published code since 2011

Data could have been stolen for years from vulnerable servers

Private keys for SSL certificates could have been stolen, allowing attackers to decrypt HTTPS transactions

Or worse yet, create duplicate SSL certificates and masquerade as legitimate servers to harvest data

Impact

Was anyone hacked before the vulnerability was fixed?

Mitigation

So we know this is Really Bad. What happened afterwards?

Distributions immediately posted an updated package for OpenSSL that disabled the heartbeat functionality

After patching their systems, organizations began revoking and reissuing SSL certificates with new private keys

OpenSSL patched the vulnerability in v1.0.1g

Distributions back-ported the patch into whatever version they were providing to their end users

Sysadmins plumbed the depths of their beer steins even more than before

The Patch

OpenSSL added two bounds checks to the heartbeat code:

images/t1_lib_1.0.1g.png

An invalid heartbeat request is now silently thrown away

How To Fix Your Servers

Patch your systems to the latest version of OpenSSL provided by your distribution

After patching, STOP AND START YOUR WEB SERVER

Look for any other software using OpenSSL with the following command: lsof |grep libssl

A Parting Thought

There's one thing we didn't cover:

Q: Why did they call it the Heartbleed bug?

A: Because the heartbeat function bleeds the contents of RAM

And because it sounded sexy and grabbed attention

Fin

Thanks for coming!

This presentation can be found permanently at http://self2014.grimoi.re/heartbleed/

More information on SSL and HTTPS can be had tomorrow: