Heartache and Heartbleed - 31c3
-
Upload
nick-sullivan -
Category
Technology
-
view
992 -
download
1
Transcript of Heartache and Heartbleed - 31c3
![Page 1: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/1.jpg)
Heartache and HeartbleedAn inside look at the aftermath of Heartbleed
31c3
Nick Sullivan @grittygrease
![Page 2: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/2.jpg)
CloudFlare Reverse Proxy
2
![Page 3: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/3.jpg)
CloudFlare’s Global Network
3
![Page 4: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/4.jpg)
Application Layer• DNS (TCP & UDP port 53)
• HTTP (TCP port 80)
• HTTPS (TCP port 443) - powered by OpenSSL
• Every machine can serve every site
4
![Page 5: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/5.jpg)
Customers
5
![Page 6: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/6.jpg)
Customers
6
![Page 7: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/7.jpg)
It started with a tweet?
7
- Russell Brandom (The Verge)
![Page 8: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/8.jpg)
More like• Do you use TLS heartbeats?
• What is a TLS heartbeat again?
• They’re stupid, you probably don’t need them. Consider turning them off.
• Ok, I’ll compile OpenSSL with -DOPENSSL_NO_HEARTBEATS
8
![Page 9: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/9.jpg)
Then it happened• April 7, 10:27 PDT — OpenSSL publishes advisory
• OpenSSL notification hit #1 on Hacker News
• CloudFlare releases standard “Customer sites are patched” blog post
9
![Page 10: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/10.jpg)
Then it REALLY happened
10
![Page 11: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/11.jpg)
11
HEARTBLEED
![Page 12: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/12.jpg)
Mass-media• Codenomicon launches heartbleed.com with logo
• Heartbleed hits the mainstream press
• #heartbleedvirus trending on Twitter
• My mom calls me
12
![Page 13: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/13.jpg)
Things to do
13
![Page 14: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/14.jpg)
Heartbleed Scanner
14
• Filippo Valsorda’s tool in Go
• Sends a benign heartbeat (~100 bytes)
• Hosted on AWS
![Page 15: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/15.jpg)
15
April 8th (requests/minute)
![Page 16: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/16.jpg)
16
April 8th to April 21
![Page 17: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/17.jpg)
17
203,190,914 testsTotal:
in the first 14 days
![Page 18: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/18.jpg)
% of hosts vulnerable
![Page 19: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/19.jpg)
Meanwhile, at CloudFlare…• Log every heartbeat with a
mismatched length
• Don’t look at data until 31c3
19
![Page 20: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/20.jpg)
Logs from April 9th
20
Malformed Heartbeats Message Size
69% 16384
20% 121
2% 0
8% All other
ssltest.py?
filippo.io
![Page 21: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/21.jpg)
Logs from April 14-16
21
Malformed Heartbeats Message Size
66% 16384
22% 69-131
5% 0
7% All other
ssltest.py?
filippo.ioIP range
1% of all scans
![Page 22: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/22.jpg)
Logs from April 14-16
22
ssltest.py
filippo.ioIP range
![Page 23: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/23.jpg)
Why is Heartbleed so dangerous?
23
• One request gets attacker server data
• Typically not logged — doesn’t leave a trace
• 1.5 million CloudFlare sites share memory
• Login session cookies
• SSL/TLS private keys(???)
![Page 24: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/24.jpg)
24
![Page 25: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/25.jpg)
What does the code say?
25
• Key allocated when process starts
• Copies of keys made at computation time
• OpenSSL bignum library clears allocated memory
• So on a single-threaded server, keys should be safe, right?
![Page 26: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/26.jpg)
The CloudFlare Heartbleed challenge• Let’s crowdsource an answer!
• Standard nginx on digital ocean with vulnerable OpenSSL
• Proof of private key by signing individualized message
26
![Page 27: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/27.jpg)
27
Trolling
![Page 28: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/28.jpg)
Challenge Solved
28
![Page 29: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/29.jpg)
29
![Page 30: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/30.jpg)
Challenge Solved
30
1. Fedor Indutny (@indutny) Developer
2. Ilkka Mattila, Information Security Adviser
3. Rubin Xu (@xurubin), Security PhD Student
4. Ben Murphy (@benmmurphy), Security Researcher
5. Steve Hunter (@nonaxiomatic)
6. Xavier Martin (@xav), Security Researcher
7. no name given
8. Jeremi Gosney (@jmgosney), CEO, Stricture Group
9. Michele Guerini Rocco (@Rnhmjoj), Student
10.David Gervais (@davidgervais), Software Engineer
11.Christian Bürgi (@buergich)
12.Daniel Burkard (@hiptomcat)
![Page 31: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/31.jpg)
• Results: solved in under 10 hours
• Private keys are vulnerable
31
![Page 32: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/32.jpg)
How it was solved• Part of the the private key was on the heap. But why?
• There was a second bug in OpenSSL
32
![Page 33: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/33.jpg)
Second OpenSSL bug
33
• Computation uses temporary variables
• Private key can be derived from them
• Some temporary variables were not wiped
![Page 34: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/34.jpg)
Cleaning up the mess
34
![Page 35: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/35.jpg)
How it was solved - RSA basics• Two prime numbers P & Q
• Public key, including P x Q
• Finding P or Q can get you the private key
35
![Page 36: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/36.jpg)
How it was solved• Take every 128byte block
• Attempt to divide into public RSA key
• Coppersmith’s attack (only requires partial prime factor)
36
![Page 37: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/37.jpg)
37“Revocation”
![Page 38: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/38.jpg)
Revoking 100,000 SSL certificates in 24 hours
38
![Page 39: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/39.jpg)
Revoking 100,000 SSL certificates in 24 hours
39
![Page 40: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/40.jpg)
How revocation works
CRL OCSP
CRLSets40
![Page 41: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/41.jpg)
How revocation works
CRL OCSP
CRLSets41
![Page 42: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/42.jpg)
Revoking 100,000 SSL certificates in 24 hours• GlobalSign CRL grew from 22KB to 4.7MB
• 30Gbps + 100Gbps waves every three hours
42
![Page 43: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/43.jpg)
How revocation works
CRL OCSP
CRLSets43
![Page 44: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/44.jpg)
OCSP is broken• OCSP hard fail breaks captive portals
• Soft fail can be circumvented via network manipulation
• Chrome does not check OCSP
44
![Page 45: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/45.jpg)
How revocation works
CRL OCSP
CRLSets45
![Page 46: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/46.jpg)
CRLSets are broken• Single vendor control
• Only EV certs
• Updates when browser is updated
• None of 100,000+ certs were in CRLSets
• cloudflarechallenge.com was added manually
46
![Page 47: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/47.jpg)
Most efficient revocation code everChromium Issue 267913003
47
![Page 48: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/48.jpg)
How revocation works
CRL OCSP
CRLSets48
![Page 49: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/49.jpg)
Revocation solutions• Shorter certificate expiration periods?
• OCSP Must-staple?
• Certificate Transparency?
49
![Page 50: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/50.jpg)
Things we did
50
![Page 51: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/51.jpg)
Conclusions• Disclosure in open source are hard
• Many “attacks” were scans
• Crowdsourcing was effective
• Revocation needs a solution
51
![Page 52: Heartache and Heartbleed - 31c3](https://reader033.fdocuments.in/reader033/viewer/2022042706/58a9977d1a28abc2518b51f7/html5/thumbnails/52.jpg)
Heartache and HeartbleedAn inside look at the aftermath of Heartbleed