007 - Heartbleed bug
“Heartbleed” is the name given to a bug in the popular OpenSSL cryptographic software library that created a serious vulnerability which allowed attackers to read memory from otherwise secure servers.
The bug was introduced into the software in 2012 and the vulnerability was publicly disclosed in April 2014. According to heartbleed.com, testing the vulnerability on their own services allowed stealing of certificate keys, user names and passwords, instant messages, emails and business critical documents and communication.
“Heartbleed” explanation
The bug allowed the attacker to perform a buffer over-read, a situation where more data can be read than should be allowed.
A visual explanation of this is provided in xkcd #1354.
Snippet explanation
The three lines of code above are the core of the bug: memcpy is a function used to copy a given number of bytes from one memory location to another.
The number of bytes given is specified in the variable payload, which is in this case provided by the user. This allows the attacker to request any number of bytes from the server, which are then copied and returned in the response.
More information
For more information, see: