Dobin 0x55_DefeatExploitMitigations_heap_intro.pdf


Set of flashcards Details

Flashcards 12
Language English
Category Religion/Ethics
Level University
Created / Updated 25.06.2019 / 25.06.2019
Weblink
https://card2brain.ch/box/20190625_dobin_0x55defeatexploitmitigationsheapintro_pdf

What is the heap?

  • malloc() allocations
    • Fulfil allocation and deallocation of memory regions
  • Dynamic memory (allocations at runtime)
  • What is on the heap:
    • Objects, big buffers, structs, persistent data, large things
  • It is slow and managed manually

What do the functions malloc() and free() do?

  • malloc(): get a memory region
  • free(): release a memory region

How does the heap work?

void *ptr;

ptr = malloc(len);

  • Allocates a memory block of "len" bytes
  • Returns a pointer to this memory block

free(ptr);

  • Tells the memory allocator that the memory block can now be re-used
  • Note: ptr is NOT NULL after free()

What does the heap allocator do?

the heap allocator does:

  • Allocate big memory pages from the OS
  • Manage these pages
  • Split the pages into smaller chunks
  • Make these chunks available to the program

Where is the heap relative to the stack, and in what direction does it grow?

How are memory pages broken down in the heap?

How does the memory management work?

Heap allocator requirements:

  • Should be quick to fulfil malloc() and free()
  • Should not waste memory on managing memory

Example PHP7 emalloc:

  • First chunk has management information
  • Management chunk describes other chunks
  • Which are free, how big they are etc ...

What is at the top of the chunk when it is allocated and unallocated?

Allocated chunk:

  • Size of previous chunk
  • Size of chunk

Free chunk:

  • Size of previous chunk
  • Size of chunk
  • Forward pointer to next chunk
  • Back pointer to previous chunk

What are the characteristics of free heap chunks?

Free heap chunks:

  • Free chunks contain heap-metadata in the usable space
  • Free chunks organized in a linked list
  • Adjacent free chunks are merged in some allocators
    • This merging (coalescing) is useful for several purposes

What is an inter chunk heap overflow and what are the problems with it?

Heap attack:

Inter-chunk overflow with management chunk

Problem:

  • In-band signaling
  • Can modify management data of the heap allocator
  • Therefore, can modify behavior of heap allocator
  • Make the heap allocator write stuff where and what we want
    • Write-what-where
    • upon free

What is an inter-chunk overflow?

What are the characteristics of a heap overflow?

  • A buffer overflow on the heap can modify other buffers on the heap
  • A buffer overflow on the heap can influence memory allocator management data structures (chunks etc.)
    • and make it write some data to some memory address, in some cases.