
Heartbleed Flaw Is a Killer

Image caption: Left: People with accounts on the Healthcare.gov enrollment website are being told to change their passwords because of the Heartbleed security bug. Right: The Heartbleed.org website.

Thursday, 24 Apr 2014 08:07 AM

There are any number of amusing paradoxes about programming for computers and the Internet. Here’s one of them: It often appears that the smaller the coding error, the bigger the resulting catastrophe.

A colleague of mine was once summoned to a Middle East country to resolve a major computer processing problem. He had to bicker with a customs agent to bring into the country his CD toolbox of code in computer language (the agent feared that the disk might contain pornography).

The problem, as it turned out, was the result of a semicolon missing from the end of a single line of code!

And now the latest member of the hit parade of coding boo-boos is the so-called Heartbleed bug.

About two-thirds of the world’s servers use OpenSSL, an open source security protocol library that powers the so-called “heartbeat extension” for the Transport Layer Security (TLS) protocol. When you run your browser and visit a website that has a URL beginning with “https:”, you’re running OpenSSL.

Heartbeat is able to test and maintain communication links without having to renegotiate the connection each time.

A Ph.D. student at the University of Duisburg-Essen in Germany, Robin Seggelmann, worked on the OpenSSL project during his Ph.D. studies, from 2008 to 2012. In 2011, Seggelmann implemented the heartbeat extension for OpenSSL.

In doing so he made a tiny programming error. As Seggelmann said later to Australia’s Sydney Morning Herald, “I was working on improving OpenSSL and submitted numerous bug fixes and added new features … In one of the new features, unfortunately, I missed validating a variable containing a length.”

The change in OpenSSL was logged on New Year's Eve 2011 and the error was allegedly missed in a review of the code by Stephen N. Henson, one of OpenSSL's four core developers. The flawed code was included in the released version of OpenSSL version 1.0.1 on March 14, 2012. Heartbeat was enabled by default, immediately placing anything running the code in a state of vulnerability.

In other words, it appears that in reading data from the network into a variable, Seggelmann forgot to do a “bounds check” on the string or array that probably served as a data buffer.
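To make the missing “bounds check” concrete, here is an added illustration that is not part of the original article and is not OpenSSL's actual code: a simplified C model of an echo handler with and without the length validation. The record layout (1-byte type, 2-byte claimed payload length, payload), the `arena` sample buffer and every function name are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define HDR_LEN 3  /* 1-byte type + 2-byte big-endian claimed payload length */

/* Constructed sample memory: a request that carries the 3-byte payload "hey"
 * but claims 16 bytes, followed by unrelated data that sits next to it. */
static unsigned char arena[64] =
    "\x01\x00\x10" "hey" "SECRET-KEY-BYTES";
static const size_t record_len = HDR_LEN + 3;  /* bytes actually received */

static size_t claimed_len(const unsigned char *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Flawed echo: trusts the length field inside the message and never
 * compares it with the number of bytes that actually arrived. */
size_t echo_unchecked(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap) {
    size_t n = claimed_len(rec);
    (void)rec_len;                  /* the validation that was missed */
    if (n > out_cap) return 0;
    memcpy(out, rec + HDR_LEN, n);  /* copies past the real payload */
    return n;
}

/* Hardened echo: rejects any record whose claimed payload does not
 * fit inside the bytes that were received. */
size_t echo_checked(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap) {
    if (rec_len < HDR_LEN) return 0;
    size_t n = claimed_len(rec);
    if (n > rec_len - HDR_LEN || n > out_cap) return 0;
    memcpy(out, rec + HDR_LEN, n);
    return n;
}

int main(void) {
    unsigned char out[64];
    size_t n = echo_unchecked(arena, record_len, out, sizeof out);
    printf("unchecked reply: %zu bytes: %.*s\n", n, (int)n, out);
    n = echo_checked(arena, record_len, out, sizeof out);
    printf("checked reply:   %zu bytes\n", n);
    return 0;
}
```

In this model the claimed length is a 16-bit field, so a single request can claim at most 65,535 bytes.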

In a post at Article.gmane.org, Theo de Raadt, the founder of OpenBSD and OpenSSH, notes that the “malloc” memory allocation library Seggelmann would have used was patched long ago to prevent Heartbleed-type exploitations.

However, de Raadt also mentions that, at the same time, OpenSSL added "a wrapper around malloc & free so that the library will cache memory on its own, and not free it to the protective malloc" which was meant to improve system performance, but which could in certain circumstances (that is, programmer error) place the system in peril.

So Seggelmann’s bug was effective because, for performance reasons, he used the OpenSSL library’s memory manager, which is not subject to the protective aspects of the C language memory functions such as “malloc” (used to allocate a certain amount of memory during a program’s execution) and “free” (a function which returns the memory back to the computer’s operating system when it isn’t needed anymore).

If a program with a bug attempts to read memory locations not part of the original allocation, most implementations of “malloc” and “free” will generate a so-called segmentation fault, or “segfault,” a fault raised by hardware with memory protection, which notifies an operating system about a memory access violation.

If the memory had not been properly returned via the “free” function, it still could have been checked by the “munmap” function (which takes length as a parameter), in which case it would have, in de Raadt’s words, “triggered a 'daemon' crash instead of leaking your keys.”

Thus, for the past 2 1/2 years, hackers could steal information from affected OpenSSL systems in chunks of 64 Kilobytes.

Later, in March, both Google engineer Neel Mehta and a Finnish cybersecurity company named Codenomicon independently discovered the bug. On March 21, 2014, Bodo Moeller and Adam Langley of Google wrote a software patch repairing the bug. The bug was announced by the OpenSSL group on April 7.

OpenSSL is used by servers, clients, routers, phones and other devices found in business, healthcare, mass transit systems, municipal utilities and emergency services.

Everybody and everything that runs OpenSSL must install the patched version and revoke old encryption certificates employed in website authentication. Smaller providers and businesses may not patch OpenSSL in a timely manner, so the paranoid among us will be changing all of our passwords on every site and service that relies on OpenSSL, which is just about everything.

Have a nice day.

Richard Grigonis is an internationally known technology editor and writer. He was executive editor of Technology Management Corporation’s IP Communications Group of magazines from 2006 to 2009. The author of five books on computers and telecom, including the highly influential Computer Telephony Encyclopedia (2000), he was the chief technical editor of Harry Newton's Computer Telephony magazine (later retitled Communications Convergence after its acquisition by Miller Freeman/CMP Media) from its first year of operation in 1994 until 2003.

© 2017 Newsmax. All rights reserved.
