The Heartbleed vulnerability in OpenSSL is a serious security vulnerability formally identified as CVE-2014-0160 [Heartbleed.com]. OpenSSL is a widely used toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. The cartoon “Heartbleed Explanation” gives a clear picture of how the vulnerability can be exploited [XKCD].
This paper discusses specific tools and techniques that could counter Heartbleed and vulnerabilities like it. I will first briefly examine why many tools and techniques did not find it, since it’s important to understand why many previous techniques didn’t work. I will also briefly cover preconditions, impact reduction, applying these approaches, and conclusions. This paper does not describe how to write secure software in general; for that, see my book Secure Programming for Linux and Unix HOWTO [Wheeler2004] or other such works. This paper presumes you already understand how to develop software.
My goal is to help prevent similar vulnerabilities by helping projects improve how they develop secure software. As the fictional character Mazer Rackham says in Orson Scott Card’s Ender’s Game, “There is no teacher but the enemy... Only the enemy shows you where you are weak.” Let’s learn from this vulnerability how we can avoid similar vulnerabilities in the future.
More here: http://www.dwheeler.com/essays/heartbleed.html