Dobin 0x55_DefeatExploitMitigations_heap_intro.pdf
Dobin 0x55_DefeatExploitMitigations_heap_intro.pdf
Dobin 0x55_DefeatExploitMitigations_heap_intro.pdf
Kartei Details
| Karten | 12 |
|---|---|
| Sprache | English |
| Kategorie | Religion/Ethik |
| Stufe | Universität |
| Erstellt / Aktualisiert | 25.06.2019 / 25.06.2019 |
| Weblink |
https://card2brain.ch/box/20190625_dobin_0x55defeatexploitmitigationsheapintro_pdf
|
| Einbinden |
<iframe src="https://card2brain.ch/box/20190625_dobin_0x55defeatexploitmitigationsheapintro_pdf/embed" width="780" height="150" scrolling="no" frameborder="0"></iframe>
|
What is the heap?
- malloc() allocations
- Fullfill allocating and deallocating of memory regions
- Dynamic memory (allocations at runtime)
- What is on the heap:
- Objects, big buffers, structs, persistence, large things
- Its slow, manually
What do the functions malloc() and free() do?
- malloc(): get a memory region
- free(): release a memory region
How does the heap work?
void *ptr;
ptr = malloc(len)
- Allocated "len" size memory block
- Returns a pointer to this memory block
free(ptr)
- Tells the memory allocator that the memory block can now be re-used
- Note: ptr is NOT NULL after free()
What does the heap allocator do?
the heap allocator does:
- allocate big memory pages from the OS
- Mange these pages
- Split the pages into smaller chunks
- Make these chunks available to the program
Where is the heap relative to the stack, and in what direction does it grow?
How are memory pages brocken down in the heap?
How does the memory management work?
Heap allocator requierments:
- Shoul be quick to fulfill malloc() and free()
- Shoul not wast memory by managing memory
Example PHP7 emalloc:
- First chunk has management information
- Management chunk describes other chunks
- Which are free, how big they are etc ...
What is at the top of the chunk when it is allocate and unalocated
Allocated chunk:
- Size of previous chunk
- Size of chunk
Free chunk:
- Size of previous chunk
- Size of chunk
- Forward pointer to next chunk
- Back pointer to previous chunk
What are the characteristics of free heap chunks?
Free heap chunks:
- Free chunks contain heap-metadata in the usable space
- Free chunks organized in a linked list
- Adjacent free chunks are merged in some allocators
- This process is considerably useful for purposes
What is an inter chunk heap overflow and what are the problems with it?
Heap attack:
Inter-chunk overflow with management chunk
Problem:
- In-band singnaling
- Can modify management data of hep allocator
- Therefore, can modify behavior of heap allocator
- Make the heap allocator write stuff where and what we want
- Write-what-where
- upon free
What is an inter-chunk overflow?
What are the characteristics of a heap overflow?
- A buffer overflow on the heap can modify other buffers on the heap
- A buffer overflow on the heap can invluence memory allocator management data structures (junks etc...)
- and make it write some data to some memory address, in some cases.
-
- 1 / 12
-
