It turns out that Heartbleed was similar to the initial (and subsequent) iPhone cracks (not in the screen). Code injection via unbounded memory area buffer overrun -- the idea is to lie to your code (often by making it crash) so that it believes the cracker should have access to more (usually rather naked) memory. At this point they can either reap what confidential information is in that area (if any) or they can use the access to this memory to push their own program if they are able to reach locations that deep in your code (which looks a lot like DOS and I dont mean the operating system) because they keep pumping while your routines will accept (the injection). The popular Open Source version of the Secure Sockets Layer didnt check to see whether the supplied buffer length were truthful, so attackers could spoof with a big number and scan the private memory for confidential data.
Posted on: Thu, 24 Apr 2014 11:09:37 +0000
Trending Topics
Recently Viewed Topics
© 2015