THE YEAR IN

WEB SECURITY

Billy Conn

Sr Architect, EdgeTheory

HEARTBLEED

April 2014


A bug in OpenSSL's implementation of the TLS heartbeat extension

Who it affected

  • Gmail
  • Akamai
  • AWS
  • GitHub
  • Stripe
  • Wikipedia
  • Reddit
  • Yahoo

1% of sites still vulnerable as of Nov 1

What it affected

Both servers and clients were vulnerable

  • McAfee
  • Cisco
  • Steam
  • LastPass

TLS Heartbeat

1) Send 5 bytes: "ABCDE"

2) Server responds with "ABCDE"

The Heartbleed Bug

1) If you're still there, send me these 65535 bytes back: "ABCDE"

The server never checks that you're not requesting more back than you sent!

2) Server responds with "ABCDE ... Hunter2" - 64k of potentially decrypted bytes

hbtype = *p++;            /* 1 byte: heartbeat message type */
n2s(p, payload);          /* 2 bytes: claimed payload length, taken straight from the peer */
pl = p;                   /* start of the payload actually received */

…

*bp++ = TLS1_HB_RESPONSE;
s2n(payload, bp);         /* echo the claimed length back */
memcpy(bp, pl, payload);  /* copies 'payload' bytes from pl; the record length is never checked */
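As an added example (not code from the slides or from OpenSSL): the same parse-then-echo logic written over a raw record buffer, with the length check the fix introduced. The record layout, the helper names and the constructed 24-byte request are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example (not OpenSSL's code): a minimal heartbeat responder over a
 * raw record buffer, with the bounds check the vulnerable code lacked.
 * Layout per RFC 6520: type (1), payload_length (2), payload, padding (>=16). */
#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16

/* Writes a response into out and returns its length, or -1 when the claimed
 * payload length does not fit in the bytes actually received. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return -1;                                   /* too short to be valid */
    uint8_t hbtype = rec[0];
    size_t payload = ((size_t)rec[1] << 8) | rec[2]; /* n2s(): peer-controlled */

    /* The check Heartbleed was missing: 1 + 2 + payload + 16 must fit in rec_len */
    if (1 + 2 + payload + HB_PADDING > rec_len || hbtype != TLS1_HB_REQUEST)
        return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap)
        return -1;

    uint8_t *bp = out;
    *bp++ = TLS1_HB_RESPONSE;
    *bp++ = (uint8_t)(payload >> 8);                 /* s2n() */
    *bp++ = (uint8_t)(payload & 0xff);
    memcpy(bp, rec + 3, payload);                    /* now bounded, cannot over-read */
    memset(bp + payload, 0, HB_PADDING);             /* real code uses random padding */
    return (int)resp_len;
}

/* Constructed 24-byte request (not captured traffic): 5 real payload bytes
 * "ABCDE" plus 16 padding bytes, with a caller-chosen claimed length. */
int respond_to_claimed_length(unsigned claimed)
{
    uint8_t rec[3 + 5 + HB_PADDING] = { TLS1_HB_REQUEST, (uint8_t)(claimed >> 8),
                                        (uint8_t)claimed, 'A', 'B', 'C', 'D', 'E' };
    uint8_t out[64];
    return heartbeat_respond(rec, sizeof rec, out, sizeof out);
}
/* respond_to_claimed_length(5) returns 24; respond_to_claimed_length(65535) returns -1 */
```

A claimed length of 5 yields a 24-byte response; the 65535-byte claim from the slide is rejected before any memcpy runs.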

Causes

  1. Hard-to-maintain code
  2. Lack of testing

Takeaways

  1. Readability matters
  2. Testing matters
  3. Every feature has a cost
  4. Patch
  5. NEVER TRUST USER INPUT

SHELLSHOCK

Introduced Sep 1989

Disclosed Sep 2014

different vulnerabilities

Who it affected

Tools

  1. CGI/FastCGI-based web applications

  2. OpenSSH

  3. DHCP

  4. CUPS

  5. Oracle products

  6. Cisco products

"I don't use bash"

  1. /bin/sh emulation
  2. busybox
  3. "system"

Unknown number of machines still affected

Causes

  1. Rarely used feature
  2. Poorly thought-out implementation
  3. Ignored "best practices"
  4. Lack of documentation

Takeaways

  1. Readability matters
  2. Testing matters
  3. Every feature has a cost
  4. Patch
  5. NEVER TRUST USER INPUT

Heartbleed vs. Shellshock

DETECTION

Heartbleed

  • Impossible to detect initial usage
  • Once the vulnerability is closed, no further technical consequences.

Shellshock

  • Hard to detect initial usage
  • Very hard to ensure no ongoing consequences
  • Machine can be compromised indefinitely without symptoms.

RESOLUTION

Heartbleed

  • Easy to resolve:
    1. Upgrade OpenSSL
    2. Reissue
    3. Restart

Shellshock

  • Hard to resolve:
    1. Upgrade Bash
    2. Hope your server hasn't been compromised
  • OR:
    1. Wipe server

ATTACK VECTORS

Heartbleed

  • Small number of individual attack vectors
  • Widely deployed and easy to attack

Shellshock

  • Large number of attack vectors
  • Varying degrees of difficulty to attack and varying levels of deployment

TAKEAWAYS (Heartbleed and Shellshock)

  1. Readability matters
  2. Testing matters
  3. Every feature has a cost
  4. Patch
  5. NEVER TRUST USER INPUT

SECURITY:

When you do it right, everyone feels like you're just wasting time.

When you do it wrong, every problem is your fault.
