8. First things first
• Smallest Allocation
• Some overhead for metadata
• Metadata store alongside user
data
• Different structure when
freed(Use data section to store
some metadata)
Chunk
8
9. • A reserved big chunk at top of
the heap
• Used to create new chunks when
request arrives
• Size is 0x21000
TopChunk
9
11. The lists to rule them all
• Single list?
• Performance issues
• Organize them on different lists
• 127 list+Fast bins+Tcache bins
Bins
11
12. • 62 list
• Chunk size below 1KB
• Store same chunk fixed chunk
size each
• Double linked lists
Small Bins
12
13. • Over 1KB
• 63 Lists
• Double linked lists
• Size is in a range
• Need to manually sort
• Slower than small bins
Large Bins
13
14. • 1 List for optimization
• Merge freed chunk with
neighbours or top chunk
• Any chunk size
• Also ,it can split chunks
Unsorted bin
14
15. • 10 lists, single size
• Single link list
• Keep chunks alive, not truly free
• Chunks does not merge with
neighbours
• Need flush memory after a while ,
because , memory become
fragmented
Fast Bins
15
16. • Per-Thread
• 64 lists
• 7 chunks same size each
• Added since Glibc-2.26
• Avoid locks and race conditions
• First place to search
T-cache
16
17. A place to keep them all
• An improvement for heap access
• Different threads have different Arenas
• So each thread has a separate heap
area to allocate chunks
• So thread can work simultaneously
without need to lock
• 2*Number of CPU core in 32-bits
• 8*Number of CPU core in 64-bits
Arena
17
19. Allocation
In a simple algorithm
• Allocation from previously freed chunks which organised in the bins
19
Bins
20. Allocation
In a simple algorithm
• Allocation from previously freed chunks which organised in the bins
• Allocation from top of the heap (Top chunk)
20
Top Chunk
Bins
21. Allocation
In a simple algorithm
• Allocation from previously freed chunks which organised in the bins
• Allocation from top of the heap (Top chunk)
• Asking for more memory (MMAP)
21
Top Chunk
Bins mmap()
23. malloc()
Where?
1. T-cache bins is first place
2. Fetch corresponding arena and lock it
3. Check the fast bins and fill t-cache at the same time
4. Check the small bins and fill t-cache at the same time
5. Consolidate fast bins (Flush memory , Merge with neighbours , move their consolidated chunks to the unsorted bin)
6. Check unsorted bin , Stop if a suitable chunk found , otherwise ,Move chunk to small/large bins
7. Check large bins
8. Top chunk
9. Call mmap()
23
24. mmap()
I need much more
• Large amount of memory
• Chunks metadata has a flag for it
• Start from 128KB, then, grows to 512KB
24
25. What happens if the requested size is
larger than the Top chunk but smaller than
the mmap () threshold?
25
26. The heap manager move the current top to
a bin, then, a new top chunk is allocated
26
30. It is already free
• Allocate 3 chunk of data
• Release one of them twice
• Heap can detect memory
corruption if we free same chunk
twice in a row
• We have to bypass security
check by freeing a second chunk
in the middle
Double Free
30
31. Return my location
• Use a pointer to free chunk to
manipulate heap structure
• Create a fake chunk wherever we want
like stack
• Heap has security check on chunk size
• Modify the forward pointer of free chunk
(UAF)
• Remove free chunk from top of list
• Next allocation return our forged chunk
Forged Chunk
31
32. Write somewhere
• Abuse ‘’bk’’ pointer
• We don’t have control over data
• We can control location
Unsorted bin attack
32
33. • Write data on a controlled
location
Large bin attack
33
35. The Malloc Maleficarum
‘It is for this reason, a small suggestion of
impossibility, that I present the Malloc
Maleficarum’
35
36. The original ones
• The house of mind
• The house of prime
• The house of spirit
• The house of force
• The house of lore
• The house of underground
The houses
36
38. • A simple application to execute
some simple command
• The goal is login to system
• ‘’Login’’ command check the
value inside ‘’auth->auth’’
• As we can see , the value of
‘’auth->auth’’ never assign inside
the application
38
39. ‘’ I shall either find a way or make one ‘’
39
41. • The ‘’auth’’ object has been freed
but , it does not zero out
• The pointer to the ‘’auth’’ memory
space still available inside
application
• It is a Use-after-free attack
UAF
41
43. A heap base function
• The strdup() function returns a
pointer to a new string which is a
duplicate of the string s. Memory
for the new string is obtained with
malloc(), and can be freed with
free().
• This function can used freed
chunk inside the heap/bins
strdup()
43
45. • Send ‘’auth’’ command , this command allocate a chunk inside the heap
• We can see the address of allocated chunk
45
Allocated Free chunks
auth
46. • Send ‘’reset’’ command , this command freeing the ‘’auth’’
• However the pointer is available
46
Allocated Free chunks
auth
47. • Send ‘’service’’ command , This command use heap , as a result , the first
freed chunk return by heap manager , in this case ‘’auth’’
• As we can see , both ‘’auth’’ and ‘’service’’ object has the same address
47
Allocated Free chunks
auth & service
52. • We have discussed heap implementation and various types of attacks on heap
memory allocation
• The heap is a very complex memory that must used carefully
• Various patches and optimisations have been implement through years ,
however, attack is still possible
52