Robin Seggelmann Dissertation Abstract

The developer who introduced the "Heartbleed" vulnerability to the open-source code used by thousands of websites has told the Guardian it was an "oversight" – but that its discovery validates the methods used.

Robin Seggelmann, a programmer based in Germany, submitted the code in an update submitted at 11:59pm on New Year's Eve, 2011. It was supposed to enable a function called "Heartbeat" in OpenSSL, the software package used by nearly half of all web servers to enable secure connections.

His update did enable Heartbeat, but an "oversight" led to an error with major ramifications. But it accidentally created the "Heartbleed" vulnerability, which has been described as a "catastrophic" flaw which laid the contents of thousands of web servers open to hackers.

It has also been discovered in Cisco and Juniper routing gear, which could mean that hackers could capture sensitive data such as passwords passing over the internet.

Seggelmann worked on the OpenSSL project during his PhD studies, from 2008 to 2012, but isn't involved with the project any more.

He told the Guardian that the mistake has nothing to do with its festive datestamp. "The code… was the work of several weeks. It’s only a coincidence that it was submitted during the holiday season.

"I am responsible for the error," he continued, "because I wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version."

How Heartbleed works

The flaw which actually leaks data in the Heartbleed bug is almost painfully simple.

It relates to a function called Heartbeat which exists in "Transport Layer Security" (TLS), the system used to protect confidential data when surfing the web. Heartbeat is used to keep connections open, even when no data is being shared.

When it works properly, a user's computer sends a Heartbeat packet to the server. The packet simply contains a chunk of random data, and a note saying how much data it's sent; the server receives the packet, and then sends back exactly the same data, confirming that it's listening.

The problem which can be exploited in a Heartbleed attack involves the attacker's computer lying about how much data it has sent: it sends over a single byte of information, but tells the server that it has sent 64KB instead. The server makes a note, and knows that it has to send 64KB back, but doesn't have a full 64KB of data.

What pushes the error into a full-blown catastrophe is that the server then fills the rest of the packet with any other information which its memory at the time.

A computer's memory is where it stores information about the tasks it's working on, and so the data which it pulls into the Heartbleed packet is related to the other queries it's responding to. At Yahoo, that included usernames and passwords of users logging in at the same time; at DuckDuckGo, it was the full text of search queries. The researchers who discovered the bug also say it can include SSL keys, which would let an attacker decrypt conversations captured months before.

Open source

OpenSSL is an open-source project. The software is developed by a small community of engineers, giving their time for little or no reward, and releasing it free of charge to anyone who needs it.

For security software, that model is typically seen as advantageous, because the more people examine a line of code, the more chance there should be of some weakness coming to light. Additionally, it prevents "security by obscurity", whereby the bulk of the protection comes from people not knowing how the security software works – which can result in the whole edifice tumbling down if that confidential information is released or discovered externally.

But the Heartbleed bug apparently managed to go unnoticed for two years. Not only was Seggelmann's error not picked up by the OpenSSL volunteer who incorporated his edits into the codebase, it wasn't spotted by anyone else until this month. Eventually, two separate teams of researchers, from Google and Codenomicon, found it simultaneously.

But Seggelmann defended the process. "I don’t see it as a failure of open source," he said. "On the contrary, the publicly accessible code made it possible that the error has been discovered and published. I can only assume that it took so long because it’s in a new feature which is not widely used and not a conceptual, but a simple programming error."

Instead, Seggelmann blamed the lack of resources that OpenSSL has to work with. "OpenSSL is definitely under-resourced for its wide distribution. It has millions of users but only very few actually contribute to the project."

•Heartbleed bug: what do you actually need to do to stay secure?

robin seggelmann.

thesis

papers

  • SSH Over SCTP -Optimizing a Multi-Channel Protocol by Adapting It to SCTP

    R. Seggelmann, M. Tüxen, E.P. Rathgeb
    Advances in Electronics and Telecommunications
    ISSN: 2081-8580, Vol. 3, No. 5
    December 2013
  • SSH Over SCTP -Optimizing a Multi-Channel Protocol by Adapting It to SCTP

    R. Seggelmann, M. Tüxen, E.P. Rathgeb
    Proceedings of the 8th International Symposium on Communication Systems,Networks and Digital Signal Processing (CSNDSP 2012)
    ISBN: 978-1-4577-1471-9
    Poznan, Poland - July 2012
  • DTLS Mobility

    R. Seggelmann, M. Tüxen, E.P. Rathgeb
    Proceedings of the 13th International Conference on DistributedComputing and Networking (ICDCN 2012)
    ISBN: 978-3-642-25958-6
    Hong Kong, China - January 2012
  • Strategies to Secure End-to-End Communication –And Their Application to SCTP-Based Communication

    R. Seggelmann, M. Tüxen, E.P. Rathgeb
    PIK - Praxis der Informationsverarbeitung und Kommunikation
    ISSN: 1865-8342, Vol. 34, No. 4
    December 2011
  • Datagram Transport Layer Security

    R. Seggelmann
    Proceedings of the 17th LinuxTag 2011
    Berlin, Germany - May 2011
  • Stream Control Transmission Protocol:Past, Current, and Future Standardization Activities

    T. Dreibholz, I. Rüngeler, R. Seggelmann,M. Tüxen, E.P. Rathgeb, R. Stewart
    IEEE Communications Magazine
    ISSN: 0163-6804, Vol. 49, No. 4
    April 2011
  • Transmission Scheduling Optimizationsfor Concurrent Multipath Transfer

    T. Dreibholz, R. Seggelmann, M. Tüxen, E.P. Rathgeb
    Proceedings of the 8th International Workshop on Protocols forFuture, Large-Scale & Diverse Network Transports (PFLDNeT 2010)
    ISSN: 2074-5168, Vol. 8
    Lancaster (PA), USA - November 2010
  • Stream Scheduling Considerations for SCTP

    R. Seggelmann, M. Tüxen, E.P. Rathgeb
    Proceedings of the 18th International Conference on Software,Telecommunications and Computer Networks (SoftCOM 2010)
    ISBN: 978-953-290-004-0
    Split, Croatia - September 2010
  • Design and Implementation of SCTP-aware DTLS

    R. Seggelmann, M. Tüxen, E.P. Rathgeb
    Proceedings of the International Conference onTelecommunication and Multimedia (TEMU 2010)
    ISBN: 978-960-8878-59-4
    Chania (Crete), Greece - July 2010
  • Parallelizing OMNeT++ Simulations using Xgrid

    R. Seggelmann, I. Rüngeler, M. Tüxen, E.P. Rathgeb
    Proceedings of the 2nd International Conference onSimulation Tools and Techniques (Simutools 2009)
    ISBN: 978-963-9799-45-5
    Rome, Italy - March 2009

standardization

  • Stream Schedulers and User Message Interleavingfor the Stream Control Transmission Protocol

    R. Stewart, M. Tüxen, S. Loreto, R. Seggelmann
    RFC 8260
    October 2017
  • Additional Policies for the Partially ReliableStream Control Transmission Protocol Extension

    M. Tüxen, R. Seggelmann, R. Stewart, S. Loreto
    RFC 7496
    April 2015
  • Transport Layer Security (TLS) andDatagram Transport Layer Security (DTLS) Heartbeat Extension

    R. Seggelmann, M. Tüxen, M. Williams
    RFC 6520
    February 2012
  • Datagram Transport Layer Security (DTLS)for Stream Control Transmission Protocol (SCTP)

    M. Tüxen, R. Seggelmann, E. Rescorla
    RFC 6083
    December 2010

talks

  • Mitmachen bei Open Source!

    Chaos Computer Club Stuttgart
    October 9th 2014 in Stuttgart, Germany
  • Secure PLM Findability

    Global Product Data Interoperability Summit (GPDIS) 2014
    September 10th 2014 in Phoenix (AZ), USA
  • Securing Real-Time Communication between Web Browsers

    6. Essener Workshop zur Netzsicherheit (EWNS 2012)
    March 30th 2012 in Essen, Germany
  • Datagram Transport Layer Security

    LinuxTag 2011
    May 13th 2011 in Berlin, Germany
  • Secure Shell over SCTP

    5. Essener Workshop zur Netzsicherheit (EWNS 2011)
    April 14th 2011 in Essen, Germany
  • DTLS Mobility

    4. Essener Workshop zur Netzsicherheit (EWNS 2010)
    April 16th 2010 in Essen, Germany
  • A Structural Analysis of Cell Phone Attitudes and Usage Patterns

    International Sunbelt Social Network Conference XXVI
    April 28th 2006 in Vancouver, Canada

One thought on “Robin Seggelmann Dissertation Abstract

Leave a Reply

Your email address will not be published. Required fields are marked *