This document describes Ofer Rivlin's career path in cybersecurity and his involvement in discovering vulnerabilities. It details his role in identifying the OpenSSL Heartbleed vulnerability in 2014 and describes how it worked. It also outlines the Ticketbleed vulnerability he discovered in 2017 affecting F5 BIG-IP load balancers, which could leak up to 31 bytes of memory and potentially expose secret session keys. The document emphasizes lessons learned around the importance of security reviews, testing, and following standards and best practices in development and product security.
12. 12
OpenSSL Heartbeat
[Diagram: heartbeat exchange between Client and Server in seven numbered steps. Client: create the message, encrypt the message. Server: decrypt the message, create the response (includes the client message), encrypt it. Client: decrypt the response, compare the response with the sent message.]
21. 21
Prepare the Response with the Client message
Client, Message Struct:
    char *message-payload
    int payload-length
Server:
    char *pl        // pointer to the payload (message data)
    int payload     // the length of the payload
22. 22
Prepare the Response with the Client message
Client, Message Struct:
    char *message-payload
    int payload-length
Server:
    char *pl        // pointer to the payload (message data)
    int payload     // the length of the payload
    buffer = malloc(payload)        // allocate memory as the payload length
23. 23
Prepare the Response with the Client message
Client, Message Struct (message shown: HAT, length 3):
    char *message-payload
    int payload-length
Server:
    char *pl        // pointer to the payload (message data)
    int payload     // the length of the payload
    buffer = malloc(payload)        // allocate memory as the payload length
    memcpy(buffer, pl, payload)     // copy the payload into the new allocated memory
25. 25
Prepare the Response with the Client message
Eve, Message Struct (message shown: HAT, length 500, "Give me all your secrets!"):
    char *message-payload
    int payload-length
Server:
    char *pl        // pointer to the payload (message data)
    int payload     // the length of the payload
    buffer = malloc(payload)        // allocate memory as the payload length
    memcpy(buffer, pl, payload)     // copy the payload into the new allocated memory
31. 32
Worst case scenario!
Cloudflare had set up an nginx server with a vulnerable version of OpenSSL and challenged the community to steal its private key.
42. 43
Resume TLS Session
[Diagram: session resumption by Session ID (ID=e7). Labels: Hello & Session ID; Check if Session ID is okay; use session key; Okay; Done; Check if Session IDs are equal; Encrypted communication using session key. Each side is shown with a Session ID / Session Key table; values shown: e7 e5 a8 79, dd 33 a2 d4.]
43. 44
Resume TLS With Ticket
[Diagram: session resumption with a ticket (ID=a5). Labels: Hello & Session ID; Check if Session ID is okay; use session key; Okay; Done; Check if Session IDs are equal; Encrypted communication using session key; Session Key, Encrypted; STEK (session ticket encryption key); Client generated!]
48. 49
Resume TLS With Ticket
[Diagram: session resumption with a ticket (ID=e2). Labels: Hello & Session ID; Check if Session ID is okay; use session key; Done; Check if Session IDs are equal; Session Key, Encrypted; STEK (session ticket encryption key); Client generated ID!]
62. 63
    if ( ++p == pe )        /* end of a buffer (file)? */
        goto eof_handler;
    /* p = current character */
    /* pe = character at end of buffer (file) */
63. 64
    if ( ++p == pe )        /* end of a buffer (file)? */
        goto eof_handler;
    /* p = current character */
    /* pe = character at end of buffer (file) */
== → >=
Pointer may jump past the end of the buffer: buffer overrun
64. 65
[Diagram: memory holding <script> and <script#, each followed by eof, with pe marking the end of the buffer]
    Read text until end-of-tag character
    If found '>'
        great!
        parse this tag
        --p;
        goto check-if-eof
    If found unexpected char
        log "error"
        goto check-if-eof
    check-if-eof:
        if ( ++p == pe )
            stop
*p - current character
*pe - character at end of buffer (eof in this case)
65. 66
[Diagram: memory holding <script> followed by eof, with pe marking the end of the buffer]
    Read text until end-of-tag character
    If found '>'
        great!
        parse this tag
        --p;
        goto check-if-eof
    If found unexpected char
        log "error"
        goto check-if-eof
    check-if-eof:
        if ( ++p == pe )
            stop
*p - current character
*pe - character at end of buffer (eof in this case)
66. 67
[Diagram: memory holding <script# followed by eof, with pe marking the end of the buffer; labels: Continue…, ?, X]
    Read text until end-of-tag character
    If found '>'
        great!
        parse this tag
        --p;
        goto check-if-eof
    If found unexpected char
        log "error"
        goto check-if-eof
    check-if-eof:
        if ( ++p == pe )
            stop
*p - current character
*pe - character at end of buffer (eof in this case)
67. 68
[Diagram: memory holding <script# followed by eof]
    Read text until end-of-tag character
    If found '>'
        great!
        parse this tag
        --p;
        goto check-if-eof
    If found unexpected char
        log "error"
        --p;
        goto check-if-eof
    check-if-eof:
        if ( ++p >= pe )
            stop
*p - current character
*pe - character at end of buffer (eof in this case)
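The check-if-eof flow from slides 64 to 67, as an added C model (not code from the talk or from the affected parser). The function name scan, its two switches and the sample memory are assumptions made for this example; p and pe are offsets here rather than pointers, and the read loop is assumed to use the same end test as check-if-eof.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the slides' scanner. The HTML buffer is mem[0..pe); mem[pe..end)
 * is constructed neighbouring data, and 'end' also keeps the demo in bounds
 * (the real parser had no such backstop).
 * hold_on_error: apply the added --p in the error branch (slide 67).
 * ge_check:      test with >= instead of == (slides 63 and 67).
 * Returns the number of bytes read at or beyond pe. */
size_t scan(const char *mem, size_t pe, size_t end, int hold_on_error, int ge_check) {
    size_t p = 0, over = 0;
#define AT_EOF() (ge_check ? p >= pe : p == pe)
    while (!AT_EOF() && p < end) {
        char c = mem[p++];                 /* read text until end-of-tag char */
        if (p > pe) over++;                /* that read was outside the buffer */
        if (isalnum((unsigned char)c) || c == '<') continue;
        if (c == '>') {
            --p;                           /* great! parse this tag */
        } else if (hold_on_error) {
            --p;                           /* log "error", with the added --p */
        }                                  /* original: log "error", no --p */
        ++p;                               /* check-if-eof: the loop tests it */
    }
#undef AT_EOF
    return over;
}

int main(void) {
    /* Constructed input: an 8-byte page ending in an unfinished tag, followed
     * in memory by data that belongs to someone else. */
    const char mem[] = "<script#" "SECRET-COOKIE=1234";
    size_t pe = 8, end = strlen(mem);
    printf("original (==, no --p): %zu bytes over-read\n", scan(mem, pe, end, 0, 0));
    printf("only --p added:        %zu bytes over-read\n", scan(mem, pe, end, 1, 0));
    printf("only >= used:          %zu bytes over-read\n", scan(mem, pe, end, 0, 1));
    printf("both (slide 67):       %zu bytes over-read\n", scan(mem, pe, end, 1, 1));
    return 0;
}
```

Either change alone stops this input at pe; the slide applies both, so the >= test still holds if some other path skips a --p.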
A talk about a certain type of vulnerability: the bleed type, which enables a server's memory to leak.
This is also an example of how such presentations can be used within the dev org to increase awareness and explain best practices to the dev teams.
Far in the past I was an AI (Artificial Intelligence) developer in a few gaming startups in Israel and then in Canada.
I joined SAP back in Israel as a development architect, where I started my security career as a security researcher and a security architect.
In parallel to that I was also a lead developer in an open source project.
Today I am leading product security at CyberArk.
I want to take you to England.
The year is 2011
It is New Year's Eve, and 2012 is just minutes away.
Stephen Henson receives a code update for OpenSSL from Robin Seggelmann.
Robin Seggelmann is a respected academic who's an expert in communication and encryption protocols.
Stephen Henson is a co-founder of OpenSSL and its lead developer to this day.
It is almost midnight and everyone is partying outside.
Stephen Henson reviews the code and submits it.
Moving forward in time, about 2.5 years later
Neel Mehta of Google's security team
considered by many experts to be the worst security bug ever.
OpenSSL is one of the internet infrastructure projects and is critical to the functioning of the Internet (and is the first project to be funded by the "Core Infrastructure Initiative", which was initiated due to HB and is sponsored by many companies).
Configurable – run every second or a few minutes
Client: “I am sending you a payload ‘bird’ with 4 letters”
Server returns ‘bird’ with 4 letters
Client: “I am sending you a payload ‘hat’ with 500 letters”.
Server returns ‘hat’ with 500 letters.
The 497 other characters are memory secrets.
OpenSSL servers handle connection secrets.
Yahoo server on April 8, 2014, a day after the disclosure, exposed to HB
I am using the original parameter names – very confusing names
Payload-length is completely controlled by the user while there is no check on its value on the server
Eve the evil gets the server’s memory
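The missing length check described in these notes, as an added C example (not OpenSSL's code and not code from the talk). The names setup, respond_vulnerable and respond_fixed, the heap array and the secret string are constructed for this example, and the record is simplified to type, length and payload with no padding; the declared length must stay at or below 1021 so that every read remains inside the array.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for server memory: the received record is followed by
 * unrelated data. Every read stays inside this array, so the demo is defined. */
static uint8_t heap[1024];

/* Simplified record: type(1) | payload length(2, big endian) | payload.
 * Places a request plus a neighbouring secret; returns bytes really received. */
size_t setup(const char *msg, uint16_t claimed_len) {
    size_t n = strlen(msg);
    memset(heap, 0, sizeof heap);
    heap[0] = 1;                                  /* heartbeat request */
    heap[1] = (uint8_t)(claimed_len >> 8);
    heap[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(heap + 3, msg, n);
    memcpy(heap + 3 + n, "SECRET-SESSION-KEY", 18);
    return 3 + n;
}

/* As on the slides: the declared length is trusted, rec_len is never used. */
size_t respond_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *buffer) {
    const uint8_t *pl = rec + 3;                  /* pointer to the payload */
    size_t payload = ((size_t)rec[1] << 8) | rec[2];  /* sender-declared length */
    (void)rec_len;
    memcpy(buffer, pl, payload);                  /* copies past the real payload */
    return payload;
}

/* Hardened: drop the request when the declared length exceeds what arrived. */
size_t respond_fixed(const uint8_t *rec, size_t rec_len, uint8_t *buffer) {
    if (rec_len < 3) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload > rec_len) return 0;          /* silently discard */
    memcpy(buffer, rec + 3, payload);
    return payload;
}

int main(void) {
    uint8_t out[1024];
    size_t n = setup("HAT", 500);                 /* 3 real bytes, 500 claimed */
    size_t got = respond_vulnerable(heap, n, out);
    printf("vulnerable: %zu bytes, starts \"%.21s\"\n", got, (const char *)out);
    printf("fixed:      %zu bytes\n", respond_fixed(heap, n, out));
    return 0;
}
```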
Linux target machine running nginx ("engine-x") server with the vulnerable OpenSSL version.
TLS 1.2 with the best certificate.
A user (victim) fills a form with sensitive data and sends that info to the vulnerable server
The attacker identifies the machine that is vulnerable to Heartbleed using Nmap (with the ssl-heartbleed script).
The attacker manages to get a dump of 64K of memory including this user’s sensitive data using a Python script that exploits the Heartbleed vulnerability
But it gets worse.
What can be worse than sending secrets to the client?
The challenge opened 2 days after the vuln was published
Within a few hours, 2 people managed to download the private key from remote.
About 70% of all servers on the internet were exposed to HB (Google, Yahoo, FB, banks, etc.).
Was all of our information compromised?
And it gets even worse still.
What can be worse than what we saw so far?
We can’t know what was compromised.
The reviewer has to reject such code.
Hard to read code blocks the reviewer from seeing vulnerabilities.
Audit and syslog that can be connected with alarm systems
Filippo Valsorda from Cloudflare
Tickets: the server doesn't cache session info.
The session key is encrypted using a server's key (STEK, the session ticket encryption key, which should be rotated often).
Tickets do not enable "Perfect Forward Secrecy", because all previous tickets can be decrypted if the STEK is compromised and because there is no use of Diffie-Hellman.
This is fixed in TLS 1.3 by implementing changes in the TLS protocol
Cloudflare: CDN - Content delivery network
Speeding the delivery of content of websites with high traffic or global reach (cached and compressed content).
CDNs also provide protection from large surges in traffic and can provide other security services.
Every Resume-TLS has failed
Out of sync
Don’t follow the communication protocol
F5 BIG-IP products family
9 days later