Heartbleed, Running the Code - Computerphile

Подписаться 2,4 млн

Просмотров 460 тыс.

50% 1

We look at and run the code that exploits the Heartbleed bug. Dr. Steven Bagley takes us through the code and shows us how it works.
Relevant RFC Document: bit.ly/heartbleed-rfc
Domino Addition: • Domino Addition - Numb...
RU-vid's Secret Algorithm: • RU-vid's Secret Algor...
/ computerphile
/ computer_phile
This video was filmed and edited by Sean Riley.
Computer Science at the University of Nottingham: bit.ly/nottscomputer
Computerphile is a sister project to Brady Haran's Numberphile. See the full list of Brady's video projects at: bit.ly/bradychannels

Опубликовано:

17 апр 2014

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 387

@LittleVolii 4 года назад

"lets move into the office" gotta show this b-roll of ducks first

@jochemvanl 10 лет назад

Great video. XKCD has a nice comic briefly explaining what the bug is (great for your non-tech friends), but this video goes just a little further in explaining how it works.

@cypher9000 3 года назад

From a programmer's perspective it's astounding that the memcpy part of code was peer reviewed and passed all the checks without anyone thinking "But what if someone sends the length that is greater than the actual payload?". Also whoever wrote that file needs to read up about variable naming. bp, lp, p, etc. Jeez. Great video though, thanks for uploading!

@patrickconrad396 Год назад

I'm not like a pro yet but from my experience some complex or more secure apps do have variables named like this. Idk id guess it's security over readability maybe? And I'll say it's always easier to understand a vulnerability after they happen rather than before. Seems so simple to us but who knows what they were thinking. Or maybe the complexity with the variables actually caused the issue lol

@mutzikatzi1 Год назад

@@patrickconrad396 Security by obscurity isn't really security. It's probably because for people who write this kind of codes, it's kinda obvious. p = pointer, bp = buffer pointer, pl = payload length But i also don't like those short namings.

@joseguillermo1790 Год назад

@@mutzikatzi1 Totally agree

@raglandasir6885 Год назад

Yes. We are never supposed to trust the client

@Doc_Fartens 10 лет назад

Fantastic work as always. Nice clear explanation of a fairly important subject.

@thesecondislander 10 лет назад

I'm not a programmer but i can see how coding something which essentially completely trusts the data sent by the client to fit a format without validating it is a bad idea...

@ZweiSpeedruns 10 лет назад

I found that to be the case in most of the web. Because of this, this is why myspace worms break out. With all websites trusting eachother, you can do SQL Injection and XSS.

@atheistpariah 10 лет назад

You are, indeed, correct. It is always best practice to check if an email field fits the pattern *@*.* or that a password field is at least 6 characters in length or, if you're accessing a database, that your table variable has greater than 0 rows. Not only does it prevent unforeseen error messages, it prevents an exploit such as this.

@googlepask7551 10 лет назад

I as a programmer am deeply baffled how one could make such kind of error - the level of absolute incompetence is just staggering (programmer/s + QA). It is not even hidden under layers of other code! No validation of external data in security critical code!? Amazing.

@Celrador 10 лет назад

You are completely right, but as a programmer I want atleast to explain, how bugs like this can occur: If you are writing several thousand lines of code, it is rather likely to forget the checking processes for the data at one point or the other. And it's even more likely for something like this to happen, if you are coding protocols. (As network protocols usually need to be as performance-efficient as can be and therefore you try to accomplish your goal in general with as few lines of code as possible.)

@compscijedi 10 лет назад

This is literally the first lesson we learned in computer science classes beyond the basic "Intro to Programming" course; namely, don't trust the end-user. Assume they are either 1) a complete idiot who won't use the software correctly or 2) a malicious user who will exploit your program if possible. NEVER EVER trust data sent from a user without performing sanity checks and validating it

@publicsafetydan 10 лет назад

Very good explanation! I have seen lots of people try to explain this, and this is by far the easiest to understand for someone unfamiliar with SSL or C

@goeiecool9999 10 лет назад

Make a video about multi-core CPU's and the benefit of 64-bit architectures. I realized that if 8-bit was enough for instruction sets back in the day. So what do we do with the 56 extra bits? Then I realized maybe it's for sending multiple instructions at once per processor core. So yeah, video's about processor architectures.

@agbook2007 10 лет назад

Well explained, Computerphile! Best video of your channel! Keep them coming!

@AndersEvenrud 10 лет назад

I would really love to see more code reviews here. This is great stuff!

@ScottLahteine 10 лет назад

An excellent look at Heartbleed and the nature of security bugs in-general.

@valkin07 10 лет назад

One of your best videos yet Brady

@luisgbm 10 лет назад

Fantastic video, thanks Dr. Bagley and Computerphile!

@figloalds 9 лет назад

I hope nowadays C programmers have learned to create understandable names to functions and members :|

@jwenting 8 лет назад

***** you mean lpfstrHW doesn't tell you anything? ;)

@murch2 8 лет назад

Ip from string ...hardware?

@sk8rkid135 8 лет назад

+Felype Rennan Nope.

@figloalds 8 лет назад

I agree that Java can't contain C code, but C# allows for unsafe native code, yes, usage of native libraries and there is C++/CLI as well. And naming conventions, they could name things well in the C standard libraries, like pascal guys used to do, but, they just chose to not.

@samstromsw 8 лет назад

+CaptainDuckman Hungarian Notation, the idea is that you include the type of every variable in its name. It makes it more obvious if you are using the wrong type.

@FahadAyaz 10 лет назад

A good explanation of the "heartbeat bug" and why it's so dangerous. I'm surprised that it lasted in the wild so long!

@StrikevonNice 10 лет назад

Thanks for explaining this. I looked at some of the code to test for the heart-bleed bug but not knowing the server side code meant I was unsure why this happened. Nice clear explanation and maybe we could have a video on networks and network protocols. By networks I mean like tor etc. and not just here is a star network and here is a bus network etc.

@subbuktek 10 лет назад

beautiful. Thanks. we need more videos from this gentleman

@h3r3t1c 10 лет назад

Great explanation of the heartbleed bug!

@kevinnio 10 лет назад

The best explication about Heart Bleed I've found. Thank you very much!

@shtfgear 10 лет назад

great explanation of heartbleed.

@SanyaIVLitvyak 10 лет назад

Thanks, very interesting to see an explanation of the code!

@Borednesss 10 лет назад

I had no idea what this was about until 7 minutes in lol

@ThomasGiles 10 лет назад

Tom did a great job of explaining this, I feel. But I guess some people are looking for more detailed stuff. Crazy how bugs like this are still getting through...

@matbroomfield 10 лет назад

Despicable that bugs like this are getting through in the very part of the system designed to be extra secure.

@Artifactorfiction 10 лет назад

Amazing how this wasn't spotted much earlier

@ghostandgoblins 10 лет назад

CelmorSmith I believe it was purposely put in there on the behest of government agency. Its seems like a very obvious mistake. This is first year university level logic mistake. Like a situation where the lecturer makes very elementary flaws in the code and students are given 15 min to correct it. As another poster mentioned that not being someone from a programming background even he could see the inherent logic flaw. That is, trusting data sent WITH OUT VERIFYING IT. This is utterly unheard of in any programming practice. So this to have escaped professionals designing security... is highly suspect to say the least. I think you have to include more people then we think in to the "bad guys" group unfortunately. Some of those who run forces are the same who burn crosses ~ RATM

@rlamacraft 10 лет назад

It has been known about for years, as with lots of bugs academics and industry experts are aware of many of these but it simply too costly or not seen as worth fixing unless there is a known or presumed risk. You must remember that the majority of the population are extremely lazy and uneducated in the ways that computers work - and really that is how security is maintained.

@melkon2103 10 лет назад

Great video always amazing to see the exploits being exploited in action ;)

@haarmegiddo 10 лет назад

Best computerphile video to this date

@jirkav 10 лет назад

Thank you for explaining, very interesting stuff and great video!

@PvtHaggard 10 лет назад

Great explanation.. Clears it all up for me.. Thanks

@whiterottenrabbit 10 лет назад

This reminds me thematically of the RSA bug half a year ago... What I still don't understand with the heartbleed bug, though, is why it is necessary to tell the server how long the message is. Can't it determine the length of the message on the basis of the message itself? I mean, C is used for high-precision scientific computations in applied mathematics for decades, but it can't count how many bytes a message has? ò.Ô

@natnew32 5 лет назад

Strings don't have a length parameter.

@masonhunter2748 3 года назад

Say the next 6 letters: Badeth haha Would be the same as Say this: Badeth

@karlosdaniel6537 2 года назад

@@natnew32 Yes, and string isn't even a data type in C, they're just an array of characters.

@williamdrum9899 2 года назад

Short answer: No. Long answer: The computer has no way of telling where an arbitrary sequence ends, unless it uses some sort of terminator value or a predefined size placed in front of the sequence.

@cantinasongband 2 года назад

clearly there is a way to tell the actual size of the payload since it was needed to apply the patch. the entire issue was caused because the code didn't check if the actual length of the payload matches the integer value provided by the client.

@SamuraiGuevara 10 лет назад

that was really informative and excellently explained!

@coopergore2884 8 лет назад

Dr. Bagley's shirts are fly as shit.

@LeviG 10 лет назад

Nice video. Great explanation.

@DFX2KX 10 лет назад

Interesting. Nice to see why there was so much noise about this online. Part of me wants to face-palm at this, but it's really quite a simple mistake to make.

@weemist 10 лет назад

This is disturbingly easy. How could have gone unnoticed for such a long time?

@KilloZapit 10 лет назад

I never even heard of this bug before. Funny thing is, I saw he bug before he described it. See, this is why I would be really reluctant to make code that messes around with memory like that in security. It's amazingly easy to mess it up when you don't have type protection. But I guess it's pretty easy to mess up even if you do sometimes.

@unfa00 3 года назад

Learning how Heartbleed makes the server send in random memory contents made me laugh so hard...

@LdaHashZero 8 лет назад

Another reason to always memset any temporary buffers in memory containing passwords/keys after you're finished using them. This includes local function variables allocated on the stack before you return.

@cjxordi 6 лет назад

How many processor cycles would it take? When you would do that to every variable in your code.

@nija323 10 лет назад

great explanation of the the heartbleed bug

@user-xj9kx8wq1r 4 месяца назад

Thank you for that explanation. Helped me a lot.

@OmegaCraftable 10 лет назад

Thanks for the info :)

@TheBertjeT 10 лет назад

Wow, I get it now! Great explanation!

@AntivirusRatings 10 лет назад

Absolutely loved your explaination.

@frostfang83 10 лет назад

Very nice look at how it works

@henrikwannheden7114 10 лет назад

Ooooh! Very nice Ataris in the background! Cool! :D

@sean3533 10 лет назад

Where was the opening filmed? Its beautiful

@Computerphile 10 лет назад

That's the University of Nottingham Jubilee Campus, home to their Computer Science building :) >Sean

@sean3533 10 лет назад

***** Thanks Brady, I'll have to check out that campus!

@peeedurr 8 лет назад

+Sean Haggard Looks a lot like York's new place. Very similar to Nott's obviously.

@dasten123 10 лет назад

great explanation, didn't expect it to be that good :)

@DrenImeraj 10 лет назад

How did this pass testing? Giving a different payload size than the real one is something very basic, it's so weird it sounds intentional. AWESOME video by the way, thank you!

@AV1461 10 лет назад

Really good. Thank you. I'd love to see the fix - the checks they added 7:15. Or at least what type of things can be done.

@CelmorSmith 10 лет назад

checking if the payload is the length specified by the user would suffice. Sth. like "if(payloadLength == payload.Length)" (but i'm not a C programmer) would be enough if the container has that method. But finding out the Length would be with that Method easier anyway.

@arindamsarkar4813 10 лет назад

Thank you for not dumbing it down! :D

@habdochkeineahnung 8 лет назад

i held a architectural speech about this building here in germany! :) nice to see it again this random.

@pij3333 10 лет назад

Should'nt you link to the XKCD explanation? It's ingenious.

@14thlordofdecay15 10 лет назад

Brilliant as always.

@indiansoftwareengineer4899 6 лет назад

please provide subtitles. best content.

@PontusWelin 10 лет назад

Very informative! Thanks!

@inafusabi 10 лет назад

Comprehensive, this explanation. Thank you

@EddieSundvall 10 лет назад

Very good reminder of how important it is to be defensive about your programming, especially in unsafe languages like C!

@yakacm 7 лет назад

We're not going to give you the link for the exploit, no but you did tell us about it and now all we need to do is search for it and we will find it in 0.45 seconds.

@MrNobody_Music 10 лет назад

Another great video, Where can I get a link to the code that computerphile won't give us , for educational purposes of course

@CaptainMarzz 10 лет назад

Very interesting stuff!

@jerrylittlemars 10 лет назад

Thanks for this! I was wondering how the bug worked

@rg10293 7 месяцев назад

The font is so lovely! Is it comic sans?

@sshort21 10 лет назад

Nice explanation. Well done.

@TomAlderman1978 10 лет назад

Great explanation. Thanks

@nO_d3N1AL 10 лет назад

Great explanation!

@KSITREVS 10 лет назад

Brilliant video, I heard this on the news and wanted to find out how it actually worked

@AJSchultz 9 лет назад

I like the scene with the Ducks.

@porkypine1888 10 лет назад

was waiting for this!!!

@MacShapow 10 лет назад

Crazy bug! What gets me the most is how chronically underfunded OpenSSL apparently was. At least people are pitching in now. Hopefully other important open source projects won't have to go through that.

@TheDoucheChill 10 лет назад

That's a cool looking area! Where was this shot?

@peeedurr 8 лет назад

Made me chuckle - 'and no, we're not going to give you a link to this one ...' BUT we will show you its file name and tell you it's written in Python - just in case you don't know what .py means as a file extension. :-)

@raymondlee1024 8 лет назад

Faked filename, but the spelling mistakes help you zero in on it.

@HackingVision 7 лет назад

Thanks Steven Bagley.

@DrussNL 10 лет назад

Tnx, I wanted more detail on this and now I have it.

@LakkThereof 10 лет назад

not giving a link to malicious code? PARTY POOPER!

@fadetounforgiven 10 лет назад

Yes, because searching for the filename on the screen may be too hard, huh?

@OttoFazzl 6 лет назад

Searching for the filename is only for hackers, not regular users LOL

@Bring_MeSunshine 4 года назад

The uncompiled code is available on Symantec's, Security Focus website. has been for years. Along with a whole lot more. It's what security research is all about

@snbeast9545 4 года назад

Even without searching the filename, it wouldn't be too hard to make considering they showed you how to make a heartbeat packet.

@mcvoid1 10 лет назад

The bracket style is making me twitch. Let the holy war commence.

@first.engineersecond.scien7663 8 лет назад

not a programmer but, that block of code bout unchecked payload seems easy to understand for a programmer. the exploit was there for long time?

@EnigmaV8 10 лет назад

"Heartbleed" sounds like a great title for an anime series.

@gollumondrugs 10 лет назад

Good video, but I am very interested in that Atari Falcon behind his monitor!

@danieljohnmorris 10 лет назад

GREAT video

@garethdean6382 10 лет назад

Nothing beats XKCD's explanation.

@tehatin 4 года назад

Super explanation

@OldFilmCameras 10 лет назад

what was that editor you were using earlier on your mac?

@michaelgeorgoulopoulos8678 10 лет назад

Kudos for the Atari ST sitting in the background!

@kbo206 10 лет назад

Great video although I'm still trying to figure out the purpose of the printed code. Just something to give a visual?

@Aefire1 10 лет назад

Yesterday I said "I wish computerphile would make a heartbleed video." I didn't think it would happen though!

@malcolmforde4969 10 лет назад

Tom Scott also did a great one on his own channel.

@slr150 10 лет назад

The problem is that languages like C with pointer arithmetic allows procedures shoot past array boundaries and read into other parts of the heap.

@j.lo.5784 10 лет назад

Isn't it possible to override the sensitive memory after usage by default? Obviously you will never know if someone reads the systems memory later.

@Roxor128 10 лет назад

Nice! Seeing the bug in action makes the news story way more interesting. TV stations, take note of this!

@SlashCrash_Studios 6 лет назад

Give me the 500 Letters of Tom has a cat: Tom has a cat (other unrelated information)

@Stevo8800 10 лет назад

Great Video!

@MrZmogZ 10 лет назад

Thanks so much for some actual journalism. Everyone else in the media are like "ermahgerd enternet ermergherdon".

@spoonikle 10 лет назад

gezz what took you guys so long.

@samuraika 10 лет назад

Great! Still having an Atari Falcon on the Desk :D

@gbrls_yt 5 лет назад

nice colorscheme, which one is that?

@maqusss 10 лет назад

great video

@okaythen001 10 лет назад

if this heartbleed never happened, do you guys change your password every once awhile? like half year or so, most of the people I know they don't change their passowrd, is it necessary to change it once awhile?

@jorl17 10 лет назад

Brady, could you please keep the camera showing code when it's being discussed? or at not make sudden cuts so often. It breaks focus. Other than that, wonderful video!

@Lealmariana13 9 лет назад

no.

@Maraka77i 10 лет назад

Atari Falcon on your desk! Cool :)

@Sekei.. 10 лет назад

That's one beautiful campus

@mumiemonstret 3 года назад

I assume that the payload is there to let the requester validate the integrity of the reply, but what is the purpose of the padding?

@tobiaswiklund10 10 лет назад

An Atari on your desktop! Respect!

@lordicemaniac 10 лет назад

thank you for explanation, i thought it was more sofisticated bug, but now i see, its just stupid one, just like sql injection where you won't check input from user and just use it

@jorl17 10 лет назад

You'd be surprised by how most bugs come from there. Sometimes, it's not the user but the "evil programmer": Sometimes it's functions in kernel-space not being prepared for evil arguments which make them write where they shouldn't, and these turn out to be used to make root exploits, etc.

@Friek555 10 лет назад

Why do you need the padding? Aren't that 16 bytes that slow down the protocol and cause cost (processing and network) uselessly every single heartbeat?