POSTED BY: Patroklos Argyroudis / 17.08.2012

Heap Exploitation Abstraction by Example - OWASP AppSec Research 2012

This year’s OWASP AppSec Research conference took place in Athens, Greece and we were planning to be there as participants. However, the day before the conference, Konstantinos Papapanagiotou (General Chair) asked if we could do a presentation to replace a cancelled talk. Myself and Chariton Karamitas agreed to help and spend around three hours preparing a talk on heap exploitation abstraction, a subject dear to us.

Our talk was titled “Heap Exploitation Abstraction by Example” and was divided into two main parts. In the first part we focused on presenting examples of exploiting heap managers. Specifically, we talked about attacking the FreeBSD kernel allocator (UMA), the Linux kernel allocator (SLUB) and the jemalloc userland allocator.

In the second part we started by finding the common elements of these three allocators and categorizing them into the following:

  • End-user allocations
  • Allocation containers
  • Container groupings
  • Execution-specific (thread, CPU core) metadata

We then proceeded to make an argument that the value of abstracting heap exploitation is in having a library of attack techniques, or primitives, that can be reused on other allocators. We took the concept of weird machines as defined by Sergey Bratus and Halvar Flake and applied it to heap managers. Briefly, we consider an allocator to be a deterministic automaton. Metadata corruption attacks can then be viewed as corruptions of the automaton’s transition function. Application-specific attacks, like adjacent memory region corruptions, can be viewed as manipulations of the automaton’s determinacy.

Please consider this as our early attempt on abstracting heap exploitation (also that it was put together in three hours) and expect more work on the subject from us.

Presentation Material

Thanks to: Sergey Bratus and Halvar Flake for the weird machine concept; Chris Valasek, Dimitris Glynos and Yiorgos Adamopoulos for interesting discussions on exploitation abstraction; Konstantinos Papapanagiotou for inviting us to replace the cancelled talk.