SlideShare a Scribd company logo
CODE BLUE 2016.10.20
@st4g3r
Hiroki MATSUKUMA
(@st4g3r)
Newbie Pentester
 Cyber Defense Institute, Inc.
CTF Player
 TokyoWesterns
My interests include
 Exploitation
 Glibc malloc (currently)
$whoami
tl;dr
Heap Exploitation(x64 Linux/Glibc malloc)
What's "House of Einherjar" ?
 This is a new heap exploitation technique that forces
glibc malloc() to return a nearly-arbitrary address.
 User is ordinarily able to read/write to the address
returned by malloc().
 The concept is abusing consolidating chunks to
prevent from the fragmentation.
 Off-by-one Overflow on well-sized chunk leads both control
of prev_size and PREV_INUSE bit of the next chunk.
Proof of Concept
 http://ux.nu/6Rv6h
Overview
Glibc malloc
 Chunk
 Bin
 Consolidating Chunks
House of Einherjar
 Flaw / Flow
 Demo
 Evaluation
 Countermeasures
"struct malloc_chunk"
 A memory block joins free list after being free()'ed.
 free()'ed block is treated as "struct malloc_chunk".
 The size of a chunk is aligned on SIZE_SZ*2 bytes.
(prev_size)
size
fd
bk
(not used)
(prev_size)
size
data
+
pads
SIZE_SZ
=8byte
User's
space
(a) in-used (b) free
Fig. 1 struct malloc_chunk
Shared with
previous chunk
Glibc malloc Chunk
TYPE NAME DESCRIPTION
INTERNAL_SIZE_T prev_size Size of previously contigous chunk (shared)
INTERNAL_SIZE_T size Size of itself and its current status
struct malloc_chunk *fd Pointer to forwardly linked chunk (free list).
struct malloc_chunk *bk Pointer to backwardly linked chunk (free list).
Glibc malloc Chunk
Table 1: struct malloc_chunk
"struct malloc_chunk"
 A memory block joins free list after being free()'ed.
 It is ordinarily treated as "struct malloc_chunk".
 The size of a chunk is aligned on SIZE_SZ*2 bytes.
(prev_size)
size
fd
bk
(not used)
(prev_size)
size
data
+
pads
SIZE_SZ
=8byte
PMA
User's
space
(a) in-used (b) free
Fig. 1 struct malloc_chunk
Low 3 bits
mean chunk
status
Glibc malloc Chunk
Shared with
previous chunk
"struct malloc_chunk"
 A memory block joins free list after being free()'ed.
 It is ordinarily treated as "struct malloc_chunk".
 The size of a chunk is aligned on SIZE_SZ*2 bytes.
(prev_size)
size
fd
bk
(not used)
(prev_size)
size
data
+
pads
SIZE_SZ
=8byte
PMA
User's
space
(a) in-used (b) free
Fig. 1 struct malloc_chunk
Low 3 bits
mean chunk
status
 [P]REV_INUSE
 IS_[M]MAPPED
 NON_MAIN_[A]RENA
Glibc malloc Chunk
Shared with
previous chunk
Glibc malloc Bin
A free chunk belongs to free list(bin).
 Small bins
 MAX_FAST_SIZE < size < MIN_LARGE_SIZE
 MAX_FAST_SIZE: 0xa0
 MIN_LARGE_SIZE: 0x400
 Unsorted bins
 The chunk which has just free()'ed temporarily belongs to
this list.
 There is no size restriction.
(prev_size)
size
fd
bk
(not used)
bins[n-1]
bins[n]
bins[n+1]
FD
BK
Fig 2. Small bin free list
bins
c
struct malloc_chunk
PMA
Glibc malloc Bin
Glibc malloc Consolidating Chunks
It can easily cause fragmentation owing
to frequent allocations and vice versa.
 Let's consider consolidating the chunk being free()'ed
and already free()'ed contiguous chunk.
 Previous contiguous.
 Next contiguous.
PREV_INUSE bit
 The flag for distinguishing whether the previous
contiguous chunk is in used or not.
 This is the sole criterion for the consolidating.
Glibc malloc Consolidating Chunks
Where is the flow of chunk consolidating?
 Let's read glibc!
 free(p)
 __libc_free(p)
 _int_free(av, p, have_lock) <- THIS!
(a) Entry point
Fig. 3 _int_free()
(b) Consolidating point
Fig. 3 _int_free()
(c) End point
Fig. 3 _int_free()
Glibc malloc Consolidating Chunks
(prev_size)
size
(a) Test prev_inuse
Fig. 4 Consolidating
size = p->size
If not prev_inuse(p):
prevsize = p->prev_size
size += prevsize
p += -(long)(prevsize)
fd
bk
(not used)
(prev_size)
size 0
data
+
pads
p
prev
p
Glibc malloc Consolidating Chunks
(prev_size)
size
(b) Relocation
Fig. 4 Consolidating
size = p->size
If not prev_inuse(p):
prevsize = p->prev_size
size += prevsize
p += -(long)(prevsize)
p
p
fd
bk
(not used)
(prev_size)
size 0
data
+
pads
prev
p
Glibc malloc Consolidating Chunks
(prev_size)
size 1
p
(c) New chunk
Fig. 4 Consolidating
p
(prev_size)
size
fd
bk
(not used)
fd
bk
(not used)
(prev_size)
size 0
data
+
pads
p
prev
p
House of Einherjar Flaw / Flow
Our current knowledge
 "p->prev_size" can be shared with previous contiguous
chunk.
 PREV_INUSE bit of "p->size" decides whether the two
contiguous chunks will be consolidated or not.
 New location of p depends on "p->prev_size".
 "p = chunk_at_offset(p, -((long)prevsize))"
House of Einherjar Flaw / Flow
Our current knowledge
 "p->prev_size" can be shared with previous contiguous
chunk.
 PREV_INUSE bit of "p->size" decides whether the two
contiguous chunks will be consolidated or not.
 New location of p depends on "p->prev_size".
 "p = chunk_at_offset(p, -((long)prevsize))"
Assumptions for House of Einherjar
 Three chunks.
 p0: the well-sized chunk(includes p1->prev_size).
 p1: the small bin sized chunk.
 (p2: the chunk to prevent from calling malloc_consolidate()).
 p0 will be Off-by-one(OBO) poisoned by NUL byte('¥0').
House of Einherjar Flaw / Flow
(prev_size)
size
data
(prev_size)
size
data
+
pads
1
(a) Before overflowing
Fig. 5 The House of Einherjar
shared
p0 (used)
p1 (used)
well-sized
House of Einherjar Flaw / Flow
(prev_size)
size
data
(prev_size)
size
data
+
pads
1
(b) Overflowing
Fig. 5 The House of Einherjar
Overflown
House of Einherjar Flaw / Flow
(prev_size)
size
data
0xdeadbeef
size
data
+
pads
'¥0'
(c) After overflowing
Fig. 5 The House of Einherjar
well-sized p0 (free)
p1 (used)
shared
House of Einherjar Flaw / Flow
(prev_size)
size
data
0xdeadbeef
size
data
+
pads
'¥0'
(c) After overflowing
Fig. 5 The House of Einherjar
well-sized p0 (free)
p1 (used)
sharedsize = p1->size
If not prev_inuse(p1):
prevsize = p1->prev_size
size += prevsize
p1 += -(long)(prevsize)
House of Einherjar Flaw / Flow
(prev_size)
size
data
0xdeadbeef
size
data
+
pads
'¥0'
(c) After overflowing
Fig. 5 The House of Einherjar
well-sized p0 (free)
p1 (used)
sharedsize = p1->size
If not prev_inuse(p1):
prevsize = 0xdeadbeef
size += prevsize
p1 += -(long)(prevsize)
House of Einherjar Flaw / Flow
How to enter into House of Einherjar
 The well-sized chunk will occur OBO Overflow into the
next chunk.
 We can put a fake chunk near the target area.
 For easy, we should make fd and bk members of fake
chunk to point to the fake chunk's self.
 We have to be able to calculate the diff between the
target area and "p1".
 Leaking the two addresses is required.
 We have to be able to fix "p1->size" broken by
free()'ing.
 On the assumption that we can write to the fake chunk
anytime.
Demo
http://ux.nu/6Rv6h
House of Einherjar Evaluation
Merit
 It depends on application's memory layout but only
OBO Overflow is required
 Huge malloc() like "House of Force" is not required.
Demerit
 The target area will be limited on the location of the
fake chunk.
 The leaking the two addresses is necessary.
Evaluation: "Not so bad"
House of Einherjar Countermeasures
"struct malloc_chunk" is NOT good
 "chunk->prev_size" SHOULD NOT be overwritable by
normal writes to a chunk.
 It uses Boundary Tag Algorithm. (It is what it is!)
Countermeasures?
 Address checking
 Is the consolidated chunk address valid?
 Stack and heap address spaces are completely different.
 It is possible to save a return address.
 But that cannot be the solution for House of Einherjar to
heap address space.
Thank You For Your Attention!
Any Questions?

More Related Content

Viewers also liked

Exploiting Memory Overflows
Exploiting Memory OverflowsExploiting Memory Overflows
Exploiting Memory Overflows
Ankur Tyagi
 
[CB16] マイクロソフトウィンドウズカーネルのデスノート by Peter Hlavaty & Jin Long
[CB16] マイクロソフトウィンドウズカーネルのデスノート by Peter Hlavaty & Jin Long[CB16] マイクロソフトウィンドウズカーネルのデスノート by Peter Hlavaty & Jin Long
[CB16] マイクロソフトウィンドウズカーネルのデスノート by Peter Hlavaty & Jin Long
CODE BLUE
 
[CB16] Cyber Grand Challenge (CGC) : 世界初のマシン同士の全自動ハッキングトーナメント by Tyler Nighsw...
[CB16] Cyber Grand Challenge (CGC) : 世界初のマシン同士の全自動ハッキングトーナメント by Tyler Nighsw...[CB16] Cyber Grand Challenge (CGC) : 世界初のマシン同士の全自動ハッキングトーナメント by Tyler Nighsw...
[CB16] Cyber Grand Challenge (CGC) : 世界初のマシン同士の全自動ハッキングトーナメント by Tyler Nighsw...
CODE BLUE
 
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
CODE BLUE
 
[CB16] Be a Binary Rockstar: An Introduction to Program Analysis with Binary ...
[CB16] Be a Binary Rockstar: An Introduction to Program Analysis with Binary ...[CB16] Be a Binary Rockstar: An Introduction to Program Analysis with Binary ...
[CB16] Be a Binary Rockstar: An Introduction to Program Analysis with Binary ...
CODE BLUE
 
How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012
_mr_me
 
Final lfh presentation (3)
Final lfh presentation (3)Final lfh presentation (3)
Final lfh presentation (3)
__x86
 
[CB16] バイナリロックスターになる:Binary Ninjaによるプログラム解析入門 by Sophia D’Antoine
[CB16] バイナリロックスターになる:Binary Ninjaによるプログラム解析入門 by Sophia D’Antoine[CB16] バイナリロックスターになる:Binary Ninjaによるプログラム解析入門 by Sophia D’Antoine
[CB16] バイナリロックスターになる:Binary Ninjaによるプログラム解析入門 by Sophia D’Antoine
CODE BLUE
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Priyanka Aash
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaion
Angel Boy
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
Mikhail Egorov
 
CNIT 127 Ch 5: Introduction to heap overflows
CNIT 127 Ch 5: Introduction to heap overflowsCNIT 127 Ch 5: Introduction to heap overflows
CNIT 127 Ch 5: Introduction to heap overflows
Sam Bowne
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the database
Bernardo Damele A. G.
 
ORM Injection
ORM InjectionORM Injection
ORM Injection
Simone Onofri
 
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassObject Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Sam Thomas
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
Daniel Bohannon
 
BlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation
BlackHat USA 2011 - Stefan Esser - iOS Kernel ExploitationBlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation
BlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation
Stefan Esser
 

Viewers also liked (18)

Exploiting Memory Overflows
Exploiting Memory OverflowsExploiting Memory Overflows
Exploiting Memory Overflows
 
[CB16] マイクロソフトウィンドウズカーネルのデスノート by Peter Hlavaty & Jin Long
[CB16] マイクロソフトウィンドウズカーネルのデスノート by Peter Hlavaty & Jin Long[CB16] マイクロソフトウィンドウズカーネルのデスノート by Peter Hlavaty & Jin Long
[CB16] マイクロソフトウィンドウズカーネルのデスノート by Peter Hlavaty & Jin Long
 
[CB16] Cyber Grand Challenge (CGC) : 世界初のマシン同士の全自動ハッキングトーナメント by Tyler Nighsw...
[CB16] Cyber Grand Challenge (CGC) : 世界初のマシン同士の全自動ハッキングトーナメント by Tyler Nighsw...[CB16] Cyber Grand Challenge (CGC) : 世界初のマシン同士の全自動ハッキングトーナメント by Tyler Nighsw...
[CB16] Cyber Grand Challenge (CGC) : 世界初のマシン同士の全自動ハッキングトーナメント by Tyler Nighsw...
 
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
 
[CB16] Be a Binary Rockstar: An Introduction to Program Analysis with Binary ...
[CB16] Be a Binary Rockstar: An Introduction to Program Analysis with Binary ...[CB16] Be a Binary Rockstar: An Introduction to Program Analysis with Binary ...
[CB16] Be a Binary Rockstar: An Introduction to Program Analysis with Binary ...
 
How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012How to-catch-a-chameleon-steven seeley-ruxcon-2012
How to-catch-a-chameleon-steven seeley-ruxcon-2012
 
Final lfh presentation (3)
Final lfh presentation (3)Final lfh presentation (3)
Final lfh presentation (3)
 
[CB16] バイナリロックスターになる:Binary Ninjaによるプログラム解析入門 by Sophia D’Antoine
[CB16] バイナリロックスターになる:Binary Ninjaによるプログラム解析入門 by Sophia D’Antoine[CB16] バイナリロックスターになる:Binary Ninjaによるプログラム解析入門 by Sophia D’Antoine
[CB16] バイナリロックスターになる:Binary Ninjaによるプログラム解析入門 by Sophia D’Antoine
 
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attacDefcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
Defcon 22-paul-mcmillan-attacking-the-iot-using-timing-attac
 
Advanced heap exploitaion
Advanced heap exploitaionAdvanced heap exploitaion
Advanced heap exploitaion
 
ORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORMORM2Pwn: Exploiting injections in Hibernate ORM
ORM2Pwn: Exploiting injections in Hibernate ORM
 
CNIT 127 Ch 5: Introduction to heap overflows
CNIT 127 Ch 5: Introduction to heap overflowsCNIT 127 Ch 5: Introduction to heap overflows
CNIT 127 Ch 5: Introduction to heap overflows
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 
Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the database
 
ORM Injection
ORM InjectionORM Injection
ORM Injection
 
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassObject Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypass
 
Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017Invoke-Obfuscation nullcon 2017
Invoke-Obfuscation nullcon 2017
 
BlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation
BlackHat USA 2011 - Stefan Esser - iOS Kernel ExploitationBlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation
BlackHat USA 2011 - Stefan Esser - iOS Kernel Exploitation
 

More from CODE BLUE

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
CODE BLUE
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
CODE BLUE
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
CODE BLUE
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
CODE BLUE
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
CODE BLUE
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
CODE BLUE
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
CODE BLUE
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
CODE BLUE
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
CODE BLUE
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
CODE BLUE
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
CODE BLUE
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
CODE BLUE
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
CODE BLUE
 

More from CODE BLUE (20)

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
 

Recently uploaded

Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
Jakub Marek
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
SitimaJohn
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
fredae14
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Alpen-Adria-Universität
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Wask
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 

Recently uploaded (20)

Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)Main news related to the CCS TSI 2023 (2023/1695)
Main news related to the CCS TSI 2023 (2023/1695)
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Digital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying AheadDigital Marketing Trends in 2024 | Guide for Staying Ahead
Digital Marketing Trends in 2024 | Guide for Staying Ahead
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 

[CB16] House of Einherjar — Yet Another Heap Exploitation Technique on GLIBC by Hiroki Matsukuma

  • 2. Hiroki MATSUKUMA (@st4g3r) Newbie Pentester  Cyber Defense Institute, Inc. CTF Player  TokyoWesterns My interests include  Exploitation  Glibc malloc (currently) $whoami
  • 3. tl;dr Heap Exploitation(x64 Linux/Glibc malloc) What's "House of Einherjar" ?  This is a new heap exploitation technique that forces glibc malloc() to return a nearly-arbitrary address.  User is ordinarily able to read/write to the address returned by malloc().  The concept is abusing consolidating chunks to prevent from the fragmentation.  Off-by-one Overflow on well-sized chunk leads both control of prev_size and PREV_INUSE bit of the next chunk. Proof of Concept  http://ux.nu/6Rv6h
  • 4. Overview Glibc malloc  Chunk  Bin  Consolidating Chunks House of Einherjar  Flaw / Flow  Demo  Evaluation  Countermeasures
  • 5. "struct malloc_chunk"  A memory block joins free list after being free()'ed.  free()'ed block is treated as "struct malloc_chunk".  The size of a chunk is aligned on SIZE_SZ*2 bytes. (prev_size) size fd bk (not used) (prev_size) size data + pads SIZE_SZ =8byte User's space (a) in-used (b) free Fig. 1 struct malloc_chunk Shared with previous chunk Glibc malloc Chunk
  • 6. TYPE NAME DESCRIPTION INTERNAL_SIZE_T prev_size Size of previously contigous chunk (shared) INTERNAL_SIZE_T size Size of itself and its current status struct malloc_chunk *fd Pointer to forwardly linked chunk (free list). struct malloc_chunk *bk Pointer to backwardly linked chunk (free list). Glibc malloc Chunk Table 1: struct malloc_chunk
  • 7. "struct malloc_chunk"  A memory block joins free list after being free()'ed.  It is ordinarily treated as "struct malloc_chunk".  The size of a chunk is aligned on SIZE_SZ*2 bytes. (prev_size) size fd bk (not used) (prev_size) size data + pads SIZE_SZ =8byte PMA User's space (a) in-used (b) free Fig. 1 struct malloc_chunk Low 3 bits mean chunk status Glibc malloc Chunk Shared with previous chunk
  • 8. "struct malloc_chunk"  A memory block joins free list after being free()'ed.  It is ordinarily treated as "struct malloc_chunk".  The size of a chunk is aligned on SIZE_SZ*2 bytes. (prev_size) size fd bk (not used) (prev_size) size data + pads SIZE_SZ =8byte PMA User's space (a) in-used (b) free Fig. 1 struct malloc_chunk Low 3 bits mean chunk status  [P]REV_INUSE  IS_[M]MAPPED  NON_MAIN_[A]RENA Glibc malloc Chunk Shared with previous chunk
  • 9. Glibc malloc Bin A free chunk belongs to free list(bin).  Small bins  MAX_FAST_SIZE < size < MIN_LARGE_SIZE  MAX_FAST_SIZE: 0xa0  MIN_LARGE_SIZE: 0x400  Unsorted bins  The chunk which has just free()'ed temporarily belongs to this list.  There is no size restriction.
  • 10. (prev_size) size fd bk (not used) bins[n-1] bins[n] bins[n+1] FD BK Fig 2. Small bin free list bins c struct malloc_chunk PMA Glibc malloc Bin
  • 11. Glibc malloc Consolidating Chunks It can easily cause fragmentation owing to frequent allocations and vice versa.  Let's consider consolidating the chunk being free()'ed and already free()'ed contiguous chunk.  Previous contiguous.  Next contiguous. PREV_INUSE bit  The flag for distinguishing whether the previous contiguous chunk is in used or not.  This is the sole criterion for the consolidating.
  • 12. Glibc malloc Consolidating Chunks Where is the flow of chunk consolidating?  Let's read glibc!  free(p)  __libc_free(p)  _int_free(av, p, have_lock) <- THIS!
  • 13. (a) Entry point Fig. 3 _int_free()
  • 15. (c) End point Fig. 3 _int_free()
  • 16. Glibc malloc Consolidating Chunks (prev_size) size (a) Test prev_inuse Fig. 4 Consolidating size = p->size If not prev_inuse(p): prevsize = p->prev_size size += prevsize p += -(long)(prevsize) fd bk (not used) (prev_size) size 0 data + pads p prev p
  • 17. Glibc malloc Consolidating Chunks (prev_size) size (b) Relocation Fig. 4 Consolidating size = p->size If not prev_inuse(p): prevsize = p->prev_size size += prevsize p += -(long)(prevsize) p p fd bk (not used) (prev_size) size 0 data + pads prev p
  • 18. Glibc malloc Consolidating Chunks (prev_size) size 1 p (c) New chunk Fig. 4 Consolidating p (prev_size) size fd bk (not used) fd bk (not used) (prev_size) size 0 data + pads p prev p
  • 19. House of Einherjar Flaw / Flow Our current knowledge  "p->prev_size" can be shared with previous contiguous chunk.  PREV_INUSE bit of "p->size" decides whether the two contiguous chunks will be consolidated or not.  New location of p depends on "p->prev_size".  "p = chunk_at_offset(p, -((long)prevsize))"
  • 20. House of Einherjar Flaw / Flow Our current knowledge  "p->prev_size" can be shared with previous contiguous chunk.  PREV_INUSE bit of "p->size" decides whether the two contiguous chunks will be consolidated or not.  New location of p depends on "p->prev_size".  "p = chunk_at_offset(p, -((long)prevsize))" Assumptions for House of Einherjar  Three chunks.  p0: the well-sized chunk(includes p1->prev_size).  p1: the small bin sized chunk.  (p2: the chunk to prevent from calling malloc_consolidate()).  p0 will be Off-by-one(OBO) poisoned by NUL byte('¥0').
  • 21. House of Einherjar Flaw / Flow (prev_size) size data (prev_size) size data + pads 1 (a) Before overflowing Fig. 5 The House of Einherjar shared p0 (used) p1 (used) well-sized
  • 22. House of Einherjar Flaw / Flow (prev_size) size data (prev_size) size data + pads 1 (b) Overflowing Fig. 5 The House of Einherjar Overflown
  • 23. House of Einherjar Flaw / Flow (prev_size) size data 0xdeadbeef size data + pads '¥0' (c) After overflowing Fig. 5 The House of Einherjar well-sized p0 (free) p1 (used) shared
  • 24. House of Einherjar Flaw / Flow (prev_size) size data 0xdeadbeef size data + pads '¥0' (c) After overflowing Fig. 5 The House of Einherjar well-sized p0 (free) p1 (used) sharedsize = p1->size If not prev_inuse(p1): prevsize = p1->prev_size size += prevsize p1 += -(long)(prevsize)
  • 25. House of Einherjar Flaw / Flow (prev_size) size data 0xdeadbeef size data + pads '¥0' (c) After overflowing Fig. 5 The House of Einherjar well-sized p0 (free) p1 (used) sharedsize = p1->size If not prev_inuse(p1): prevsize = 0xdeadbeef size += prevsize p1 += -(long)(prevsize)
  • 26. House of Einherjar Flaw / Flow How to enter into House of Einherjar  The well-sized chunk will occur OBO Overflow into the next chunk.  We can put a fake chunk near the target area.  For easy, we should make fd and bk members of fake chunk to point to the fake chunk's self.  We have to be able to calculate the diff between the target area and "p1".  Leaking the two addresses is required.  We have to be able to fix "p1->size" broken by free()'ing.  On the assumption that we can write to the fake chunk anytime.
  • 28. House of Einherjar Evaluation Merit  It depends on application's memory layout but only OBO Overflow is required  Huge malloc() like "House of Force" is not required. Demerit  The target area will be limited on the location of the fake chunk.  The leaking the two addresses is necessary. Evaluation: "Not so bad"
  • 29. House of Einherjar Countermeasures "struct malloc_chunk" is NOT good  "chunk->prev_size" SHOULD NOT be overwritable by normal writes to a chunk.  It uses Boundary Tag Algorithm. (It is what it is!) Countermeasures?  Address checking  Is the consolidated chunk address valid?  Stack and heap address spaces are completely different.  It is possible to save a return address.  But that cannot be the solution for House of Einherjar to heap address space.
  • 30. Thank You For Your Attention! Any Questions?