• DocumentCode
    3588402
  • Title

    Analysis of OpenSSL Heartbleed vulnerability for embedded systems

  • Author

    Ghafoor, Imran ; Jattala, Imran ; Durrani, Shakeel ; Muhammad Tahir, Ch

  • Author_Institution
    Nat. Univ. of Sci. & Technol. (NUST), Islamabad, Pakistan
  • fYear
    2014
  • Firstpage
    314
  • Lastpage
    319
  • Abstract
    The attack of the 'Stuxnet' computer worm on the Iranian nuclear program highlighted the need for cybersecurity for critical infrastructure and embedded systems. Embedded systems are evolving into the Internet-of-Things (IoT), where every device from a light bulb to a medical implant device will be connected over the internet. This connected-world scenario requires secure communication channels to ensure information security. OpenSSL is a de facto standard for secure communication over the internet. The memory bound check failure vulnerability CVE-2014-0160 was discovered in OpenSSL on 07th Feb 2014. The vulnerability is commonly known as the Heartbleed bug, which caused vulnerability in more than 16% of the total webservers. The Heartbleed bug can cause a leakage of 64K bytes of memory in plaintext that may contain security keys, X.509 certificates and user's private data. OpenSSL is also used to secure connected embedded devices. The Heartbleed vulnerability has a greater impact on embedded systems/IoT because the few KBs or MBs of memory of an embedded device can be leaked in a few seconds during a well-crafted Heartbleed attack. This research demonstrates a Heartbleed attack, and develops a patch for the Heartbleed vulnerability. This research proposes an update to RFC-6520 that can be used as a Heartbleed patch for embedded systems. A memory utilization analysis of the developed Heartbleed patch, the new proposed Heartbleed patch & unpatched OpenSSL code is presented for the STM32 Cortex-M4 microcontroller.
  • Keywords
    Internet of Things; embedded systems; microcontrollers; security of data; Heartbleed bug; Internet-of-Things; IoT; Iranian nuclear program; OpenSSL Heartbleed vulnerability; STM32 Cortex-M4 microcontroller; Stuxnet computer attack; cybersecurity; embedded system; information security; memory bound check failure vulnerability; memory utilization analysis; Biomedical monitoring; Google; Heart beat; Microcontrollers; Monitoring; Payloads; Security;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Multi-Topic Conference (INMIC), 2014 IEEE 17th International
  • Print_ISBN
    978-1-4799-5754-5
  • Type

    conf

  • DOI
    10.1109/INMIC.2014.7097358
  • Filename
    7097358