Dobin 0x55_DefeatExploitMitigations_heap_intro.pdf

• malloc() allocations
  • Fullfill allocating and deallocating of memory regions
• Dynamic memory (allocations at runtime)
• What is on the heap:
  • Objects, big buffers, structs, persistence, large things
• Its slow, manually

• malloc(): get a memory region
• free(): release a memory region

void *ptr;

ptr = malloc(len)

• Allocated "len" size memory block
• Returns a pointer to this memory block

free(ptr)

• Tells the memory allocator that the memory block can now be re-used
• Note: ptr is NOT NULL after free()

the heap allocator does:

• allocate big memory pages from the OS
• Mange these pages
• Split the pages into smaller chunks
• Make these chunks available to the program

Heap allocator requierments:

• Shoul be quick to fulfill malloc() and free()
• Shoul not wast memory by managing memory

Example PHP7 emalloc:

• First chunk has management information
• Management chunk describes other chunks
• Which are free, how big they are etc ...

Allocated chunk:

• Size of previous chunk
• Size of chunk

Free chunk:

• Size of previous chunk
• Size of chunk
• Forward pointer to next chunk
• Back pointer to previous chunk