计算机工程与应用 ›› 2016, Vol. 52 ›› Issue (9): 88-95.

• 网络、通信与安全 • 上一篇    下一篇

OpenSSL HeartBleed漏洞分析及检测技术研究

强小辉,陈  波,陈国凯   

  1. 南京师范大学 计算机科学与技术学院,南京 210023
  • 出版日期:2016-05-01 发布日期:2016-05-16

Analysis and detection for HeartBleed vulnerability of OpenSSL

QIANG Xiaohui, CHEN Bo, CHEN Guokai   

  1. School of Computer Science, Nanjing Normal University, Nanjing 210023, China
  • Online:2016-05-01 Published:2016-05-16

摘要: HeartBleed漏洞是一个严重的安全漏洞。分析了OpenSSL中心跳机制的源代码,在代码层次总结了HeartBleed漏洞产生的原因。采用Python语言实现了漏洞检测脚本工具,通过发送心跳信息长度与长度字段不一致的心跳数据包,并根据响应数据包的类型和响应数据的长度,判断目标是否存在HeartBleed漏洞。针对应用OpenSSL的Web网站以及网络服务的服务器进行了检测实验。与已有检测工具的比较实验表明,实现的检测脚本工具检测范围广,检测时间快,正确率高,可以有效完成HeartBleed漏洞的检测工作。

关键词: 安全套接层协议(SSL), OpenSSL, HeartBleed漏洞, 漏洞检测, 软件安全开发

Abstract: HeartBleed is a critical security vulnerability. The source code of HeartBeat in OpenSSL is analyzed and the cause of HeartBleed vulnerability is summarized. Then using Python, the vulnerability detection script tool is accomplished. The tool sends heartbeat packet whose data’s length is inconsistent with the value of length field. According to the values of type field and length field in response packet, the tool determines whether the target has HeartBleed vulnerability. The experiments which use this tool to detect Web websites and Web services applying OpenSSL are achieved. Compared with other detection tools for HeartBleed, the proposed detection tool has a wild detection range, rapid detection time and high accuracy rate. The tool can work effectively for HeartBleed vulnerability detection.

Key words: Secure Sockets Layer(SSL) security protocol, OpenSSL, HeartBleed vulnerability, vulnerability detection, security development of software