I recently presented a talk on heap exploitation abstraction at two conferences, namely
ZeroNights 2014 (Moscow, Russia) and
BalCCon 2014 (Novi Sad, Serbia). The talk titled “Project Heapbleed”, collected the experience of exploiting allocators in various different target applications and platforms. The talk focused on practical, reusable heap attack primitives that aim to reduce the exploit development time and effort.
The talk’s abstract was the following:
Heap related bugs (such as buffer overflows, use-after-frees, dangling/stale pointers, double frees) leading to corruptions of virtual memory and vulnerable conditions, constitute the most common type of memory corruption bugs. The exploitation of heap vulnerabilities is a process that requires a lot of time and effort. It requires meticulous understanding of the underlying heap allocator; its data structures metadata) and its allocation/deallocation algorithms. It requires understanding of how the target application uses the API provided by the heap allocator to manage dynamic memory and the allocation patterns that emerge due to this use. It also requires understanding of the application-specific data and how/where these are placed on the heap. Finally, it requires studying of the way the user can influence the application and use its provided functionality to control its heap as reliably as possible with the goal to create conditions aiding exploitation. All these must be viewed in the context of complicated bugs, since low-hanging fruits are scarce, and the vendors’ adoption of increasingly sophisticated exploitation mitigation technologies. We argue that although the details between the different heap allocators, target applications and bugs at hand obviously vary, the heap exploitation methodologies that have been formed by practical experience can be abstracted to reusable primitives that can be applied to new targets. Project Heapbleed is our attempt to define, clearly articulate, categorize and where applicable implement these primitives, aiming to provide a practical reusable heap exploitation toolset.
The slides are available here.
Update: The videos of both talks are now available on Youtube; ZeroNights 2014 and BalCCon 2014.