The bugfix – Attacks on TLS Implementations

10/02/202110/02/2021| Vera NeelThe bugfix – Attacks on TLS Implementations| 0 Comment| 04:38
Categories :

22.4.3 The bugfix

The bugfix for the Heartbleed bug is shown in Listing 22.3. It is a simple bounds check using the actual TLS record length in the s3-¿rrec data structure.

Listing 22.3: The Heartbleed bugfix

   hbtype = *p++;
   n2s(p, payload);
   if (1 + 2 + payload + 16 > s->s3->rrec.length)
       return 0; /* silently discard per RFC 6520 sec.
4 */
   pl = p;

The s3->rrec.length variable contains the actual record length, while payload is the payload length provided in the Heartbeat request. If the term 1 + 2 + payload + 16 is larger than s3-¿rrec.length, Alice knows immediately that this Heartbeat message contains a wrong payload variable and, therefore, is likely manipulated. In that case, the dtls1˙process˙heartbeat function silently terminates as specified in RFC 6520.

22.5 Insecure encryption activation

Systems that use older plaintext protocols require backward compatibility. In this case, Alice and Bob start the communication without encryption and must explicitly upgrade it to use TLS. As an example, if they use Simple Mail Transfer Protocol (SMTP), published by American computer scientists Jon Postel and Suzanne Sluizer in 1981 (RFC 788), they have to use the STARTTLS command to start a TLS session.

The need to explicitly activate secure communication creates additional attack vectors if application code running on Alice’s or Bob’s machine contains implementation flaws – not programming bugs, but logical mistakes in the implementation affecting its security [150].

One such flaw is missing STARTTLS enforcement. When a legacy protocol can be used without encryption, Bob’s software is responsible for enforcing the desired security level. A common flaw in such software is to request encryption but proceed without it if Alice doesn’t offer it. As a result, Mallory can intercept the plaintext messages transmitted between Alice and Bob and simply remove the STARTTLS message to make sure that Alice and Bob continue their communication in plaintext.

Another such flaw is the buffering of insecure plaintext. If Bob’s software does not reset the protocol state after the encryption starts, Mallory can manipulate messages she would otherwise have no access to. In particular, she can inject payload into plaintext messages that will be processed after the encryption is activated, tricking Alice and Bob into believing they are processing messages secured by TLS while these messages actually contain Mallory’s payload.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Post

Triple Handshake attack 2 – Attacks on the TLS Handshake Protocol

09/02/202409/02/2024 Vera NeelTriple Handshake attack 2 – Attacks on the TLS Handshake Protocol
Before the third handshake, server Alice has to require a session renegotiation, including client authentication, [...]
Read MoreRead More

he Heartbleed bug – Attacks on TLS Implementations

11/12/202111/12/2021 Vera Neelhe Heartbleed bug – Attacks on TLS Implementations
22.4.2 The Heartbleed bug Heartbleed is the result of improper input validation – more precisely, [...]
Read MoreRead More

POODLE – Attacks on the TLS Record Protocol

12/12/202312/12/2023 Vera NeelPOODLE – Attacks on the TLS Record Protocol
21.2 POODLE POODLE stands for Padding Oracle On Downgraded Legacy Encryption and was discovered in [...]
Read MoreRead More