  • 1. Heartbleed Ibrahim M. El-Sayed
  • 2. “Catastrophic is the right word. On the scale of 1 to 10, this is an 11.” --Bruce Schneier
  • 3. What is Heartbleed?
      • What is Heartbleed? It is a critical bug in OpenSSL’s implementation of the TLS/DTLS heartbeat extension that allows attackers to read portions of the affected server’s memory.
      • What is OpenSSL? It is open source software used by the Apache and Nginx web servers (66% market share) to encrypt traffic over the Internet.
      • Affected versions: OpenSSL 1.0.1 and 1.0.2
  • 4. How does SSL work?
  • 5. What is Heartbleed
      • What is Heartbeat?
          1. Used to keep the connection alive
          2. The client sends data to the server, and the server echoes it back
          3. Similar to ICMP ping but within HTTP
      • [Diagram: Client and Web Server Running OpenSSL exchanging Heartbeat “Hello” 6 and Heartbeat “Hello” 6]
  • 6. Heartbleed Explained: Non-Technical
  • 7. Heartbleed Explained
      • Non-technical
          • Ask for a 100-photo box
          • The seller doesn’t know how to count
          • Two scenarios
              • Actual 100 photos
              • Only 1 photo
  • 8. Heartbleed Explained
      • Technical: “memcpy(bp, p1, payload);” is the actual bug :(
      • void * memcpy ( void * destination, const void * source, size_t num );
      • The function does not check for any terminating null character in source - it always copies exactly num bytes.
      • To avoid overflows, the size of the arrays pointed to by both the destination and source parameters shall be at least num bytes, and they should not overlap (for overlapping memory blocks, memmove is a safer approach).
  • 9. Heartbleed - explanation
  • 10. Heartbleed - explanation
  • 11. Heartbleed - Attack
  • 12. Heartbleed Impact
      • Eavesdrop on encrypted communication
      • Get access to sensitive data in memory
      • Impersonate users and services
  • 13. Heartbleed fix
      • Server-side
          • Quick fix: disable heartbeats
          • Real fix: upgrade OpenSSL
      • User actions
          • Change your passwords!
          • Test sites yourself
  • 14. Heartbleed - PoC
      • https://blog.bugcrowd.com/heartbleed-exploit-yet/
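
The unchecked copy from slide 8 next to a length-checked version, as an added example that is not from the original slides or from OpenSSL's source. The record layout, buffer contents and function names are constructed for illustration, and the over-read is confined to a 64-byte array so the program stays well-defined.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_PADDING 16u  /* RFC 6520: at least 16 bytes of padding */
#define REC_LEN    24u  /* type(1) + length(2) + "Hello"(5) + padding(16) */

/* Constructed stand-in for process memory: one heartbeat record followed
 * by unrelated data that happens to sit next to it. */
static uint8_t mem[64];

void build_memory(uint16_t claimed_len)
{
    memset(mem, 0, sizeof mem);
    mem[0] = 1;                               /* heartbeat_request */
    mem[1] = (uint8_t)(claimed_len >> 8);     /* length field, sender-chosen */
    mem[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(mem + 3, "Hello", 5);
    memcpy(mem + REC_LEN, "SECRET-KEY-MATERIAL", 19);
}

/* Unchecked: num comes straight from the record, as on slide 8. */
size_t hb_echo_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    (void)rec_len;                            /* received size never consulted */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    memcpy(out, rec + 3, payload);            /* reads past the record */
    return payload;
}

/* Checked: discard silently when the claimed payload cannot fit. */
size_t hb_echo_checked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;
    memcpy(out, rec + 3, payload);
    return payload;
}

int main(void)
{
    uint8_t out[64] = {0};
    build_memory(40);                         /* claims 40, carries 5 */
    size_t n = hb_echo_unchecked(mem, REC_LEN, out);
    printf("unchecked: %zu bytes, tail \"%.19s\"\n", n, (char *)out + 21);
    printf("checked:   %zu bytes\n", hb_echo_checked(mem, REC_LEN, out));
    return 0;
}
```

The checked handler compares the claimed payload length against the number of bytes actually received, which is the test the unchecked copy omits.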