Bleeding Hearts

Causes and consequences of the OpenSSL Heartbleed bug

Varga-Perke Bálint, Silent Signal Kft.

The causes

OpenSSL

  • About 2/3 of HTTPS traffic on the Internet
  • "Wanted to learn handling large numbers in C"
  • ~450.000 LoC
  • ~1M USD/Y
  • "It just works"

"TLS is based on reliable protocols, but there is not necessarily a feature available to keep the connection alive without continuous data transfer.

The Heartbeat Extension as described in this document overcomes these limitations. The user can use the new HeartbeatRequest message, which has to be answered by the peer with a HeartbeartResponse immediately. To perform PMTU discovery, HeartbeatRequest messages containing padding can be used as probe packets, as described in [RFC4821]."


unsigned char *p = &s->s3->rrec.data[0], *pl;
//...
hbtype = *p++;           // message type
n2s(p, payload);         // read the payload length claimed by the peer
pl = p;                  // start of the payload
//...
buffer = OPENSSL_malloc(1 + 2 + payload + padding);
bp = buffer;
//...
*bp++ = TLS1_HB_RESPONSE;
s2n(payload, bp);        // write payload length
memcpy(bp, pl, payload); // memcpy(void *dst, const void *src, size_t num): payload is never compared with the record length
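
The same response path with the two length checks that RFC 6520's "discard silently" rule calls for, as an added example (not OpenSSL's code and not from the original slides). The names hb_respond, honest, overclaim, out_buf and the demo_* helpers are hypothetical, the sample records are constructed, and the padding is zeroed here instead of random.

```c
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1   /* TLS1_HB_REQUEST */
#define HB_RESPONSE 2   /* TLS1_HB_RESPONSE */
#define HB_MIN_PAD  16  /* minimum padding length in RFC 6520 */

/* Build a HeartbeatResponse for the received record rec[0..rec_len).
 * Returns the response length, or 0 when the message is silently discarded. */
size_t hb_respond(const unsigned char *rec, size_t rec_len,
                  unsigned char *out, size_t out_cap)
{
    /* Check 1: type (1) + length (2) + minimum padding must be present. */
    if (rec_len < 1 + 2 + HB_MIN_PAD)
        return 0;
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    size_t payload = ((size_t)p[0] << 8) | p[1];    /* n2s(p, payload) */
    const unsigned char *pl = p + 2;
    /* Check 2, absent from the code on the slide: the claimed payload
     * length must fit inside the bytes that were actually received. */
    if (1 + 2 + payload + HB_MIN_PAD > rec_len)
        return 0;
    size_t resp_len = 1 + 2 + payload + HB_MIN_PAD;
    if (hbtype != HB_REQUEST || resp_len > out_cap)
        return 0;
    unsigned char *bp = out;
    *bp++ = HB_RESPONSE;
    *bp++ = (unsigned char)(payload >> 8);          /* s2n(payload, bp) */
    *bp++ = (unsigned char)(payload & 0xff);
    memcpy(bp, pl, payload);                        /* bounded by rec_len now */
    memset(bp + payload, 0, HB_MIN_PAD);            /* real code: random padding */
    return resp_len;
}

/* Constructed sample records: type, 2-byte length, payload, 16 bytes padding. */
static const unsigned char honest[23]    = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const unsigned char overclaim[19] = {HB_REQUEST, 0x40, 0x00}; /* claims 16384 bytes */
static unsigned char out_buf[64];

size_t demo_honest(void)    { return hb_respond(honest, sizeof honest, out_buf, sizeof out_buf); }
size_t demo_overclaim(void) { return hb_respond(overclaim, sizeof overclaim, out_buf, sizeof out_buf); }

int main(void)
{
    printf("honest: %zu bytes, overclaim: %zu bytes\n", demo_honest(), demo_overclaim());
    return 0;
}
```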
                        
"But around that time OpenSSL adds a wrapper around malloc & free so that the library will cache memory on its own, and not free it to the protective malloc."

The consequences

And the private keys?

https://github.com/robertdavidgraham/heartleech

  • The private key can also be computed from stored parameters other than the (p,q,d) triple
    • see the Chinese remainder theorem
  • The sensitive parts of the certificate are moved around in memory several times

TODO

The minute we identified the severity of the threat, we declared what we call a “Security Prio1” status[...]
With all hands on deck, we were able to work with rapid efficiency, and we patched all our servers just within a few hours.

[...]

  • Applied the security patch to every one of our known vulnerable servers–more than 100 of them
  • Identified corner-cases, such as services that didn’t restart automatically
  • Detected and assessed third-party service providers (e.g. Amazon ELBs)
  • Changed our SSL certificates, and requested the revocation of the old ones
  • Wrote monitoring to detect which services were unpatched or were using compromised certificates
  • Performed a forced log-out of every user to renew their session cookies. (Since we use signed session cookies, we also needed to invalidate the old ones)
  • Assessed the impact on the users

Heartbleed Defeated by Prezi

2FA?

Private key replacement

From the CAs' point of view...

Intranet systems?

Server side

  • Web servers
  • Mail
  • SSL VPN
  • <Your (D)TLS-based service>

Clients!

  • Web browsers
  • Applications acting as clients
    • Centralized authentication (e.g. OpenID)
    • Users of public APIs
    • Crawlers, spiders
    • Etc...

Critical Internet infrastructures

  • Identification
  • Support
  • Audit

The Internet Bug Bounty | CloudFlare Challenge | Is TrueCrypt Audited Yet?

LibreSSL

OpenSSL Valhalla Rampage


--- src/lib/libssl/src/crypto/bn/bn_lib.c   2014/04/17 14:37:48 1.18
+++ src/lib/libssl/src/crypto/bn/bn_lib.c   2014/04/23 20:14:59 1.19
@@ -345,10 +345,6 @@ static BN_ULONG *bn_expand_internal(const BIGNUM *b, i
    case 3: A[2]=B[2];
    case 2: A[1]=B[1];
    case 1: A[0]=B[0];
-   case 0: /* workaround for ultrix cc: without 'case 0', the optimizer does
-            * the switch table by doing a=top&3; a--; goto jump_table[a];
-            * which fails for top== 0 */
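Review bot: the hunk header (-345,10 +345,6) says the hunk shrinks from 10 lines to 6, but only three removed lines are visible after `case 1: A[0]=B[0];`, so the rest of the removed region should be checked to confirm it contains nothing the zero-remainder path relied on. Dropping the empty `case 0:` label is equivalent in standard C, since a value that matches no case simply skips the switch body, but the deleted comment was the only record of why the label existed, so the commit message should state that the Ultrix cc workaround is being retired on purpose. The `case 3` / `case 2` / `case 1` lines fall through with no marker; a `/* FALLTHROUGH */` comment on each would keep that intent readable now that the explanatory comment is gone.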
                        

Thank you for your attention!

vpbalint@silentsignal.hu

http://silentsignal.hu | http://buhera.blog.hu

@buherablog