Heartbleed, Running the Code - Computerphile

Views: 459,664

Computerphile

10 years ago

We look at and run the code that exploits the Heartbleed bug. Dr. Steven Bagley takes us through the code and shows us how it works.
Relevant RFC Document: bit.ly/heartbleed-rfc
This video was filmed and edited by Sean Riley.
Computer Science at the University of Nottingham: bit.ly/nottscomputer
Computerphile is a sister project to Brady Haran's Numberphile. See the full list of Brady's video projects at: bit.ly/bradychannels

Comments: 387
@LittleVolii 4 years ago
"Let's move into the office" gotta show this b-roll of ducks first
@jochemvanl 10 years ago
Great video. XKCD has a nice comic briefly explaining what the bug is (great for your non-tech friends), but this video goes just a little further in explaining how it works.
@cypher9000 3 years ago
From a programmer's perspective it's astounding that the memcpy part of the code was peer reviewed and passed all the checks without anyone thinking "But what if someone sends a length that is greater than the actual payload?". Also whoever wrote that file needs to read up about variable naming. bp, lp, p, etc. Jeez. Great video though, thanks for uploading!
@patrickconrad396 1 year ago
I'm not like a pro yet, but from my experience some complex or more secure apps do have variables named like this. Idk, I'd guess it's security over readability maybe? And I'll say it's always easier to understand a vulnerability after they happen rather than before. Seems so simple to us, but who knows what they were thinking. Or maybe the complexity with the variables actually caused the issue lol
@mutzikatzi1 1 year ago
@@patrickconrad396 Security by obscurity isn't really security. It's probably because for people who write this kind of code, it's kinda obvious: p = pointer, bp = buffer pointer, pl = payload length. But I also don't like those short names.
@joseguillermo1790 1 year ago
@@mutzikatzi1 Totally agree
@raglandasir6885 1 year ago
Yes. We are never supposed to trust the client
@Doc_Fartens 10 years ago
Fantastic work as always. Nice clear explanation of a fairly important subject.
@thesecondislander 10 years ago
I'm not a programmer, but I can see how coding something which essentially completely trusts the data sent by the client to fit a format without validating it is a bad idea...
@ZweiSpeedruns 10 years ago
I found that to be the case in most of the web. This is why MySpace worms break out. With all websites trusting each other, you can do SQL injection and XSS.
@atheistpariah 10 years ago
You are, indeed, correct. It is always best practice to check if an email field fits the pattern *@*.* or that a password field is at least 6 characters in length or, if you're accessing a database, that your table variable has greater than 0 rows. Not only does it prevent unforeseen error messages, it prevents an exploit such as this.
@googlepask7551 10 years ago
I, as a programmer, am deeply baffled how one could make such an error. The level of absolute incompetence is just staggering (programmer/s + QA). It is not even hidden under layers of other code! No validation of external data in security critical code!? Amazing.
@Celrador 10 years ago
You are completely right, but as a programmer I want at least to explain how bugs like this can occur: if you are writing several thousand lines of code, it is rather likely to forget the checking processes for the data at one point or another. And it's even more likely for something like this to happen if you are coding protocols. (As network protocols usually need to be as performance-efficient as can be, and therefore you try to accomplish your goal in general with as few lines of code as possible.)
@compscijedi 10 years ago
This is literally the first lesson we learned in computer science classes beyond the basic "Intro to Programming" course; namely, don't trust the end-user. Assume they are either 1) a complete idiot who won't use the software correctly or 2) a malicious user who will exploit your program if possible. NEVER EVER trust data sent from a user without performing sanity checks and validating it.
@publicsafetydan 10 years ago
Very good explanation! I have seen lots of people try to explain this, and this is by far the easiest to understand for someone unfamiliar with SSL or C
@AndersEvenrud 10 years ago
I would really love to see more code reviews here. This is great stuff!
@figloalds 9 years ago
I hope nowadays C programmers have learned to create understandable names for functions and members :|
@jwenting 9 years ago
You mean lpfstrHW doesn't tell you anything? ;)
@murch2 8 years ago
Ip from string ...hardware?
@sk8rkid135 8 years ago
+Felype Rennan Nope.
@figloalds 8 years ago
I agree that Java can't contain C code, but C# allows for unsafe native code, yes, usage of native libraries, and there is C++/CLI as well. And naming conventions: they could name things well in the C standard libraries, like Pascal guys used to do, but they just chose not to.
@samstromsw 8 years ago
+CaptainDuckman Hungarian Notation, the idea is that you include the type of every variable in its name. It makes it more obvious if you are using the wrong type.
@Borednesss 10 years ago
I had no idea what this was about until 7 minutes in lol
@ScottLahteine 10 years ago
An excellent look at Heartbleed and the nature of security bugs in general.
@agbook2007 10 years ago
Well explained, Computerphile! Best video of your channel! Keep them coming!
@valkin07 10 years ago
One of your best videos yet Brady
@luisgbm 10 years ago
Fantastic video, thanks Dr. Bagley and Computerphile!
@goeiecool9999 10 years ago
Make a video about multi-core CPUs and the benefit of 64-bit architectures. I realized that 8-bit was enough for instruction sets back in the day, so what do we do with the 56 extra bits? Then I realized maybe it's for sending multiple instructions at once per processor core. So yeah, videos about processor architectures.
@FahadAyaz 10 years ago
A good explanation of the "heartbeat bug" and why it's so dangerous. I'm surprised that it lasted in the wild so long!
@subbuktek 10 years ago
Beautiful. Thanks. We need more videos from this gentleman.
@kevinnio 10 years ago
The best explanation of Heartbleed I've found. Thank you very much!
@haarmegiddo 10 years ago
Best computerphile video to this date
@h3r3t1c 10 years ago
Great explanation of the heartbleed bug!
@SanyaIVLitvyak 10 years ago
Thanks, very interesting to see an explanation of the code!
@melkon2103 10 years ago
Great video, always amazing to see the exploits being exploited in action ;)
@PvtHaggard 10 years ago
Great explanation.. Clears it all up for me.. Thanks
@Artifactorfiction 10 years ago
Amazing how this wasn't spotted much earlier
@ghostandgoblins 10 years ago
CelmorSmith I believe it was purposely put in there at the behest of a government agency. It seems like a very obvious mistake. This is a first year university level logic mistake. Like a situation where the lecturer makes very elementary flaws in the code and students are given 15 min to correct it. As another poster mentioned, not being someone from a programming background, even he could see the inherent logic flaw. That is, trusting data sent WITHOUT VERIFYING IT. This is utterly unheard of in any programming practice. So for this to have escaped professionals designing security... is highly suspect to say the least. I think you have to include more people than we think into the "bad guys" group unfortunately. Some of those who run forces are the same who burn crosses ~ RATM
@rlamacraft 10 years ago
It has been known about for years; as with lots of bugs, academics and industry experts are aware of many of these, but it is simply too costly or not seen as worth fixing unless there is a known or presumed risk. You must remember that the majority of the population are extremely lazy and uneducated in the ways that computers work, and really that is how security is maintained.
@jirkav 10 years ago
Thank you for explaining, very interesting stuff and great video!
@weemist 10 years ago
This is disturbingly easy. How could it have gone unnoticed for such a long time?
@ThomasGiles 10 years ago
Tom did a great job of explaining this, I feel. But I guess some people are looking for more detailed stuff. Crazy how bugs like this are still getting through...
@matbroomfield 10 years ago
Despicable that bugs like this are getting through in the very part of the system designed to be extra secure.
@SamuraiGuevara 10 years ago
That was really informative and excellently explained!
@StrikevonNice 10 years ago
Thanks for explaining this. I looked at some of the code to test for the Heartbleed bug, but not knowing the server side code meant I was unsure why this happened. Nice clear explanation, and maybe we could have a video on networks and network protocols. By networks I mean like Tor etc. and not just here is a star network and here is a bus network etc.
@shtfgear 10 years ago
Great explanation of Heartbleed.
@dasten123 10 years ago
Great explanation, didn't expect it to be that good :)
@LeviG 10 years ago
Nice video. Great explanation.
@unfa00 3 years ago
Learning how Heartbleed makes the server send in random memory contents made me laugh so hard...
@AntivirusRatings 10 years ago
Absolutely loved your explanation.
@coopergore2884 8 years ago
Dr. Bagley's shirts are fly as shit.
@user-xj9kx8wq1r 4 months ago
Thank you for that explanation. Helped me a lot.
@TheBertjeT 10 years ago
Wow, I get it now! Great explanation!
@LdaHashZero 8 years ago
Another reason to always memset any temporary buffers in memory containing passwords/keys after you're finished using them. This includes local function variables allocated on the stack before you return.
@cjxordi 6 years ago
How many processor cycles would it take, when you do that to every variable in your code?
@14thlordofdecay15 10 years ago
Brilliant as always.
@habdochkeineahnung 8 years ago
I held an architectural speech about this building here in Germany! :) Nice to see it again this randomly.
@whiterottenrabbit 10 years ago
This reminds me thematically of the RSA bug half a year ago... What I still don't understand with the Heartbleed bug, though, is why it is necessary to tell the server how long the message is. Can't it determine the length of the message on the basis of the message itself? I mean, C has been used for high-precision scientific computations in applied mathematics for decades, but it can't count how many bytes a message has? ò.Ô
@natnew32 5 years ago
Strings don't have a length parameter.
@masonhunter2748 3 years ago
Say the next 6 letters: Badeth haha Would be the same as Say this: Badeth
@karlosdaniel6537 2 years ago
@@natnew32 Yes, and string isn't even a data type in C, they're just an array of characters.
@williamdrum9899 2 years ago
Short answer: No. Long answer: The computer has no way of telling where an arbitrary sequence ends, unless it uses some sort of terminator value or a predefined size placed in front of the sequence.
@cantinasongband 2 years ago
Clearly there is a way to tell the actual size of the payload, since it was needed to apply the patch. The entire issue was caused because the code didn't check if the actual length of the payload matches the integer value provided by the client.
@nija323 10 years ago
Great explanation of the Heartbleed bug.
@sean3533 10 years ago
Where was the opening filmed? It's beautiful.
@Computerphile 10 years ago
That's the University of Nottingham Jubilee Campus, home to their Computer Science building :) >Sean
@sean3533 10 years ago
Thanks Brady, I'll have to check out that campus!
@peeedurr 8 years ago
+Sean Haggard Looks a lot like York's new place. Very similar to Nott's obviously.
@DFX2KX 10 years ago
Interesting. Nice to see why there was so much noise about this online. Part of me wants to face-palm at this, but it's really quite a simple mistake to make.
@LakkThereof 10 years ago
Not giving a link to malicious code? PARTY POOPER!
@fadetounforgiven 10 years ago
Yes, because searching for the filename on the screen may be too hard, huh?
@OttoFazzl 6 years ago
Searching for the filename is only for hackers, not regular users LOL
@Bring_MeSunshine 4 years ago
The uncompiled code is available on Symantec's Security Focus website; it has been for years, along with a whole lot more. It's what security research is all about.
@snbeast9545 4 years ago
Even without searching the filename, it wouldn't be too hard to make considering they showed you how to make a heartbeat packet.
@arindamsarkar4813 10 years ago
Thank you for not dumbing it down! :D
@OmegaCraftable 10 years ago
Thanks for the info :)
@KilloZapit 10 years ago
I never even heard of this bug before. Funny thing is, I saw the bug before he described it. See, this is why I would be really reluctant to make code that messes around with memory like that in security. It's amazingly easy to mess it up when you don't have type protection. But I guess it's pretty easy to mess up even if you do sometimes.
@frostfang83 10 years ago
Very nice look at how it works
@henrikwannheden7114 10 years ago
Ooooh! Very nice Ataris in the background! Cool! :D
@EddieSundvall 10 years ago
Very good reminder of how important it is to be defensive about your programming, especially in unsafe languages like C!
@CaptainMarzz 10 years ago
Very interesting stuff!
@inafusabi 10 years ago
Comprehensive, this explanation. Thank you
@PontusWelin 10 years ago
Very informative! Thanks!
@jerrylittlemars 10 years ago
Thanks for this! I was wondering how the bug worked
@nO_d3N1AL 10 years ago
Great explanation!
@yakacm 7 years ago
We're not going to give you the link for the exploit, no, but you did tell us about it and now all we need to do is search for it and we will find it in 0.45 seconds.
@pij3333 10 years ago
Shouldn't you link to the XKCD explanation? It's ingenious.
@indiansoftwareengineer4899 6 years ago
Please provide subtitles. Best content.
@TomAlderman1978 10 years ago
Great explanation. Thanks
@TheDoucheChill 10 years ago
That's a cool looking area! Where was this shot?
@sshort21 10 years ago
Nice explanation. Well done.
@DrenImeraj 10 years ago
How did this pass testing? Giving a different payload size than the real one is something very basic, it's so weird it sounds intentional. AWESOME video by the way, thank you!
@AV1461 10 years ago
Really good. Thank you. I'd love to see the fix, the checks they added at 7:15. Or at least what type of things can be done.
@CelmorSmith 10 years ago
Checking if the payload is the length specified by the user would suffice. Sth. like "if(payloadLength == payload.Length)" (but I'm not a C programmer) would be enough if the container has that method. But finding out the length would be easier with that method anyway.
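The bounds check the two comments above ask about, as an added example in C that is not the commenters' code or OpenSSL's: a handler for the RFC 6520 heartbeat layout (1-byte type, 2-byte payload_length, payload, 16 bytes of padding) that copies the payload only when 1 + 2 + payload_length + 16 fits inside the record that actually arrived, plus a helper that reports how many bytes an unchecked memcpy would have read past that record. The constants, function names and sample records are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message: 1-byte type, 2-byte big-endian
 * payload_length, the payload, then at least 16 bytes of padding.
 * rec_len is what actually arrived; payload_length is the peer's claim. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_MAX_RESP  (1 + 2 + 0xFFFF + HB_PADDING)

/* Constructed sample records (not captured traffic), 22 bytes each;
 * the unlisted trailing bytes are zero and stand in for the padding. */
static const unsigned char GOOD_REC[22] = { HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c' };
static const unsigned char EVIL_REC[22] = { HB_REQUEST, 0xFF, 0xFF, 'a', 'b', 'c' }; /* claims 65535 */

/* How many bytes an unchecked handler would read past the end of the
 * record for this request, i.e. the data Heartbleed leaks (0 = none). */
size_t heartbeat_overread(const unsigned char *rec, size_t rec_len)
{
    if (rec_len < 3) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    return 3 + payload > rec_len ? 3 + payload - rec_len : 0;
}

/* Patched-style handler: build the response only when the declared
 * payload plus header and padding fits inside the received record.
 * Returns the response length, or 0 when the request is dropped. */
size_t heartbeat_response(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* n2s() in OpenSSL */
    /* The check Heartbleed lacked: bound the copy by rec_len, not the claim. */
    if (1 + 2 + payload + HB_PADDING > rec_len) return 0;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xFF);
    memcpy(out + 3, rec + 3, payload);        /* now provably inside rec */
    memset(out + 3 + payload, 0, HB_PADDING); /* real code uses random padding */
    return resp_len;
}

/* Run the handler on rec with a scratch buffer: returns the response length
 * when the echoed payload matches the request, 0 if dropped, -1 on mismatch. */
long respond_and_verify(const unsigned char *rec, size_t rec_len)
{
    static unsigned char buf[HB_MAX_RESP];
    size_t n = heartbeat_response(rec, rec_len, buf, sizeof buf);
    if (n == 0) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    return (buf[0] == HB_RESPONSE && memcmp(buf + 3, rec + 3, payload) == 0) ? (long)n : -1;
}

int main(void)
{
    printf("good: response %ld bytes, over-read %zu\n",
           respond_and_verify(GOOD_REC, sizeof GOOD_REC), heartbeat_overread(GOOD_REC, sizeof GOOD_REC));
    printf("evil: response %ld bytes, over-read %zu\n",
           respond_and_verify(EVIL_REC, sizeof EVIL_REC), heartbeat_overread(EVIL_REC, sizeof EVIL_REC));
    return 0;
}
```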
@HackingVision 7 years ago
Thanks Steven Bagley.
@DrussNL 10 years ago
Tnx, I wanted more detail on this and now I have it.
@MrNobody_Music 10 years ago
Another great video. Where can I get a link to the code that Computerphile won't give us, for educational purposes of course?
@rg10293 7 months ago
The font is so lovely! Is it comic sans?
@KSITREVS 10 years ago
Brilliant video, I heard this on the news and wanted to find out how it actually worked
@AJSchultz 9 years ago
I like the scene with the Ducks.
@EnigmaV8 10 years ago
"Heartbleed" sounds like a great title for an anime series.
@mcvoid1 10 years ago
The bracket style is making me twitch. Let the holy war commence.
@MrZmogZ 10 years ago
Thanks so much for some actual journalism. Everyone else in the media are like "ermahgerd enternet ermergherdon".
@MacShapow 10 years ago
Crazy bug! What gets me the most is how chronically underfunded OpenSSL apparently was. At least people are pitching in now. Hopefully other important open source projects won't have to go through that.
@peeedurr 8 years ago
Made me chuckle - 'and no, we're not going to give you a link to this one ...' BUT we will show you its file name and tell you it's written in Python - just in case you don't know what .py means as a file extension. :-)
@raymondlee1024 8 years ago
Faked filename, but the spelling mistakes help you zero in on it.
@SlashCrash_Studios 6 years ago
Give me the 500 Letters of Tom has a cat: Tom has a cat (other unrelated information)
@danieljohnmorris 10 years ago
GREAT video
@porkypine1888 10 years ago
Was waiting for this!!!
@spoonikle 10 years ago
Geez, what took you guys so long.
@Stevo8800 10 years ago
Great Video!
@garethdean6382 10 years ago
Nothing beats XKCD's explanation.
@Aefire1 10 years ago
Yesterday I said "I wish computerphile would make a heartbleed video." I didn't think it would happen though!
@malcolmforde4969 10 years ago
Tom Scott also did a great one on his own channel.
@tehatin 4 years ago
Super explanation
@gollumondrugs 10 years ago
Good video, but I am very interested in that Atari Falcon behind his monitor!
@michaelgeorgoulopoulos8678 10 years ago
Kudos for the Atari ST sitting in the background!
@maqusss 10 years ago
Great video
@AbdelhadiE 10 years ago
How did I end up watching this..... I have no idea what he was talking about lol
@idm0nkey2pt0 10 years ago
It helps to pay attention.
@OldFilmCameras 10 years ago
What was that editor you were using earlier on your Mac?
@Sekei.. 10 years ago
That's one beautiful campus
@joeltoms 10 years ago
Thank you.. this was interesting
@lylefaraday4691 10 years ago
This is more serious than I thought
@Roxor128 10 years ago
Nice! Seeing the bug in action makes the news story way more interesting. TV stations, take note of this!
@slr150 10 years ago
The problem is that languages like C with pointer arithmetic allow procedures to shoot past array boundaries and read into other parts of the heap.
@Anamnesia 10 years ago
XKCD 1354: explains it REALLY simply...
@obamaslilbro 10 years ago
Are those floppies? Good god, I haven't seen one in years.
@first.engineersecond.scien7663 8 years ago
Not a programmer, but that block of code about the unchecked payload seems easy to understand for a programmer. The exploit was there for a long time?
@ericnyamu3599 10 years ago
OMG. That's a goldmine.
@samuraika 10 years ago
Great! Still having an Atari Falcon on the desk :D
@krissyofarrell9491 10 years ago
Thank you - great video :)
@erikito6092 10 years ago
My father was telling me that the company he worked for knew about this bug for several years but they only fixed it now when it was discovered by hackers.
@TheThunderSpirit 7 years ago
Accessing other RAMs over the Internet is awesome.
@tobiaswiklund10 10 years ago
An Atari on your desktop! Respect!