
Security Vulnerabilities: Heartbleed & Buffer Overflow


This presentation explains the mechanism of the Heartbleed security flaw, which affected systems worldwide in 2014. It also explains the causes of buffer overflow, one of the simplest but also one of the most common vulnerabilities. The presentation will help avoid these problems and ensure online security. Presentation by Nazar Mota (Developer, GlobalLogic, Lviv), EmbeddedTechTalk, Lviv, 2014. More details: http://www.globallogic.com.ua/press-releases/embedded-lviv-techtalk-2-coverage


Page 1: Security Vulnerabilities: Heartbleed & Buffer Overflow

Security vulnerabilities

Heartbleed & Buffer overflow

By Nazar Mota

© 2014 GlobalLogic Inc.

Page 3: Security Vulnerabilities: Heartbleed & Buffer Overflow

Agenda

● Heartbleed

● Buffer overflow

● Q&A

Page 4: Security Vulnerabilities: Heartbleed & Buffer Overflow

Heartbleed

Page 5: Security Vulnerabilities: Heartbleed & Buffer Overflow

Heartbleed

● Called one of the biggest security threats the Internet has ever seen.
● Described as catastrophic by experts: 'On the scale of 1 to 10, this is an 11'.
● Existed from 1.03.2012(!) until 7.04.2014.
● Reveals up to 64 KB of memory to a connected client or server.
● Allows stealing information that is protected under normal conditions.
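The "up to 64 KB" figure comes from the two-byte payload length field of the TLS heartbeat message: the vulnerable OpenSSL code trusted that field and copied that many bytes into its reply without checking how many bytes the peer had actually sent. The C code below is an added example written for this page, not OpenSSL's code (the slides do not reproduce it). It assumes a simplified record layout constructed for the illustration (one type byte, a two-byte big-endian payload length, the payload, then 16 bytes of padding) and shows the length check that closes the hole, together with a response builder that can only ever echo validated bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_HEADER_LEN  3   /* 1 byte message type + 2 bytes payload length */
#define HB_PADDING_LEN 16  /* minimum trailing padding */

enum hb_status { HB_OK = 0, HB_ERR_SHORT = -1, HB_ERR_LENGTH = -2, HB_ERR_OUTPUT = -3 };

/* Validate a heartbeat-style record of rec_len bytes and locate its payload.
 * The length comparison is the check whose absence caused Heartbleed: the
 * payload length comes from the peer, so it must be compared against the
 * number of bytes actually received before a single byte is copied. */
int hb_parse(const uint8_t *rec, size_t rec_len,
             const uint8_t **payload, size_t *payload_len)
{
    if (rec_len < HB_HEADER_LEN + HB_PADDING_LEN)
        return HB_ERR_SHORT;                /* not even a header plus padding */

    size_t declared = ((size_t)rec[1] << 8) | rec[2];   /* big-endian length */

    /* Reject records whose declared payload extends past the received data. */
    if (HB_HEADER_LEN + declared + HB_PADDING_LEN > rec_len)
        return HB_ERR_LENGTH;

    *payload = rec + HB_HEADER_LEN;
    *payload_len = declared;
    return HB_OK;
}

/* Build the echo response into out (capacity out_cap). Only bytes that
 * hb_parse() has validated are copied, so the response cannot contain
 * memory lying beyond the received record. Returns bytes written or a
 * negative hb_status value. */
int hb_build_response(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    const uint8_t *payload;
    size_t payload_len;
    int rc = hb_parse(rec, rec_len, &payload, &payload_len);
    if (rc != HB_OK)
        return rc;

    size_t total = HB_HEADER_LEN + payload_len + HB_PADDING_LEN;
    if (total > out_cap)
        return HB_ERR_OUTPUT;               /* output buffer is bounded too */

    out[0] = 0x02;                          /* response type (assumed value) */
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xFF);
    memcpy(out + HB_HEADER_LEN, payload, payload_len);
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_PADDING_LEN);
    return (int)total;
}

int main(void)
{
    /* Constructed sample records: one honest (declares the 5 bytes it
     * carries) and one malformed (declares 65535 bytes but carries one).
     * Remaining array bytes are zero and serve as padding. */
    const uint8_t honest[24]    = { 0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    const uint8_t malformed[20] = { 0x01, 0xFF, 0xFF, 'h' };
    uint8_t out[64];

    int n = hb_build_response(honest, sizeof honest, out, sizeof out);
    printf("honest record: response of %d bytes\n", n);
    n = hb_build_response(malformed, sizeof malformed, out, sizeof out);
    printf("malformed record: rc=%d, nothing copied\n", n);
    return 0;
}
```

The fix shipped for the real bug has the same shape: compare the header, the declared payload length and the padding against the record length received, and discard the record when the sum is larger.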

Page 6: Security Vulnerabilities: Heartbleed & Buffer Overflow

Impacts

● About 1/3 of the Internet (according to the Internet security company Netcraft, around 500,000 sites)
● Dropbox, Google, Yahoo, Facebook, Instagram, Flickr, YouTube, GitHub
● Online banking, VPN
● IP phones, routers, medical devices, smart TV sets, embedded devices and millions of other devices

Page 24: Security Vulnerabilities: Heartbleed & Buffer Overflow

● Heartbleed

● Buffer overflow

● Q&A

Page 31: Security Vulnerabilities: Heartbleed & Buffer Overflow


Safe String Libraries

● C: avoid functions with no bounds checks: strcpy(), strcat(), sprintf(), scanf()
● Use the safer versions that take a bound: strncpy(), strncat(), fgets()
● You must pass the right buffer size to these functions!
● C++: the STL string class handles allocation
● Unlike compiled languages (C/C++), interpreted ones (Java/C#) enforce type safety and raise exceptions on buffer overflow
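The bounded functions the slide recommends still bite when the size passed is wrong or, in strncpy()'s case, when the result is left without a terminator. The wrappers below are an added example written for this page, not code from the presentation: they take the destination's real capacity, always NUL-terminate, and report how much was dropped so truncation is detected rather than silent. The function names and sample strings are my own.

```c
#include <stdio.h>
#include <string.h>

/* Copy src into dst, which holds dst_size bytes. Unlike strcpy() the copy
 * never exceeds the buffer; unlike strncpy() the result is NUL-terminated
 * whenever dst_size > 0. Returns the number of source bytes that did not
 * fit, so the caller can detect truncation. */
size_t bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t src_len = strlen(src);
    if (dst_size == 0)
        return src_len;                        /* nothing can be stored */
    size_t n = src_len < dst_size - 1 ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src_len - n;
}

/* Append src to the string already in dst (total capacity dst_size).
 * strncat() wants the *remaining* space, which callers often miscompute;
 * taking the total size removes that arithmetic. Returns bytes dropped. */
size_t bounded_append(char *dst, size_t dst_size, const char *src)
{
    size_t used = 0;
    while (used < dst_size && dst[used] != '\0')   /* bounded strlen */
        used++;
    if (used >= dst_size)                          /* dst not terminated: refuse */
        return strlen(src);
    return bounded_copy(dst + used, dst_size - used, src);
}

/* snprintf() in place of sprintf(): returns 1 if the text was truncated to
 * fit, 0 otherwise. snprintf() reports the length it wanted to write, which
 * is how truncation is detected. */
int format_greeting(char *dst, size_t dst_size, const char *name)
{
    int wanted = snprintf(dst, dst_size, "Hello, %s!", name);
    return wanted < 0 || (size_t)wanted >= dst_size;
}

int main(void)
{
    /* sizeof on the array gives the real capacity; sizeof on a pointer
     * would give the pointer size, which is the classic wrong-size bug. */
    char buf[8];
    size_t dropped = bounded_copy(buf, sizeof buf, "hello, world");
    printf("copied \"%s\", dropped %zu bytes\n", buf, dropped);

    bounded_copy(buf, sizeof buf, "abc");
    dropped = bounded_append(buf, sizeof buf, "defgh");
    printf("appended -> \"%s\", dropped %zu bytes\n", buf, dropped);

    if (format_greeting(buf, sizeof buf, "Bob"))
        printf("greeting truncated to \"%s\"\n", buf);
    return 0;
}
```

Note that truncation is a policy decision: for a file name or a permission string, silently dropping the tail can be as dangerous as the overflow, so callers should check the returned count and reject the input when it matters.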

Page 32: Security Vulnerabilities: Heartbleed & Buffer Overflow

Thank You

Q & A