CENSUS researchers Vasilis Tsaousoglou and Patroklos Argyroudis delivered the "The Shadow over Android: Heap Exploitation Assistance for Android's libc Allocator" technical talk at the 2017 INFILTRATE (Miami, Florida) conference. The abstract of the talk follows:
The jemalloc allocator has been adopted as the default libc malloc(3) implementation on Android since version 5.0, and is being used up to the latest one (7.0 - Nougat). We have previously analyzed in depth memory corruption attacks against jemalloc as a standalone allocator and in the context of the Firefox browser. In this talk we will focus on presenting attacks against jemalloc as the main userland allocator of Android devices (smartphones and tablets). We have extended our jemalloc heap exploration and exploitation tool called 'shadow' to support Android (both ARM32 and ARM64), and we will be demonstrating its use in understanding the impact of heap corruption vulnerabilities and developing exploits for them. The new version of shadow (supporting Android ARM32/ARM64 and Firefox x86/x86-64) will be released as open source software along with the talk.
The talk built on previous CENSUS research on primitives for heap exploitation and, in particular, jemalloc exploitation.
In the following weeks the new version of 'shadow', supporting Android's libc heap implementation, will be released. For the time being, the slides from the talk can be found here.
Update: shadow v2 has been released!