Details of the the Cloudbleed bug – Attacks on TLS Implementations
22.8.1 Details of the the Cloudbleed bug
To build a Ragel-based parser, the Ragel code is automatically transformed into C code. The C code is then compiled into an executable. Unfortunately, the generated C code contained a bug shown in Listing 22.5.
Listing 22.5: Cloudbleed bug
/* generated code */
if ( ++p == pe )
goto _test_eof;
The if statement in Listing 22.5 is supposed to check whether the end of the buffer, the address pointed to by pe, is reached. However, because the == operator is used, that if statement evaluates to false in two cases:
- When ++p points to an address less than pe, that is, the end of buffer is not reached yet
- When ++p points to an address larger than pe, that is, when ++p is beyond the end of the buffer
As a result, if, after being incremented, pointer p does not point exactly to address pe, it will be allowed to jump over the buffer end. Interestingly, the bug in the generated C code is actually the result of a programming error in the Ragel description of the parser. That is, the Ragel code that Cloudflare developers wrote contained an error that led to the bug in the generated code.
A second interesting aspect is that the bug was dormant in Cloudflare’s production code for multiple years. However, as long as the old Ragel-based parser was used, the buggy code was never executed. This changed when Cloudflare’s engineers added the new cf-html parser.
22.9 Timing attacks
In the previous two chapters, we learned about attacks on the TLS Handshake and the TLS Record protocols, which use a padding oracle to compromise TLS security guarantees. In most cases, the padding oracle is a by-product of data-dependent timing differences that occur when a TLS implementation processes the received TLS messages.
While these attacks target the TLS Handshake or TLS Record protocol, the underlying reason – namely, the leakage of information about internally processed data – is an implementation issue. In cryptography, attacks that exploit such information are called side channel attacks.
More precisely, side channel attacks exploit unintended information leakage caused by the physical properties of the implementation of a cryptographic algorithm. Using the leaked information, Eve can infer intermediate values processed by the cryptographic algorithm and, based on these values, extract the secret values.