Analysis of heartbleed vulnerability in openssl implementation for embedded systems

Abstract

Attack of “Stuxnet” on Iranian Nuclear Program highlighted the need of Cyber-security and Information Security for Embedded Systems. Information security protocols and standards were originally developed for standard PCs, whereas embedded systems are designed with limited memory and computing resources. Therefore tailored-down versions of information security protocols were deployed for embedded communication security. Embedded systems are now-a-days required to communicate over the internet. Secure socket layer (SSL) or Transport layer security (TLS) provides secure communication channels. Internet-of-Things (IoT) regime, where virtually every device will be connected and communicating over the internet will be using primarily SSL/TLS to secure communications. OpenSSL is an open source implementation of SSL/TLS protocol widely used to secure online communications. OpenSSL is prone to security vulnerabilities with ‘Heartbleed’ being the latest. The prime focus of this research is a detailed Analysis of Heartbleed bug found in OpenSSL also referred as CVE-2014-0160. It was investigated that Heartbleed originated from the introduction of Heartbeat functionality into the Feb-2010 release of OpenSSL. A simple memory length check failure on Heartbeat request can cause server to return up to 64K bytes of memory that might contain sensitive information. The patch to the Heartbleed bug is the implementation of this memory checking mechanism. Patch for OpenSSL was implemented and was found to be safe from Heartbleed attack. OpenSSL has been implemented on STM32 microcontroller to secure embedded devices communication. Heartbleed bug was observed and the system was found to be vulnerable. The vulnerability was tested again after implementing a suggested patch on OpenSSL. The patched version of OpenSSL was found to be secure from Heartbleed bug. The research recommends measures to secure the device after patching for Heartbleed. Recommended future work on this topic is to investigate/analyze patched version of OpenSSL for heartbeat type potential vulnerabilities.