The Heartbleed bug (CVE-2014-0160) is a severe implementation flaw in the
OpenSSL library that enables attackers to steal data
from the memory of the victim server. The contents of the stolen data
depend on what is in the server's memory at the time. It could
potentially contain private keys, TLS session keys, user names,
passwords, credit cards, etc. The vulnerability is in the implementation of
the Heartbeat protocol, which is used by SSL/TLS to keep the connection alive.
The objective of this lab is for students to understand how serious this vulnerability is, how the attack works, and how to fix the problem. The affected OpenSSL version range is from 1.0.1 to 1.0.1f. The version in our Ubuntu VM is 1.0.1.
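The fix comes down to one bounds check: a Heartbeat request carries its own payload-length field, and the responder must discard any request whose claimed length does not fit in the bytes actually received (RFC 6520). The sketch below is an added example, not code from the lab or from OpenSSL; the function names, constants and sample records are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HDR      3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PAD  16  /* minimum padding required by RFC 6520 */

/* Returns the response length, or 0 when the request is silently discarded. */
size_t hb_build_response(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_MIN_PAD)
        return 0;                      /* too short for header + padding */
    if (rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* Core check: the claimed payload must fit in the bytes received. */
    if (HB_HDR + claimed + HB_MIN_PAD > rec_len)
        return 0;
    size_t resp_len = HB_HDR + claimed + HB_MIN_PAD;
    if (resp_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);   /* bounded by rec_len */
    memset(out + HB_HDR + claimed, 0, HB_MIN_PAD); /* real stacks use random padding */
    return resp_len;
}

/* Constructed sample: 2-byte payload "hi" followed by 16 padding bytes. */
size_t demo_wellformed(void)
{
    uint8_t rec[21] = { HB_REQUEST, 0x00, 0x02, 'h', 'i' };
    uint8_t out[64];
    return hb_build_response(rec, sizeof rec, out, sizeof out);
}

/* Constructed sample: claims 0x4000 payload bytes in a 20-byte record. */
size_t demo_overclaimed(void)
{
    uint8_t rec[20] = { HB_REQUEST, 0x40, 0x00, 'A' };
    uint8_t out[64];
    return hb_build_response(rec, sizeof rec, out, sizeof out);
}

int main(void) { return !(demo_wellformed() == 21 && demo_overclaimed() == 0); }
```

Without the core check, the `memcpy` would copy `claimed` bytes regardless of how many the peer actually sent, which is how adjacent server memory ends up in the response.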
The SEED Labs project is open source. If you are interested in contributing to this project, please check out our GitHub page: https://github.com/seed-labs/seed-labs.