The Heartbleed Bug and Attack Background: the Heartbeat Protocol - PowerPoint PPT Presentation

Oct 05, 2022 •108 likes •196 views

The Heartbleed Bug and Attack Background: the Heartbeat Protocol TLS/SSL protocols provide a secure channel between two communicating applications TLS/SSL is widely used Heartbeat extension: implement keep-alive feature of TLS.

The Heartbleed Bug and Attack
Background: the Heartbeat Protocol • TLS/SSL protocols provide a secure channel between two communicating applications • TLS/SSL is widely used • Heartbeat extension: implement keep-alive feature of TLS. • Heartbleed bug is an implementation flaw in TLS/SSL heartbeat extension.
How Response Packet is Constructed Problem: how much is copied depends on the value contained in the payload length field. What if this value is larger than the actual payload size?
Launch the Attack Attack results: Some data from the server’s memory also got copied into the response packet, which will be sent out
Launch the Heartbleed Attack • 0x0016 (22) is placed in the length field. Which exactly matches with the actual length of the payload. • We play with this length field to perform our attack in the next slide
Launch the Heartbleed Attack We got some secret from the server
Fixing the Heartbleed Bug • Simply update your system’s OpenSSL library. The following two commands can be used for it: • The following code shows how the OpenSSL library is fixed
Summary • Heartbeat protocol • The flaw in the heartbeat protocol • Heartbleed bug • How to launch the attack

Download Presentation

Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Heartbleed Presented by Duc Tran Agenda Background TLS OpenSSL TLS

Heartbleed Presented by Duc Tran Agenda Background TLS OpenSSL TLS Heartbeat Extension The Hearbleed Bug Whos Vulnerable Demo Why its bad Protections Background What is Transport

562 views • 17 slides

Cyber(space) Incidents 1 IS TV4 attack TV5Monde went black (2015)

Cyber(space) Incidents 1 IS TV4 attack TV5Monde went black (2015) Heartbleed: Wikileaks Revelations worst vulnerability ever secret hacking tools: IoT (2014; in open SSL) (democratic control?, 2017)

715 views • 42 slides

The HeartBeat model A platform abstraction enabling fast prototyping of real-time applications on

The HeartBeat model A platform abstraction enabling fast prototyping of real-time applications on NoC-based MPSoC on FPGA Francesco Robino, Johnny Oberg KTH Royal Institute of Technology ReCoSoC 2013 F. Robino (KTH) The HeartBeat model

391 views • 16 slides

ISE331: Snowden Attack 1 Ou Outline of f Topics Covered Snowdens background and how he

ISE331: Snowden Attack 1 Ou Outline of f Topics Covered Snowdens background and how he got to the position of being able to leak confidential information from the CIA How Snowden planned and performed the attack The method used

264 views • 24 slides

2/15/2016 HEARING YOUR HEARTBEAT God has given each of us a special SHAPE Spiritual gifts (what

2/15/2016 HEARING YOUR HEARTBEAT God has given each of us a special SHAPE Spiritual gifts (what I am gifted to do) Heart (what I love to do) Abilities (what I am good at) Personality (how I express myself) Experience (what I have been

513 views • 6 slides

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

556 views • 18 slides

THE MAGNETIC HEARTBEAT OF THE SUN Diagnosing Pulses in the Solar MgII Index Using Wavelet

THE MAGNETIC HEARTBEAT OF THE SUN Diagnosing Pulses in the Solar MgII Index Using Wavelet Analysis Lindsay Rand Carleton College Northfield, MN Odele Coddington and Martin Snow Laboratory of Atmospheric Space Physics Boulder, CO Solar

503 views • 25 slides

Xinyu Wang 19-03-28 NSEC Lab OUTLINE Background About Membership Inference Attack

Xinyu Wang 19-03-28 NSEC Lab OUTLINE Background About Membership Inference Attack Commentary on Previous Work Proposed Attacks Proposed Defenses Conclusion BACKGROUND Training data can be sensitive: Financial data

883 views • 21 slides

OpenSSL after HeartBleed Tim Hudson Cryptsoft, OpenSSL Team Rich Salz Akamai Technologies,

OpenSSL after HeartBleed Tim Hudson Cryptsoft, OpenSSL Team Rich Salz Akamai Technologies, OpenSSL Team The most important date April 3, 2014 LinuxCon/Europe 2016 2 The most important date April 3, 2014 HeartBleed Re-key the

755 views • 34 slides

Attack Class: Address Spoofing L. Todd Heberlein 23 Oct 1996 Net Squared Inc. todd@NetSQ.com

Attack Class: Address Spoofing L. Todd Heberlein 23 Oct 1996 Net Squared Inc. todd@NetSQ.com Overview of Talk l Introduction l Background material l Attack class l Example attack l Popular questions l Extensions UCD Vulnerabilities Group l

759 views • 24 slides

A Collusion Attack on Pairwise Key Presdistribution Schemes for Distributed Sensor Networks

Introduction & background Key-swapping collusion attack Analysis Discussion & Conclusions A Collusion Attack on Pairwise Key Presdistribution Schemes for Distributed Sensor Networks Tyler W Moore University of Cambridge Computer

773 views • 19 slides

H Healing Heartbleed li H bl d Vulnerability Mitigation with Internet wide Scanning

H Healing Heartbleed li H bl d Vulnerability Mitigation with Internet wide Scanning Vulnerability Mitigation with Internet wide Scanning J. Alex Halderman Mining Your Ps and Qs: Widespread Weak Keys in Network Devices Nadia Heninger, Zakir

640 views • 53 slides

Towards a sustainable solution to open source sustainability Tobie Langel, Principal, UnlockOpen

Towards a sustainable solution to open source sustainability Tobie Langel, Principal, UnlockOpen The Heartbleed Bug Heartbleed bug impact ! 4.5 MILLION The number of US patient records whose confidentiality was compromised. " $500

887 views • 39 slides

The Matter of Heartbleed IMC 2014 Zakir Durumeric, Frank Li, James Kasten, Johanna Amann, Jethro

The Matter of Heartbleed IMC 2014 Zakir Durumeric, Frank Li, James Kasten, Johanna Amann, Jethro Beekman, Mathias Payer, Nicholas Weaver, David Adrian, Vern Paxson, Michael Bailey, J. Alex Halderman U.C. Berkeley CS294-105 Fall 2014 1

705 views • 17 slides

Tiger Attack z Crisis By: JennaGrace Morrison z Topeka Zoo Background Nonprofit in Topeka,

Topeka Zoo Tiger Attack z Crisis By: JennaGrace Morrison z Topeka Zoo Background Nonprofit in Topeka, Kansas Works with other zoos by providing research regarding conservation efforts z Crisis April 20, 2019: zookeeper was

223 views • 9 slides

Testing TLS Hubert Kario Quality Engineer 24-10-2015 2014 Heartbleed 24-10-2015 3/55

Testing TLS Hubert Kario Quality Engineer 24-10-2015 2014 Heartbleed 24-10-2015 3/55 OpenSSL CCS bug 24-10-2015 4/55 gotofail 24-10-2015 5/55 Certifjcate handling 24-10-2015 6/55 CVE-2014-6321 in schannel a.k.a. Winshock

774 views • 55 slides

Extracting Logical Hierarchical Structure of HTML Documents Based on Headings Tomohiro Manabe and

Extracting Logical Hierarchical Structure of HTML Documents Based on Headings Tomohiro Manabe and Keishi Tajima Graduate School of Informatics, Kyoto Univ. Sakyo, Kyoto 606-8501 Japan {manabe@dl.kuis, tajima@i}.kyoto-u.ac.jp Background

1.2k views • 64 slides

$#ifndef POINT_H_ #define POINT_H_ typedef struct { float x; float y; } Point; Point$

#ifndef POINT_H_ #define POINT_H_ typedef struct { float x; float y; } Point; Point

#ifndef POINT_H_ #define POINT_H_ typedef struct { float x; float y; } Point; Point makePoint(float x, float y); Point midPoint(Point p1, Point p2); #endif

739 views • 8 slides

INFN Experience with Layer-2 Services across GANT and the DataTAG Testbed March 15, 2004

INFN Experience with Layer-2 Services across GANT and the DataTAG Testbed March 15, 2004 Tiziana Ferrari INFN - CNAF DataTAG is a project funded by the European Com m ission GNEW2004 15-16/ 03/ 2004 under contract I ST- 2001- 32459

563 views • 16 slides

GENI Exploring Networks of the Future Now going live across the US! GENI Project Office APAN

8/25/2011 GENI Exploring Networks of the Future Now going live across the US! GENI Project Office APAN 32, August 2011 www.geni.net Sponsored by the National Science Foundation Outline GENI Exploring future internets at scale

583 views • 26 slides

Day 2 Lab2: Implement Topics and Partitions 1. Patient monitoring Introduction In the design

Day 2 Lab2: Implement Topics and Partitions 1. Patient monitoring Introduction In the design exercise we asked you to define topics and partitions for a remote patient monitoring system. Every one of you may have created different topics and

398 views • 10 slides

Migrating from Nagios to Prometheus Runtastic Infrastructure Base Virtualization Core DBs

NOV 07, 2019 Migrating from Nagios to Prometheus Runtastic Infrastructure Base Virtualization Core DBs Technologies Linux (Ubuntu) Linux KVM Physical Really a lot open source OpenNebula Hybrid SDN (Cisco) 3600 CPU Cores Big Chef

620 views • 37 slides

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester Rebeiro Indian Institute of Technology Madras Buffer Overreads 2 Buffer Overread Example 3 Buffer Overread Example len read from command line

906 views • 76 slides

EnviroTrack: Middleware system designed for object tracking . An Innovative and Simple

1.Overview 1)What is EnviroTrack: EnviroTrack: Middleware system designed for object tracking . An Innovative and Simple Mideleware 2)Features: System for Object-Tracking Export a novel logical address space in which external

228 views • 5 slides