Heartbleed, Running the Code - Computerphile

  • added 17. 04. 2014
  • We look at and run the code that exploits the Heartbleed bug. Dr. Steven Bagley takes us through the code and shows us how it works.
    Relevant RFC Document: bit.ly/heartbleed-rfc
    This video was filmed and edited by Sean Riley.
    Computer Science at the University of Nottingham: bit.ly/nottscomputer
    Computerphile is a sister project to Brady Haran's Numberphile. See the full list of Brady's video projects at: bit.ly/bradychannels

Comments • 387

  • @LittleVolii 4 years ago +106

    "lets move into the office"
    gotta show this b-roll of ducks first

  • @jochemvanl 10 years ago +42

    Great video. XKCD has a nice comic briefly explaining what the bug is (great for your non-tech friends), but this video goes just a little further in explaining how it works.

  • @cypher9000 3 years ago +44

    From a programmer's perspective it's astounding that the memcpy part of code was peer reviewed and passed all the checks without anyone thinking "But what if someone sends the length that is greater than the actual payload?". Also whoever wrote that file needs to read up about variable naming. bp, lp, p, etc. Jeez.
    Great video though, thanks for uploading!

    • @patrickconrad396 1 year ago +3

      I'm not like a pro yet, but from my experience some complex or more secure apps do have variables named like this. Idk, I'd guess it's security over readability maybe? And I'll say it's always easier to understand a vulnerability after it happens rather than before. Seems so simple to us, but who knows what they were thinking. Or maybe the complexity with the variables actually caused the issue lol

    • @mutzikatzi1 1 year ago +9

      @@patrickconrad396 Security by obscurity isn't really security.
      It's probably because for people who write this kind of code, it's kinda obvious.
      p = pointer, bp = buffer pointer, pl = payload length
      But I also don't like those short namings.

    • @joseguillermo1790 1 year ago +1

      @@mutzikatzi1 Totally agree

    • @raglandasir6885 1 year ago +1

      Yes. We are never supposed to trust the client

  • @thesecondislander 10 years ago +209

    I'm not a programmer, but I can see how coding something which essentially completely trusts the data sent by the client to fit a format without validating it is a bad idea...

    • @ZweiSpeedruns 10 years ago +5

      I found that to be the case in most of the web. Because of this, this is why myspace worms break out. With all websites trusting each other, you can do SQL Injection and XSS.

    • @atheistpariah 10 years ago

      You are, indeed, correct. It is always best practice to check if an email field fits the pattern *@*.* or that a password field is at least 6 characters in length or, if you're accessing a database, that your table variable has greater than 0 rows. Not only does it prevent unforeseen error messages, it prevents an exploit such as this.

    • @googlepask7551 10 years ago +22

      I as a programmer am deeply baffled how one could make this kind of error - the level of absolute incompetence is just staggering (programmer/s + QA). It is not even hidden under layers of other code! No validation of external data in security critical code!?
      Amazing.

    • @Celrador 10 years ago +25

      You are completely right, but as a programmer I want at least to explain how bugs like this can occur:
      If you are writing several thousand lines of code, it is rather likely to forget the checking processes for the data at one point or the other. And it's even more likely for something like this to happen if you are coding protocols. (As network protocols usually need to be as performance-efficient as can be and therefore you try to accomplish your goal in general with as few lines of code as possible.)

    • @compscijedi 10 years ago +24

      This is literally the first lesson we learned in computer science classes beyond the basic "Intro to Programming" course; namely, don't trust the end-user. Assume they are either 1) a complete idiot who won't use the software correctly or 2) a malicious user who will exploit your program if possible. NEVER EVER trust data sent from a user without performing sanity checks and validating it

  • @Doc_Fartens 10 years ago +23

    Fantastic work as always. Nice clear explanation of a fairly important subject.

  • @goeiecool9999 10 years ago +19

    Make a video about multi-core CPUs and the benefit of 64-bit architectures. I realized that 8-bit was enough for instruction sets back in the day. So what do we do with the 56 extra bits? Then I realized maybe it's for sending multiple instructions at once per processor core. So yeah, videos about processor architectures.

  • @ScottLahteine 10 years ago +1

    An excellent look at Heartbleed and the nature of security bugs in-general.

  • @Artifactorfiction 10 years ago +6

    Amazing how this wasn't spotted much earlier

    • @ghostandgoblins 10 years ago +7

      CelmorSmith
      I believe it was purposely put in there on the behest of a government agency. It seems like a very obvious mistake. This is first year university level logic mistake. Like a situation where the lecturer makes very elementary flaws in the code and students are given 15 min to correct it. As another poster mentioned, not being someone from a programming background, even he could see the inherent logic flaw. That is, trusting data sent WITHOUT VERIFYING IT. This is utterly unheard of in any programming practice.
      So for this to have escaped professionals designing security... is highly suspect to say the least. I think you have to include more people than we think into the "bad guys" group unfortunately.
      Some of those who run forces are the same who burn crosses ~ RATM

    • @rlamacraft 10 years ago +3

      It has been known about for years; as with lots of bugs, academics and industry experts are aware of many of these, but it is simply too costly or not seen as worth fixing unless there is a known or presumed risk. You must remember that the majority of the population are extremely lazy and uneducated in the ways that computers work - and really that is how security is maintained.

  • @publicsafetydan 10 years ago

    Very good explanation! I have seen lots of people try to explain this, and this is by far the easiest to understand for someone unfamiliar with SSL or C

  • @shtfgear 10 years ago +32

    great explanation of heartbleed.

  • @AndersEvenrud 10 years ago +2

    I would really love to see more code reviews here. This is great stuff!

  • @figloalds 9 years ago +119

    I hope nowadays C programmers have learned to create understandable names to functions and members :|

    • @jwenting 8 years ago +47

      ***** you mean lpfstrHW doesn't tell you anything? ;)

    • @murch2 8 years ago +2

      Ip from string ...hardware?

    • @sk8rkid135 8 years ago +7

      +Felype Rennan Nope.

    • @figloalds 8 years ago +5

      I agree that Java can't contain C code, but C# allows for unsafe native code, yes, usage of native libraries and there is C++/CLI as well.
      And naming conventions, they could name things well in the C standard libraries, like pascal guys used to do, but, they just chose to not.

    • @samstromsw 8 years ago

      +CaptainDuckman Hungarian Notation, the idea is that you include the type of every variable in its name. It makes it more obvious if you are using the wrong type.

  • @Borednesss 10 years ago +14

    I had no idea what this was about until 7 minutes in lol

  • @agbook2007 10 years ago

    Well explained, Computerphile!
    Best video of your channel! Keep them coming!

  • @valkin07 10 years ago

    One of your best videos yet Brady

  • @ThomasGiles 10 years ago +7

    Tom did a great job of explaining this, I feel. But I guess some people are looking for more detailed stuff. Crazy how bugs like this are still getting through...

    • @matbroomfield 10 years ago +1

      Despicable that bugs like this are getting through in the very part of the system designed to be extra secure.

  • @luisgbm 10 years ago

    Fantastic video, thanks Dr. Bagley and Computerphile!

  • @subbuktek 10 years ago

    beautiful. Thanks. we need more videos from this gentleman

  • @FahadAyaz 10 years ago +1

    A good explanation of the "heartbeat bug" and why it's so dangerous. I'm surprised that it lasted in the wild so long!

  • @whiterottenrabbit 10 years ago +22

    This reminds me thematically of the RSA bug half a year ago... What I still don't understand with the heartbleed bug, though, is why it is necessary to tell the server how long the message is. Can't it determine the length of the message on the basis of the message itself? I mean, C has been used for high-precision scientific computations in applied mathematics for decades, but it can't count how many bytes a message has? ò.Ô

    • @natnew32 5 years ago +3

      Strings don't have a length parameter.

    • @masonhunter2748 3 years ago

      Say the next 6 letters: Badeth haha
      Would be the same as
      Say this: Badeth

    • @karlosdaniel6537 2 years ago

      @@natnew32 Yes, and string isn't even a data type in C, they're just an array of characters.

    • @williamdrum9899 2 years ago +5

      Short answer: No.
      Long answer: The computer has no way of telling where an arbitrary sequence ends, unless it uses some sort of terminator value or a predefined size placed in front of the sequence.

    • @cantinasongband 2 years ago +2

      Clearly there is a way to tell the actual size of the payload, since it was needed to apply the patch. The entire issue was caused because the code didn't check if the actual length of the payload matches the integer value provided by the client.

  • @h3r3t1c 10 years ago +2

    Great explanation of the heartbleed bug!

  • @kevinnio 10 years ago

    The best explanation about Heart Bleed I've found. Thank you very much!

  • @LdaHashZero 8 years ago +4

    Another reason to always memset any temporary buffers in memory containing passwords/keys after you're finished using them. This includes local function variables allocated on the stack before you return.

    • @cjxordi 6 years ago

      How many processor cycles would it take? When you would do that to every variable in your code.
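An added illustration of the scrubbing practice LdaHashZero describes (not code from the video or from OpenSSL): a plain memset() at the end of a function is a dead store the optimiser is allowed to drop, so the zeroing has to go through something the compiler cannot see through. The function names, the 64-byte temporary and the byte-sum "use" of the secret are assumptions constructed for this demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A memset() of a buffer that is never read again is a dead store, and an
 * optimising compiler may delete it, leaving the key in memory after all.
 * Calling memset through a volatile function pointer hides the callee from
 * the optimiser, so the write cannot be removed. explicit_bzero() (BSD, glibc)
 * and memset_s() (C11 Annex K) exist for the same reason where available. */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

void secure_zero(void *p, size_t n)
{
    memset_ptr(p, 0, n);
}

/* Fill a buffer with a recognisable byte, scrub it, and report whether every
 * byte is now zero (constructed check for the demo). */
int scrub_demo(void)
{
    uint8_t buf[32];
    memset(buf, 0x41, sizeof buf);
    secure_zero(buf, sizeof buf);
    uint8_t acc = 0;
    for (size_t i = 0; i < sizeof buf; i++) acc |= buf[i];
    return acc == 0;
}

/* The pattern the comment describes: a secret is copied into a stack
 * temporary, used, and scrubbed before the function returns. The "use" here
 * is a plain byte sum standing in for real key-handling work. */
uint32_t use_secret_then_scrub(const uint8_t *secret, size_t n)
{
    uint8_t tmp[64];
    if (n > sizeof tmp) n = sizeof tmp;
    memcpy(tmp, secret, n);
    uint32_t sum = 0;
    for (size_t i = 0; i < n; i++) sum += tmp[i];
    secure_zero(tmp, sizeof tmp);   /* the stack copy does not outlive the call */
    return sum;
}
```

The cost cjxordi asks about is one pass over the buffer per scrub, which is why the practice is limited to buffers that actually held key material rather than every variable.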

  • @haarmegiddo 10 years ago

    Best computerphile video to this date

  • @coopergore2884 8 years ago +8

    Dr. Bagley's shirts are fly as shit.

  • @PvtHaggard 10 years ago +2

    Great explanation.. Clears it all up for me.. Thanks

  • @sean3533 10 years ago +21

    Where was the opening filmed? It's beautiful

    • @Computerphile 10 years ago +27

      That's the University of Nottingham Jubilee Campus, home to their Computer Science building :) >Sean

    • @sean3533 10 years ago

      ***** Thanks Brady, I'll have to check out that campus!

    • @peeedurr 8 years ago +3

      +Sean Haggard Looks a lot like York's new place. Very similar to Nott's obviously.

  • @SanyaIVLitvyak 10 years ago

    Thanks, very interesting to see an explanation of the code!

  • @LeviG 10 years ago +2

    Nice video. Great explanation.

  • @weemist 10 years ago

    This is disturbingly easy. How could it have gone unnoticed for such a long time?

  • @jirkav 10 years ago

    Thank you for explaining, very interesting stuff and great video!

  • @SamuraiGuevara 10 years ago

    that was really informative and excellently explained!

  • @melkon2103 10 years ago

    Great video always amazing to see the exploits being exploited in action ;)

  • @user-xj9kx8wq1r 4 months ago

    Thank you for that explanation. Helped me a lot.

  • @AntivirusRatings 10 years ago +1

    Absolutely loved your explanation.

  • @OmegaCraftable 10 years ago +30

    Thanks for the info :)

  • @StrikevonNice 10 years ago

    Thanks for explaining this. I looked at some of the code to test for the heart-bleed bug but not knowing the server side code meant I was unsure why this happened.
    Nice clear explanation and maybe we could have a video on networks and network protocols. By networks I mean like tor etc. and not just here is a star network and here is a bus network etc.

  • @frostfang83 10 years ago +1

    Very nice look at how it works

  • @unfa00 3 years ago +2

    Learning how Heartbleed makes the server send in random memory contents made me laugh so hard...

  • @nija323 10 years ago

    great explanation of the heartbleed bug

  • @TheBertjeT 10 years ago +1

    Wow, I get it now! Great explanation!

  • @LakkThereof 10 years ago +82

    not giving a link to malicious code? PARTY POOPER!

    • @fadetounforgiven 10 years ago +29

      Yes, because searching for the filename on the screen may be too hard, huh?

    • @OttoFazzl 6 years ago +4

      Searching for the filename is only for hackers, not regular users LOL

    • @Bring_MeSunshine 4 years ago +2

      The uncompiled code is available on Symantec's Security Focus website. It has been for years. Along with a whole lot more. It's what security research is all about.

    • @snbeast9545 4 years ago +1

      Even without searching the filename, it wouldn't be too hard to make considering they showed you how to make a heartbeat packet.

  • @KilloZapit 10 years ago +1

    I never even heard of this bug before. Funny thing is, I saw the bug before he described it. See, this is why I would be really reluctant to make code that messes around with memory like that in security. It's amazingly easy to mess it up when you don't have type protection. But I guess it's pretty easy to mess up even if you do sometimes.

  • @dasten123 10 years ago

    great explanation, didn't expect it to be that good :)

  • @DFX2KX 10 years ago +2

    Interesting. Nice to see why there was so much noise about this online. Part of me wants to face-palm at this, but it's really quite a simple mistake to make.

  • @14thlordofdecay15 10 years ago

    Brilliant as always.

  • @arindamsarkar4813 10 years ago

    Thank you for not dumbing it down! :D

  • @habdochkeineahnung 8 years ago +2

    I held an architectural speech about this building here in Germany! :) Nice to see it again so randomly.

  • @henrikwannheden7114 10 years ago

    Ooooh! Very nice Ataris in the background! Cool! :D

  • @yakacm 7 years ago +3

    We're not going to give you the link for the exploit, no but you did tell us about it and now all we need to do is search for it and we will find it in 0.45 seconds.

  • @PontusWelin 10 years ago +1

    Very informative! Thanks!

  • @sshort21 10 years ago

    Nice explanation. Well done.

  • @EddieSundvall 10 years ago +2

    Very good reminder of how important it is to be defensive about your programming, especially in unsafe languages like C!

  • @inafusabi 10 years ago

    Comprehensive, this explanation. Thank you

  • @nO_d3N1AL 10 years ago

    Great explanation!

  • @pij3333 10 years ago +2

    Shouldn't you link to the XKCD explanation? It's ingenious.

  • @TomAlderman1978 10 years ago

    Great explanation. Thanks

  • @CaptainMarzz 10 years ago +2

    Very interesting stuff!

  • @jerrylittlemars 10 years ago

    Thanks for this! I was wondering how the bug worked

  • @HackingVision 7 years ago

    Thanks Steven Bagley.

  • @porkypine1888 10 years ago

    was waiting for this!!!

  • @mcvoid1 10 years ago +16

    The bracket style is making me twitch. Let the holy war commence.

  • @EnigmaV8 10 years ago +11

    "Heartbleed" sounds like a great title for an anime series.

  • @indiansoftwareengineer4899

    please provide subtitles.
    best content.

  • @MrNobody_Music 10 years ago

    Another great video, Where can I get a link to the code that computerphile won't give us , for educational purposes of course

  • @DrenImeraj 10 years ago

    How did this pass testing? Giving a different payload size than the real one is something very basic, it's so weird it sounds intentional.
    AWESOME video by the way, thank you!

  • @AV1461 10 years ago +1

    Really good. Thank you.
    I'd love to see the fix - the checks they added 7:15. Or at least what type of things can be done.

    • @CelmorSmith 10 years ago

      Checking if the payload is the length specified by the user would suffice.
      Sth. like "if(payloadLength == payload.Length)" (but I'm not a C programmer) would be enough if the container has that method. But finding out the Length would be easier with that method anyway.
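An added C model of the check CelmorSmith sketches and of the unchecked memcpy the cypher9000 thread discusses; this is constructed for illustration, not code from the video, from the exploit script, or from OpenSSL. The heartbeat record sits in a small simulated memory array next to an unrelated string, so the over-read stays inside that array; the client-supplied length is either trusted (the bug) or bounded by the length of the record that actually arrived (the fix). All function names, the 128-byte layout and the "SESSION-KEY-EXAMPLE" neighbour are assumptions made for the demo.

```c
#include <stdint.h>
#include <string.h>

#define MEM_SIZE   128   /* simulated process memory, constructed for this demo */
#define HB_REQUEST 1     /* heartbeat_request type byte */
#define HB_PADDING 16    /* RFC 6520 minimum padding */

/* Write a heartbeat record at mem[0]: type | 2-byte length | payload | padding.
 * `claimed` is the length field put on the wire; only strlen(payload) bytes are
 * really present. Returns the record length the transport layer would report. */
static size_t build_record(uint8_t *mem, const char *payload, uint16_t claimed)
{
    size_t n = strlen(payload);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed >> 8);          /* network byte order */
    mem[2] = (uint8_t)(claimed & 0xff);
    memcpy(mem + 3, payload, n);
    memset(mem + 3 + n, 0xAA, HB_PADDING);     /* padding content is irrelevant */
    return 3 + n + HB_PADDING;
}

/* Handle one heartbeat record of rec_len bytes. With validate == 0 the
 * client-supplied length is trusted, which is the bug; with validate == 1 the
 * claimed payload must fit inside the record that actually arrived, which is
 * the kind of check the fix added. Returns bytes copied into resp, or -1. */
static int handle_heartbeat(const uint8_t *mem, size_t rec_len,
                            uint8_t *resp, size_t resp_cap, int validate)
{
    const uint8_t *p = mem;
    if (rec_len < 1 + 2 + HB_PADDING) return -1;        /* cannot be a heartbeat */
    uint8_t hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);  /* n2s */
    p += 2;
    if (hbtype != HB_REQUEST) return -1;
    if (validate && (size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return -1;                                       /* silently discard */
    if ((size_t)payload > resp_cap) return -1;           /* protect our own buffer */
    memcpy(resp, p, payload);   /* reads past the record when the length was a lie */
    return (int)payload;
}

/* True if needle occurs anywhere in hay (byte-wise; memmem is not portable). */
static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Place a record claiming 64 bytes but carrying 2 next to an unrelated string,
 * then ask whether that string shows up in the heartbeat response. */
int neighbour_leaks(int validate)
{
    uint8_t mem[MEM_SIZE] = {0}, resp[MEM_SIZE] = {0};
    const char *secret = "SESSION-KEY-EXAMPLE";   /* constructed neighbour data */
    size_t rec_len = build_record(mem, "hi", 64);
    memcpy(mem + rec_len + 4, secret, strlen(secret));
    int n = handle_heartbeat(mem, rec_len, resp, sizeof resp, validate);
    return n > 0 && contains(resp, (size_t)n, secret);
}

/* A well-formed request (claimed length == real length) is still echoed. */
int honest_request_echoed(void)
{
    uint8_t mem[MEM_SIZE] = {0}, resp[MEM_SIZE] = {0};
    size_t rec_len = build_record(mem, "hi", 2);
    int n = handle_heartbeat(mem, rec_len, resp, sizeof resp, 1);
    return n == 2 && memcmp(resp, "hi", 2) == 0;
}
```

neighbour_leaks(0) returns 1 and neighbour_leaks(1) returns 0, which is the whole difference between the vulnerable and the patched handler: the length field is compared against what was actually received before anything is copied.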

  • @KSITREVS 10 years ago

    Brilliant video, I heard this on the news and wanted to find out how it actually worked

    • @AJSchultz 9 years ago

      I like the scene with the Ducks.

  • @danieljohnmorris 10 years ago

    GREAT video

  • @DrussNL 10 years ago

    Tnx, I wanted more detail on this and now I have it.

  • @tehatin 4 years ago

    Super explanation

  • @kbo206 10 years ago

    Great video although I'm still trying to figure out the purpose of the printed code. Just something to give a visual?

  • @first.engineersecond.scien7663

    Not a programmer, but that block of code about the unchecked payload seems easy to understand for a programmer. The exploit was there for a long time?

  • @garethdean6382 10 years ago

    Nothing beats XKCD's explanation.

  • @TheDoucheChill 10 years ago

    That's a cool looking area! Where was this shot?

  • @rg10293 7 months ago

    The font is so lovely! Is it comic sans?

  • @okaythen001 10 years ago

    If this heartbleed had never happened, would you guys change your password every once in a while? Like every half year or so; most of the people I know don't change their password. Is it necessary to change it once in a while?

  • @peeedurr 8 years ago +3

    Made me chuckle - 'and no, we're not going to give you a link to this one ...' BUT we will show you its file name and tell you it's written in Python - just in case you don't know what .py means as a file extension. :-)

    • @raymondlee1024 8 years ago

      Faked filename, but the spelling mistakes help you zero in on it.

  • @MacShapow 10 years ago +1

    Crazy bug! What gets me the most is how chronically underfunded OpenSSL apparently was. At least people are pitching in now. Hopefully other important open source projects won't have to go through that.

  • @DFPercush 10 years ago

    Does this never cause an access violation in the OpenSSL process? I would think eventually it would run out of bounds and crash the server.

  • @Stevo8800 10 years ago

    Great Video!

  • @maqusss 10 years ago

    great video

  • @j.lo.5784 10 years ago

    Isn't it possible to override the sensitive memory after usage by default? Obviously you will never know if someone reads the systems memory later.

  • @slr150 10 years ago

    The problem is that languages like C with pointer arithmetic allow procedures to shoot past array boundaries and read into other parts of the heap.

  • @michaelgeorgoulopoulos8678

    Kudos for the Atari ST sitting in the background!

  • @Aefire1 10 years ago

    Yesterday I said "I wish computerphile would make a heartbleed video." I didn't think it would happen though!

  • @mumiemonstret 3 years ago

    I assume that the payload is there to let the requester validate the integrity of the reply, but what is the purpose of the padding?

  • @Harm10412 10 years ago

    But if you are trying to read beyond your memory, shouldn't the program sigsegfault occasionally?

  • @OldFilmCameras 10 years ago

    what was that editor you were using earlier on your mac?

  • @gollumondrugs 10 years ago

    Good video, but I am very interested in that Atari Falcon behind his monitor!

  • @ericnyamu3599 10 years ago

    OMG. That's a goldmine

  • @ilaribystrouska2820 10 years ago

    Is that an Atari computer I see in the background? I didn't think anyone else still used those at all...

  • @spoonikle 10 years ago

    gezz what took you guys so long.

  • @Friek555 10 years ago

    Why do you need the padding? Aren't that 16 bytes that slow down the protocol and cause cost (processing and network) uselessly every single heartbeat?

  • @Sekei.. 10 years ago +1

    That's one beautiful campus

  • @erikito6092 10 years ago

    My father was telling me that the company he worked for knew about this bug for several years but they only fixed it now when it was discovered by hackers.

  • @Anamnesia 10 years ago

    XKCD 1354: explains it REALLY simply...

  • @joeltoms 10 years ago

    thank you .. this was interesting

  • @spiros1994 10 years ago

    The lack of ASLR in *BSD and the weak version in Linux also, I think, make this attack more successful. If not, please correct me.

    • @CyDek10 10 years ago

      Not really - ASLR doesn't help you in this instance. Even though the OS gives you memory pages with "random" starting addresses, you still get ~4kb per page. That is, however, much more than a (typical) single variable needs, so you end up storing more than one variable per page. And this again is done sequentially, so the probability of reading actual data via this bug is pretty much the same with or without ASLR ;)

    • @Z80Fan 10 years ago +2

      This has nothing to do with it: Address Space Layout Randomization randomizes the loading address of the program and its dynamic libraries, so that it's very difficult (almost impossible) to write shellcode to exploit a vulnerable program.
      Heartbleed doesn't inject shellcode; it just tricks the vulnerable client/server into sending what it has in its writeable memory.

    • @calrogman 10 years ago +1

      OpenBSD was actually the first mainstream operating system to integrate ASLR and activate it by default. libc support for ASLR doesn't help with this bug because of OpenSSL's use of an internal malloc.

  • @krissyofarrell9491 10 years ago

    thank you - great video :)