SlideShare a Scribd company logo

A survey on Heap Exploitation

Download as PPTX, PDF
Alireza Karimi
Alireza Karimi

A survey on Heap Exploitation base on Glibc

Science
1 of 53
A survey on Heap Exploitation Base on the glibc heap implementation 1
What we talk about • Introduction • Glibc Heap • Exploitation • RealWorld • Conclusion Table 2
Introduction 3
Memory Heap or Stack that is the question • Memory Space type • Stack • Heap • Heap used to dynamic memory allocation • Heap or stack? 4
Glibc 5
Glibc What is that? • GNU C library • Memory Allocation • malloc() , free() 6
Some definitions 7
First things first • Smallest Allocation • Some overhead for metadata • Metadata store alongside user data • Different structure when freed(Use data section to store some metadata) Chunk 8
• A reserved big chunk at top of the heap • Used to create new chunks when request arrives • Size is 0x21000 TopChunk 9
How manage free chunks? 10
The lists to rule them all • Single list? • Performance issues • Organize them on different lists • 127 list+Fast bins+Tcache bins Bins 11
• 62 list • Chunk size below 1KB • Store same chunk fixed chunk size each • Double linked lists Small Bins 12
• Over 1KB • 63 Lists • Double linked lists • Size is in a range • Need to manually sort • Slower than small bins Large Bins 13
• 1 List for optimization • Merge freed chunk with neighbours or top chunk • Any chunk size • Also ,it can split chunks Unsorted bin 14
• 10 lists, single size • Single link list • Keep chunks alive, not truly free • Chunks does not merge with neighbours • Need flush memory after a while , because , memory become fragmented Fast Bins 15
• Per-Thread • 64 lists • 7 chunks same size each • Added since Glibc-2.26 • Avoid locks and race conditions • First place to search T-cache 16
A place to keep them all • An improvement for heap access • Different threads have different Arenas • So each thread has a separate heap area to allocate chunks • So thread can work simultaneously without need to lock • 2*Number of CPU core in 32-bits • 8*Number of CPU core in 64-bits Arena 17
Put it all together How the heap works? 18
Allocation In a simple algorithm • Allocation from previously freed chunks which organised in the bins 19 Bins
Allocation In a simple algorithm • Allocation from previously freed chunks which organised in the bins • Allocation from top of the heap (Top chunk) 20 Top Chunk Bins
Allocation In a simple algorithm • Allocation from previously freed chunks which organised in the bins • Allocation from top of the heap (Top chunk) • Asking for more memory (MMAP) 21 Top Chunk Bins mmap()
Functions 22
malloc() Where? 1. T-cache bins is first place 2. Fetch corresponding arena and lock it 3. Check the fast bins and fill t-cache at the same time 4. Check the small bins and fill t-cache at the same time 5. Consolidate fast bins (Flush memory , Merge with neighbours , move their consolidated chunks to the unsorted bin) 6. Check unsorted bin , Stop if a suitable chunk found , otherwise ,Move chunk to small/large bins 7. Check large bins 8. Top chunk 9. Call mmap() 23
mmap() I need much more • Large amount of memory • Chunks metadata has a flag for it • Start from 128KB, then, grows to 512KB 24
What happens if the requested size is larger than the Top chunk but smaller than the mmap () threshold? 25
The heap manager move the current top to a bin, then, a new top chunk is allocated 26
calloc() Clean it for me • Zero-out • NO T-cache! 27
free() Do not need anymore • Check mmap flag • Check size (MINSIZE) • Check 16-B alignment • Put it back to corresponding bin 28
Exploitations 29
It is already free • Allocate 3 chunk of data • Release one of them twice • Heap can detect memory corruption if we free same chunk twice in a row • We have to bypass security check by freeing a second chunk in the middle Double Free 30
Return my location • Use a pointer to free chunk to manipulate heap structure • Create a fake chunk wherever we want like stack • Heap has security check on chunk size • Modify the forward pointer of free chunk (UAF) • Remove free chunk from top of list • Next allocation return our forged chunk Forged Chunk 31
Write somewhere • Abuse ‘’bk’’ pointer • We don’t have control over data • We can control location Unsorted bin attack 32
• Write data on a controlled location Large bin attack 33
The houses 34
The Malloc Maleficarum ‘It is for this reason, a small suggestion of impossibility, that I present the Malloc Maleficarum’ 35
The original ones • The house of mind • The house of prime • The house of spirit • The house of force • The house of lore • The house of underground The houses 36
More Real 37
• A simple application to execute some simple command • The goal is login to system • ‘’Login’’ command check the value inside ‘’auth->auth’’ • As we can see , the value of ‘’auth->auth’’ never assign inside the application 38
‘’ I shall either find a way or make one ‘’ 39
The first clue 40
• The ‘’auth’’ object has been freed but , it does not zero out • The pointer to the ‘’auth’’ memory space still available inside application • It is a Use-after-free attack UAF 41
The second clue 42
A heap base function • The strdup() function returns a pointer to a new string which is a duplicate of the string s. Memory for the new string is obtained with malloc(), and can be freed with free(). • This function can used freed chunk inside the heap/bins strdup() 43
Put it all together 44
• Send ‘’auth’’ command , this command allocate a chunk inside the heap • We can see the address of allocated chunk 45 Allocated Free chunks auth
• Send ‘’reset’’ command , this command freeing the ‘’auth’’ • However the pointer is available 46 Allocated Free chunks auth
• Send ‘’service’’ command , This command use heap , as a result , the first freed chunk return by heap manager , in this case ‘’auth’’ • As we can see , both ‘’auth’’ and ‘’service’’ object has the same address 47 Allocated Free chunks auth & service
48 Allocated Free chunks auth & service
Real World 49
CVE-2021-3156 • Super-User-Do • Get root privilege without authorisation • Heap based overflow Sudo 50
Conclusion 51
• We have discussed heap implementation and various types of attacks on heap memory allocation • The heap is a very complex memory that must used carefully • Various patches and optimisations have been implement through years , however, attack is still possible 52
Thank you for your attention 53

Recommended

RecSplit Minimal Perfect Hashing
RecSplit Minimal Perfect HashingRecSplit Minimal Perfect Hashing
RecSplit Minimal Perfect HashingThomas Mueller
 
証明駆動開発のたのしみ@名古屋reject会議
証明駆動開発のたのしみ@名古屋reject会議証明駆動開発のたのしみ@名古屋reject会議
証明駆動開発のたのしみ@名古屋reject会議Hiroki Mizuno
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Angel Boy
 
Network & Filesystem: Doing less cross rings memory copy
Network & Filesystem: Doing less cross rings memory copyNetwork & Filesystem: Doing less cross rings memory copy
Network & Filesystem: Doing less cross rings memory copyScaleway
 
Slide smallfiles
Slide smallfilesSlide smallfiles
Slide smallfilesrledisez
 
Scaling Up Logging and Metrics
Scaling Up Logging and MetricsScaling Up Logging and Metrics
Scaling Up Logging and MetricsRicardo Lourenço
 
Distributed System by Pratik Tambekar
Distributed System by Pratik TambekarDistributed System by Pratik Tambekar
Distributed System by Pratik TambekarPratik Tambekar
 
How choosing the Raft consensus algorithm saved us 3 months of development time
How choosing the Raft consensus algorithm saved us 3 months of development timeHow choosing the Raft consensus algorithm saved us 3 months of development time
How choosing the Raft consensus algorithm saved us 3 months of development timeRobert Wojciechowski
 

Recommended

RecSplit Minimal Perfect Hashing
RecSplit Minimal Perfect HashingRecSplit Minimal Perfect Hashing
RecSplit Minimal Perfect HashingThomas Mueller
 
証明駆動開発のたのしみ@名古屋reject会議
証明駆動開発のたのしみ@名古屋reject会議証明駆動開発のたのしみ@名古屋reject会議
証明駆動開発のたのしみ@名古屋reject会議Hiroki Mizuno
 
Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Windows 10 Nt Heap Exploitation (English version)
Windows 10 Nt Heap Exploitation (English version)Angel Boy
 
Network & Filesystem: Doing less cross rings memory copy
Network & Filesystem: Doing less cross rings memory copyNetwork & Filesystem: Doing less cross rings memory copy
Network & Filesystem: Doing less cross rings memory copyScaleway
 
Slide smallfiles
Slide smallfilesSlide smallfiles
Slide smallfilesrledisez
 
Scaling Up Logging and Metrics
Scaling Up Logging and MetricsScaling Up Logging and Metrics
Scaling Up Logging and MetricsRicardo Lourenço
 
Distributed System by Pratik Tambekar
Distributed System by Pratik TambekarDistributed System by Pratik Tambekar
Distributed System by Pratik TambekarPratik Tambekar
 
How choosing the Raft consensus algorithm saved us 3 months of development time
How choosing the Raft consensus algorithm saved us 3 months of development timeHow choosing the Raft consensus algorithm saved us 3 months of development time
How choosing the Raft consensus algorithm saved us 3 months of development timeRobert Wojciechowski
 
CNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxCNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxSam Bowne
 
.NET Memory Primer
.NET Memory Primer.NET Memory Primer
.NET Memory PrimerMartin Kulov
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
 
Hash Functions FTW
Hash Functions FTWHash Functions FTW
Hash Functions FTWsunnygleason
 
The Directions Pipeline at Mapbox - AWS Meetup Berlin June 2015
The Directions Pipeline at Mapbox - AWS Meetup Berlin June 2015The Directions Pipeline at Mapbox - AWS Meetup Berlin June 2015
The Directions Pipeline at Mapbox - AWS Meetup Berlin June 2015Johan
 
Probabilistic data structures. Part 2. Cardinality
Probabilistic data structures. Part 2. CardinalityProbabilistic data structures. Part 2. Cardinality
Probabilistic data structures. Part 2. CardinalityAndrii Gakhov
 
FOSDEM2015: Live migration for containers is around the corner
FOSDEM2015: Live migration for containers is around the cornerFOSDEM2015: Live migration for containers is around the corner
FOSDEM2015: Live migration for containers is around the cornerAndrey Vagin
 
Memory manament in C
Memory manament in CMemory manament in C
Memory manament in CVu Dang Ngoc
 
Reactive Extensions
Reactive ExtensionsReactive Extensions
Reactive ExtensionsDmitri Nesteruk
 
Checkpoint/restore of containers with CRIU
Checkpoint/restore of containers with CRIUCheckpoint/restore of containers with CRIU
Checkpoint/restore of containers with CRIUOpenVZ
 
15 - Streams
15 - Streams15 - Streams
15 - StreamsThe World of Smalltalk
 
High Performance Systems Without Tears - Scala Days Berlin 2018
High Performance Systems Without Tears - Scala Days Berlin 2018High Performance Systems Without Tears - Scala Days Berlin 2018
High Performance Systems Without Tears - Scala Days Berlin 2018Zahari Dichev
 
Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...
Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...
Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...Fluence Labs
 
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica SarbuOSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica SarbuNETWAYS
 
실시간 인벤트 처리
실시간 인벤트 처리실시간 인벤트 처리
실시간 인벤트 처리Byeongweon Moon
 
Storage Simplified NFS LXC K3S
Storage Simplified NFS LXC K3SStorage Simplified NFS LXC K3S
Storage Simplified NFS LXC K3SShailesh Thakur
 
Cassandra at talkbits
Cassandra at talkbitsCassandra at talkbits
Cassandra at talkbitsMax Alexejev
 
Memory Management & Garbage Collection
Memory Management & Garbage CollectionMemory Management & Garbage Collection
Memory Management & Garbage CollectionAbhishek Sur
 
Everything I Ever Learned About JVM Performance Tuning @Twitter
Everything I Ever Learned About JVM Performance Tuning @TwitterEverything I Ever Learned About JVM Performance Tuning @Twitter
Everything I Ever Learned About JVM Performance Tuning @TwitterAttila Szegedi
 
Bohan pac sec_2016
Bohan pac sec_2016Bohan pac sec_2016
Bohan pac sec_2016PacSecJP
 
4 dynamic memory allocation
4 dynamic memory allocation4 dynamic memory allocation
4 dynamic memory allocationFrijo Francis
 
CNIT 127: Ch 8: Windows overflows (Part 2)
CNIT 127: Ch 8: Windows overflows (Part 2)CNIT 127: Ch 8: Windows overflows (Part 2)
CNIT 127: Ch 8: Windows overflows (Part 2)Sam Bowne
 

More Related Content

What's hot

CNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxCNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxSam Bowne
 
.NET Memory Primer
.NET Memory Primer.NET Memory Primer
.NET Memory PrimerMartin Kulov
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingAngel Boy
 
Hash Functions FTW
Hash Functions FTWHash Functions FTW
Hash Functions FTWsunnygleason
 
The Directions Pipeline at Mapbox - AWS Meetup Berlin June 2015
The Directions Pipeline at Mapbox - AWS Meetup Berlin June 2015The Directions Pipeline at Mapbox - AWS Meetup Berlin June 2015
The Directions Pipeline at Mapbox - AWS Meetup Berlin June 2015Johan
 
Probabilistic data structures. Part 2. Cardinality
Probabilistic data structures. Part 2. CardinalityProbabilistic data structures. Part 2. Cardinality
Probabilistic data structures. Part 2. CardinalityAndrii Gakhov
 
FOSDEM2015: Live migration for containers is around the corner
FOSDEM2015: Live migration for containers is around the cornerFOSDEM2015: Live migration for containers is around the corner
FOSDEM2015: Live migration for containers is around the cornerAndrey Vagin
 
Memory manament in C
Memory manament in CMemory manament in C
Memory manament in CVu Dang Ngoc
 
Checkpoint/restore of containers with CRIU
Checkpoint/restore of containers with CRIUCheckpoint/restore of containers with CRIU
Checkpoint/restore of containers with CRIUOpenVZ
 
High Performance Systems Without Tears - Scala Days Berlin 2018
High Performance Systems Without Tears - Scala Days Berlin 2018High Performance Systems Without Tears - Scala Days Berlin 2018
High Performance Systems Without Tears - Scala Days Berlin 2018Zahari Dichev
 
Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...
Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...
Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...Fluence Labs
 
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica SarbuOSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica SarbuNETWAYS
 
실시간 인벤트 처리
실시간 인벤트 처리실시간 인벤트 처리
실시간 인벤트 처리Byeongweon Moon
 
Storage Simplified NFS LXC K3S
Storage Simplified NFS LXC K3SStorage Simplified NFS LXC K3S
Storage Simplified NFS LXC K3SShailesh Thakur
 
Cassandra at talkbits
Cassandra at talkbitsCassandra at talkbits
Cassandra at talkbitsMax Alexejev
 

What's hot (17)

CNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on LinuxCNIT 127 Ch 2: Stack overflows on Linux
CNIT 127 Ch 2: Stack overflows on Linux
 
.NET Memory Primer
.NET Memory Primer.NET Memory Primer
.NET Memory Primer
 
Linux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend ProgramingLinux Binary Exploitation - Return-oritend Programing
Linux Binary Exploitation - Return-oritend Programing
 
Hash Functions FTW
Hash Functions FTWHash Functions FTW
Hash Functions FTW
 
The Directions Pipeline at Mapbox - AWS Meetup Berlin June 2015
The Directions Pipeline at Mapbox - AWS Meetup Berlin June 2015The Directions Pipeline at Mapbox - AWS Meetup Berlin June 2015
The Directions Pipeline at Mapbox - AWS Meetup Berlin June 2015
 
Probabilistic data structures. Part 2. Cardinality
Probabilistic data structures. Part 2. CardinalityProbabilistic data structures. Part 2. Cardinality
Probabilistic data structures. Part 2. Cardinality
 
FOSDEM2015: Live migration for containers is around the corner
FOSDEM2015: Live migration for containers is around the cornerFOSDEM2015: Live migration for containers is around the corner
FOSDEM2015: Live migration for containers is around the corner
 
Memory manament in C
Memory manament in CMemory manament in C
Memory manament in C
 
Reactive Extensions
Reactive ExtensionsReactive Extensions
Reactive Extensions
 
Checkpoint/restore of containers with CRIU
Checkpoint/restore of containers with CRIUCheckpoint/restore of containers with CRIU
Checkpoint/restore of containers with CRIU
 
15 - Streams
15 - Streams15 - Streams
15 - Streams
 
High Performance Systems Without Tears - Scala Days Berlin 2018
High Performance Systems Without Tears - Scala Days Berlin 2018High Performance Systems Without Tears - Scala Days Berlin 2018
High Performance Systems Without Tears - Scala Days Berlin 2018
 
Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...
Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...
Fast, deterministic, and verifiable computations with WebAssembly. WASM on th...
 
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica SarbuOSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
OSMC 2016 - Monitor your infrastructure with Elastic Beats by Monica Sarbu
 
실시간 인벤트 처리
실시간 인벤트 처리실시간 인벤트 처리
실시간 인벤트 처리
 
Storage Simplified NFS LXC K3S
Storage Simplified NFS LXC K3SStorage Simplified NFS LXC K3S
Storage Simplified NFS LXC K3S
 
Cassandra at talkbits
Cassandra at talkbitsCassandra at talkbits
Cassandra at talkbits
 

Similar to A survey on Heap Exploitation

Memory Management & Garbage Collection
Memory Management & Garbage CollectionMemory Management & Garbage Collection
Memory Management & Garbage CollectionAbhishek Sur
 
Everything I Ever Learned About JVM Performance Tuning @Twitter
Everything I Ever Learned About JVM Performance Tuning @TwitterEverything I Ever Learned About JVM Performance Tuning @Twitter
Everything I Ever Learned About JVM Performance Tuning @TwitterAttila Szegedi
 
Bohan pac sec_2016
Bohan pac sec_2016Bohan pac sec_2016
Bohan pac sec_2016PacSecJP
 
4 dynamic memory allocation
4 dynamic memory allocation4 dynamic memory allocation
4 dynamic memory allocationFrijo Francis
 
CNIT 127: Ch 8: Windows overflows (Part 2)
CNIT 127: Ch 8: Windows overflows (Part 2)CNIT 127: Ch 8: Windows overflows (Part 2)
CNIT 127: Ch 8: Windows overflows (Part 2)Sam Bowne
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on LinuxSam Bowne
 
Computer organization memory hierarchy
Computer organization memory hierarchyComputer organization memory hierarchy
Computer organization memory hierarchyAJAL A J
 
CNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxCNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxSam Bowne
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationAngel Boy
 
Beirut Java User Group JVM presentation
Beirut Java User Group JVM presentationBeirut Java User Group JVM presentation
Beirut Java User Group JVM presentationMahmoud Anouti
 
CNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: ShellcodeCNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: ShellcodeSam Bowne
 
Fabian Hueske – Juggling with Bits and Bytes
Fabian Hueske – Juggling with Bits and BytesFabian Hueske – Juggling with Bits and Bytes
Fabian Hueske – Juggling with Bits and BytesFlink Forward
 
Fast, deterministic, and verifiable computations with WebAssembly
Fast, deterministic, and verifiable computations with WebAssemblyFast, deterministic, and verifiable computations with WebAssembly
Fast, deterministic, and verifiable computations with WebAssemblyFluence Labs
 
CNIT 127: 3: Shellcode
CNIT 127: 3: ShellcodeCNIT 127: 3: Shellcode
CNIT 127: 3: ShellcodeSam Bowne
 
CNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: ShellcodeCNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: ShellcodeSam Bowne
 
It's the memory, stupid! CodeJam 2014
It's the memory, stupid! CodeJam 2014It's the memory, stupid! CodeJam 2014
It's the memory, stupid! CodeJam 2014Francesc Alted
 

Similar to A survey on Heap Exploitation (20)

Memory Management & Garbage Collection
Memory Management & Garbage CollectionMemory Management & Garbage Collection
Memory Management & Garbage Collection
 
Everything I Ever Learned About JVM Performance Tuning @Twitter
Everything I Ever Learned About JVM Performance Tuning @TwitterEverything I Ever Learned About JVM Performance Tuning @Twitter
Everything I Ever Learned About JVM Performance Tuning @Twitter
 
Bohan pac sec_2016
Bohan pac sec_2016Bohan pac sec_2016
Bohan pac sec_2016
 
4 dynamic memory allocation
4 dynamic memory allocation4 dynamic memory allocation
4 dynamic memory allocation
 
CNIT 127: Ch 8: Windows overflows (Part 2)
CNIT 127: Ch 8: Windows overflows (Part 2)CNIT 127: Ch 8: Windows overflows (Part 2)
CNIT 127: Ch 8: Windows overflows (Part 2)
 
127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux127 Ch 2: Stack overflows on Linux
127 Ch 2: Stack overflows on Linux
 
Understanding low latency jvm gcs
Understanding low latency jvm gcsUnderstanding low latency jvm gcs
Understanding low latency jvm gcs
 
GC in C#
GC in C#GC in C#
GC in C#
 
Computer organization memory hierarchy
Computer organization memory hierarchyComputer organization memory hierarchy
Computer organization memory hierarchy
 
CNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on LinuxCNIT 127: Ch 2: Stack overflows on Linux
CNIT 127: Ch 2: Stack overflows on Linux
 
Hoard_2022AIM1001.pptx.pdf
Hoard_2022AIM1001.pptx.pdfHoard_2022AIM1001.pptx.pdf
Hoard_2022AIM1001.pptx.pdf
 
MacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) ExploitationMacOS memory allocator (libmalloc) Exploitation
MacOS memory allocator (libmalloc) Exploitation
 
Beirut Java User Group JVM presentation
Beirut Java User Group JVM presentationBeirut Java User Group JVM presentation
Beirut Java User Group JVM presentation
 
CNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: ShellcodeCNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: Shellcode
 
L6.sp17.pptx
L6.sp17.pptxL6.sp17.pptx
L6.sp17.pptx
 
Fabian Hueske – Juggling with Bits and Bytes
Fabian Hueske – Juggling with Bits and BytesFabian Hueske – Juggling with Bits and Bytes
Fabian Hueske – Juggling with Bits and Bytes
 
Fast, deterministic, and verifiable computations with WebAssembly
Fast, deterministic, and verifiable computations with WebAssemblyFast, deterministic, and verifiable computations with WebAssembly
Fast, deterministic, and verifiable computations with WebAssembly
 
CNIT 127: 3: Shellcode
CNIT 127: 3: ShellcodeCNIT 127: 3: Shellcode
CNIT 127: 3: Shellcode
 
CNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: ShellcodeCNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: Shellcode
 
It's the memory, stupid! CodeJam 2014
It's the memory, stupid! CodeJam 2014It's the memory, stupid! CodeJam 2014
It's the memory, stupid! CodeJam 2014
 

More from Alireza Karimi

Android ransomware detection
Android ransomware detectionAndroid ransomware detection
Android ransomware detectionAlireza Karimi
 
Aclusteringtechniquefornews articlesusingWordNet-AlirezaKarimi
Aclusteringtechniquefornews articlesusingWordNet-AlirezaKarimiAclusteringtechniquefornews articlesusingWordNet-AlirezaKarimi
Aclusteringtechniquefornews articlesusingWordNet-AlirezaKarimiAlireza Karimi
 

More from Alireza Karimi (6)

Android ransomware detection
Android ransomware detectionAndroid ransomware detection
Android ransomware detection
 
Sequence Alignment
Sequence AlignmentSequence Alignment
Sequence Alignment
 
Game Desgin With UDK
Game Desgin With UDKGame Desgin With UDK
Game Desgin With UDK
 
Game Desgin With UDK
Game Desgin With UDKGame Desgin With UDK
Game Desgin With UDK
 
GpuInCloud
GpuInCloudGpuInCloud
GpuInCloud
 
Aclusteringtechniquefornews articlesusingWordNet-AlirezaKarimi
Aclusteringtechniquefornews articlesusingWordNet-AlirezaKarimiAclusteringtechniquefornews articlesusingWordNet-AlirezaKarimi
Aclusteringtechniquefornews articlesusingWordNet-AlirezaKarimi
 

Recently uploaded

A relative description on Sonoporation.pdf
A relative description on Sonoporation.pdfA relative description on Sonoporation.pdf
A relative description on Sonoporation.pdfnehabiju2046
 
Analytical Profile of Coleus Forskohlii | Forskolin .pptx
Analytical Profile of Coleus Forskohlii | Forskolin .pptxAnalytical Profile of Coleus Forskohlii | Forskolin .pptx
Analytical Profile of Coleus Forskohlii | Forskolin .pptxSwapnil Therkar
 
Cultivation of KODO MILLET . made by Ghanshyam pptx
Cultivation of KODO MILLET . made by Ghanshyam pptxCultivation of KODO MILLET . made by Ghanshyam pptx
Cultivation of KODO MILLET . made by Ghanshyam pptxpradhanghanshyam7136
 
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...anilsa9823
 
Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...RohitNehra6
 
Artificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C PArtificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C PPRINCE C P
 
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCRStunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCRDelhi Call girls
 
G9 Science Q4- Week 1-2 Projectile Motion.ppt
G9 Science Q4- Week 1-2 Projectile Motion.pptG9 Science Q4- Week 1-2 Projectile Motion.ppt
G9 Science Q4- Week 1-2 Projectile Motion.pptMAESTRELLAMesa2
 
Natural Polymer Based Nanomaterials
Natural Polymer Based NanomaterialsNatural Polymer Based Nanomaterials
Natural Polymer Based NanomaterialsAArockiyaNisha
 
Call Girls in Munirka Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Munirka Delhi 💯Call Us 🔝8264348440🔝Call Girls in Munirka Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Munirka Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...jana861314
 
Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​ ​Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​ ​kaibalyasahoo82800
 
zoogeography of pakistan.pptx fauna of Pakistan
zoogeography of pakistan.pptx fauna of Pakistanzoogeography of pakistan.pptx fauna of Pakistan
zoogeography of pakistan.pptx fauna of Pakistanzohaibmir069
 
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptxUnlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptxanandsmhk
 
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptx
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptxSOLUBLE PATTERN RECOGNITION RECEPTORS.pptx
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptxkessiyaTpeter
 
Hubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroidsHubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroidsSérgio Sacani
 
GFP in rDNA Technology (Biotechnology).pptx
GFP in rDNA Technology (Biotechnology).pptxGFP in rDNA Technology (Biotechnology).pptx
GFP in rDNA Technology (Biotechnology).pptxAleenaTreesaSaji
 
Scheme-of-Work-Science-Stage-4 cambridge science.docx
Scheme-of-Work-Science-Stage-4 cambridge science.docxScheme-of-Work-Science-Stage-4 cambridge science.docx
Scheme-of-Work-Science-Stage-4 cambridge science.docxyaramohamed343013
 
Is RISC-V ready for HPC workload? Maybe?
Is RISC-V ready for HPC workload? Maybe?Is RISC-V ready for HPC workload? Maybe?
Is RISC-V ready for HPC workload? Maybe?Patrick Diehl
 

Recently uploaded (20)

A relative description on Sonoporation.pdf
A relative description on Sonoporation.pdfA relative description on Sonoporation.pdf
A relative description on Sonoporation.pdf
 
Analytical Profile of Coleus Forskohlii | Forskolin .pptx
Analytical Profile of Coleus Forskohlii | Forskolin .pptxAnalytical Profile of Coleus Forskohlii | Forskolin .pptx
Analytical Profile of Coleus Forskohlii | Forskolin .pptx
 
Cultivation of KODO MILLET . made by Ghanshyam pptx
Cultivation of KODO MILLET . made by Ghanshyam pptxCultivation of KODO MILLET . made by Ghanshyam pptx
Cultivation of KODO MILLET . made by Ghanshyam pptx
 
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
Lucknow 💋 Russian Call Girls Lucknow Finest Escorts Service 8923113531 Availa...
 
Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...Biopesticide (2).pptx .This slides helps to know the different types of biop...
Biopesticide (2).pptx .This slides helps to know the different types of biop...
 
Artificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C PArtificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C P
 
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCRStunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
Stunning ➥8448380779▻ Call Girls In Panchshil Enclave Delhi NCR
 
G9 Science Q4- Week 1-2 Projectile Motion.ppt
G9 Science Q4- Week 1-2 Projectile Motion.pptG9 Science Q4- Week 1-2 Projectile Motion.ppt
G9 Science Q4- Week 1-2 Projectile Motion.ppt
 
Natural Polymer Based Nanomaterials
Natural Polymer Based NanomaterialsNatural Polymer Based Nanomaterials
Natural Polymer Based Nanomaterials
 
Call Girls in Munirka Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Munirka Delhi 💯Call Us 🔝8264348440🔝Call Girls in Munirka Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Munirka Delhi 💯Call Us 🔝8264348440🔝
 
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
Traditional Agroforestry System in India- Shifting Cultivation, Taungya, Home...
 
Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​ ​Nanoparticles synthesis and characterization​ ​
Nanoparticles synthesis and characterization​ ​
 
zoogeography of pakistan.pptx fauna of Pakistan
zoogeography of pakistan.pptx fauna of Pakistanzoogeography of pakistan.pptx fauna of Pakistan
zoogeography of pakistan.pptx fauna of Pakistan
 
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptxUnlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
Unlocking the Potential: Deep dive into ocean of Ceramic Magnets.pptx
 
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptx
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptxSOLUBLE PATTERN RECOGNITION RECEPTORS.pptx
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptx
 
Hubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroidsHubble Asteroid Hunter III. Physical properties of newly found asteroids
Hubble Asteroid Hunter III. Physical properties of newly found asteroids
 
The Philosophy of Science
The Philosophy of ScienceThe Philosophy of Science
The Philosophy of Science
 
GFP in rDNA Technology (Biotechnology).pptx
GFP in rDNA Technology (Biotechnology).pptxGFP in rDNA Technology (Biotechnology).pptx
GFP in rDNA Technology (Biotechnology).pptx
 
Scheme-of-Work-Science-Stage-4 cambridge science.docx
Scheme-of-Work-Science-Stage-4 cambridge science.docxScheme-of-Work-Science-Stage-4 cambridge science.docx
Scheme-of-Work-Science-Stage-4 cambridge science.docx
 
Is RISC-V ready for HPC workload? Maybe?
Is RISC-V ready for HPC workload? Maybe?Is RISC-V ready for HPC workload? Maybe?
Is RISC-V ready for HPC workload? Maybe?
 

A survey on Heap Exploitation

  • 1. A survey on Heap Exploitation Base on the glibc heap implementation 1
  • 2. What we talk about • Introduction • Glibc Heap • Exploitation • RealWorld • Conclusion Table 2
  • 4. Memory Heap or Stack that is the question • Memory Space type • Stack • Heap • Heap used to dynamic memory allocation • Heap or stack? 4
  • 6. Glibc What is that? • GNU C library • Memory Allocation • malloc() , free() 6
  • 8. First things first • Smallest Allocation • Some overhead for metadata • Metadata store alongside user data • Different structure when freed(Use data section to store some metadata) Chunk 8
  • 9. • A reserved big chunk at top of the heap • Used to create new chunks when request arrives • Size is 0x21000 TopChunk 9
  • 10. How manage free chunks? 10
  • 11. The lists to rule them all • Single list? • Performance issues • Organize them on different lists • 127 list+Fast bins+Tcache bins Bins 11
  • 12. • 62 list • Chunk size below 1KB • Store same chunk fixed chunk size each • Double linked lists Small Bins 12
  • 13. • Over 1KB • 63 Lists • Double linked lists • Size is in a range • Need to manually sort • Slower than small bins Large Bins 13
  • 14. • 1 List for optimization • Merge freed chunk with neighbours or top chunk • Any chunk size • Also ,it can split chunks Unsorted bin 14
  • 15. • 10 lists, single size • Single link list • Keep chunks alive, not truly free • Chunks does not merge with neighbours • Need flush memory after a while , because , memory become fragmented Fast Bins 15
  • 16. • Per-Thread • 64 lists • 7 chunks same size each • Added since Glibc-2.26 • Avoid locks and race conditions • First place to search T-cache 16
  • 17. A place to keep them all • An improvement for heap access • Different threads have different Arenas • So each thread has a separate heap area to allocate chunks • So thread can work simultaneously without need to lock • 2*Number of CPU core in 32-bits • 8*Number of CPU core in 64-bits Arena 17
  • 18. Put it all together How the heap works? 18
  • 19. Allocation In a simple algorithm • Allocation from previously freed chunks which organised in the bins 19 Bins
  • 20. Allocation In a simple algorithm • Allocation from previously freed chunks which organised in the bins • Allocation from top of the heap (Top chunk) 20 Top Chunk Bins
  • 21. Allocation In a simple algorithm • Allocation from previously freed chunks which organised in the bins • Allocation from top of the heap (Top chunk) • Asking for more memory (MMAP) 21 Top Chunk Bins mmap()
  • 23. malloc() Where? 1. T-cache bins is first place 2. Fetch corresponding arena and lock it 3. Check the fast bins and fill t-cache at the same time 4. Check the small bins and fill t-cache at the same time 5. Consolidate fast bins (Flush memory , Merge with neighbours , move their consolidated chunks to the unsorted bin) 6. Check unsorted bin , Stop if a suitable chunk found , otherwise ,Move chunk to small/large bins 7. Check large bins 8. Top chunk 9. Call mmap() 23
  • 24. mmap() I need much more • Large amount of memory • Chunks metadata has a flag for it • Start from 128KB, then, grows to 512KB 24
  • 25. What happens if the requested size is larger than the Top chunk but smaller than the mmap () threshold? 25
  • 26. The heap manager move the current top to a bin, then, a new top chunk is allocated 26
  • 27. calloc() Clean it for me • Zero-out • NO T-cache! 27
  • 28. free() Do not need anymore • Check mmap flag • Check size (MINSIZE) • Check 16-B alignment • Put it back to corresponding bin 28
  • 30. It is already free • Allocate 3 chunk of data • Release one of them twice • Heap can detect memory corruption if we free same chunk twice in a row • We have to bypass security check by freeing a second chunk in the middle Double Free 30
  • 31. Return my location • Use a pointer to free chunk to manipulate heap structure • Create a fake chunk wherever we want like stack • Heap has security check on chunk size • Modify the forward pointer of free chunk (UAF) • Remove free chunk from top of list • Next allocation return our forged chunk Forged Chunk 31
  • 32. Write somewhere • Abuse ‘’bk’’ pointer • We don’t have control over data • We can control location Unsorted bin attack 32
  • 33. • Write data on a controlled location Large bin attack 33
  • 35. The Malloc Maleficarum ‘It is for this reason, a small suggestion of impossibility, that I present the Malloc Maleficarum’ 35
  • 36. The original ones • The house of mind • The house of prime • The house of spirit • The house of force • The house of lore • The house of underground The houses 36
  • 38. • A simple application to execute some simple command • The goal is login to system • ‘’Login’’ command check the value inside ‘’auth->auth’’ • As we can see , the value of ‘’auth->auth’’ never assign inside the application 38
  • 39. ‘’ I shall either find a way or make one ‘’ 39
  • 41. • The ‘’auth’’ object has been freed but , it does not zero out • The pointer to the ‘’auth’’ memory space still available inside application • It is a Use-after-free attack UAF 41
  • 43. A heap base function • The strdup() function returns a pointer to a new string which is a duplicate of the string s. Memory for the new string is obtained with malloc(), and can be freed with free(). • This function can used freed chunk inside the heap/bins strdup() 43
  • 44. Put it all together 44
  • 45. • Send ‘’auth’’ command , this command allocate a chunk inside the heap • We can see the address of allocated chunk 45 Allocated Free chunks auth
  • 46. • Send ‘’reset’’ command , this command freeing the ‘’auth’’ • However the pointer is available 46 Allocated Free chunks auth
  • 47. • Send ‘’service’’ command , This command use heap , as a result , the first freed chunk return by heap manager , in this case ‘’auth’’ • As we can see , both ‘’auth’’ and ‘’service’’ object has the same address 47 Allocated Free chunks auth & service
  • 50. CVE-2021-3156 • Super-User-Do • Get root privilege without authorisation • Heap based overflow Sudo 50
  • 52. • We have discussed heap implementation and various types of attacks on heap memory allocation • The heap is a very complex memory that must used carefully • Various patches and optimisations have been implement through years , however, attack is still possible 52
  • 53. Thank you for your attention 53