can languages like Rust (memory safety by default) fix those problems?

complexity = the enemy

why it is important to ALWAYS K.I.S.S

“OpenSSL foundation’s president, Steve Marquess, said “The mystery is not that a few overworked volunteers missed this bug; the mystery is why it hasn’t happened more often.” David A. Wheeler described audits as an excellent way to find vulnerabilities in typical cases, but noted that “OpenSSL uses unnecessarily complex structures, which makes it harder to both humans and machines to review.”” (src: Wiki)

“The Heartbleed bug would not have been possible if OpenSSL had been implemented in Rust” (src)

https://www.openssl.org/news/secadv_20140407.txt   OpenSSL Security Advisory [07 Apr 2014]

  • TLS heartbeat read overrun (CVE-2014-0160)
  • A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.
  • Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.
  • Thanks to Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl ÄT chromium.org> and Bodo Moeller <bmoeller ÄT acm.org> for preparing the fix.
  • Affected users should upgrade to OpenSSL 1.0.1g.
  • Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.
  • 1.0.2 will be fixed in 1.0.2-beta2.
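To make the "missing bounds check" in the advisory concrete, here is an added, self-contained model of a heartbeat handler (not OpenSSL's own code; record layout simplified, names such as `process_heartbeat` and `HB_PADDING` are my own). It shows the two length checks the fix introduced: the vulnerable build skipped the second one and copied as many bytes as the peer's length field claimed, which is why memory beyond the real payload ended up in the response.

```c
/* Constructed model of a TLS heartbeat record as OpenSSL 1.0.1 parsed it:
 *   [0]     message type (1 = request, 2 = response)
 *   [1..2]  declared payload length, big-endian
 *   [3..]   payload bytes, followed by at least 16 bytes of padding
 * Simplified illustration only; layout and names are not OpenSSL's. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Hardened handler: returns the number of payload bytes echoed into `out`,
 * or -1 when the record is malformed and must be dropped.
 * The vulnerable code trusted `declared` and copied that many bytes out of
 * `rec`, so a short payload with a large length field returned up to 64k of
 * process memory to the peer. The checks below are what the fix added. */
static int process_heartbeat(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    /* Check 1: the record must at least hold type, length field and padding. */
    if (rec_len < 1 + 2 + HB_PADDING)
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;

    size_t declared = ((size_t)rec[1] << 8) | rec[2];

    /* Check 2 (the one that was missing): declared payload plus mandatory
     * padding must fit inside the bytes that were actually received. */
    if (1 + 2 + declared + HB_PADDING > rec_len)
        return -1;

    /* Never write more than the caller's response buffer can hold. */
    if (1 + 2 + declared + HB_PADDING > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, declared);          /* echo only what was received */
    memset(out + 3 + declared, 0, HB_PADDING);   /* padding; random in real TLS */
    return (int)declared;
}
```

A test that feeds the handler a record whose length field disagrees with the bytes on the wire is the regression test this bug never had.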

everyone makes mistakes… the question is: how do we deal with our errors? could test documentation help here?

Meet Robin Seggelmann, the man who accidentally created Heartbleed

“In one of the new features, unfortunately, I missed validating a variable containing a length.”

test your server/browser: https://www.ssllabs.com/

While much of the world was out celebrating the new year of 2012, Robin Seggelmann was writing late-night code that would lead to the worst disaster in recent Internet history.

Heartbleed, a “catastrophic” security flaw in the OpenSSL cryptographic protocol that has affected two-thirds of the entire Internet’s communications, was committed at 10:59 pm on New Year’s Eve by Seggelmann, a 31-year-old Münster, Germany-based programmer.

That night, he made an error that has been compared to the misspelling of Mississippi, a careless but almost inevitable mistake that went undetected for over two years.

“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he told the Sydney Morning Herald. “In one of the new features, unfortunately, I missed validating a variable containing a length.”

The man who reviewed his code, Dr. Stephen Henson, managed to miss the error completely as well.

By exploiting that small mistake, an attacker can steal a big slice of data from a computer’s main memory, which can contain usernames, passwords, and content that can endanger much of the Web’s most private content.

In the wake of Edward Snowden’s revelations of massive NSA Internet surveillance, questions quickly popped up, asking if Seggelmann had done this on purpose in an effort to build a backdoor into one of the Internet’s most important security tools.

Seggelmann has denied deliberately inserting the flaw, saying it could “be explained pretty easily.” He does, however, know why it’s “tempting” to see the error as intentional. He calls Heartbleed “a simple programming error” that was “not intended at all”—but that it’s absolutely possible that intelligence agencies like the NSA have made use of the vulnerability since it was introduced.

“It is a possibility, and it’s always better to assume the worst than best case in security matters, but since I didn’t know the bug until it was released and [I am] not affiliated with any agency,” Seggelmann said.

A year after writing the catastrophic bug, Seggelmann would finish up his PhD thesis titled “Strategies to Secure End-to-End Communication” at the University of Duisburg-Essen.
