heap exploitation heap primitives
play

Heap Exploitation Heap Primitives malloc free calloc - PowerPoint PPT Presentation

Sep 07, 2022 •203 likes •406 views

Heap Exploitation Heap Primitives malloc free calloc Organization of chunks Bins Fast Singly linked list 16, 24, 32, 40, 48, 56, 64, 72, 80 and 88 bytes Small Doubly linked list 16, 24, ... , 504 bytes

  1. Heap Exploitation

  3. Heap Primitives • malloc • free • calloc

  7. Organization of chunks • Bins • Fast • Singly linked list • 16, 24, 32, 40, 48, 56, 64, 72, 80 and 88 bytes • Small • Doubly linked list • 16, 24, ... , 504 bytes • Large • Doubly linked lists • Different sizes • Sorted in decreasing order • Unsorted

  8. Overview of Algorithms for malloc and free • Malloc • Free

  9. Examples of exploits • LIFO Experiment • Use after free • Unlink

  10. FIFO Experiment

  11. Example of UAF Heap exploit Indian Institute of Science 11

  12. Example of UAF Heap exploit Indian Institute of Science 12

  13. Example of UAF Heap exploit Indian Institute of Science 13

  14. Example of UAF Heap exploit Indian Institute of Science 14

  15. Example of UAF Heap exploit Indian Institute of Science 15

  16. Example of UnLink Exploit

  17. Example of UnLink Exploit

  19. Current Research: Attackers Perspective • Automatic manipulation • Dynamic and static analysis • Understanding allocators • Chunk placement • Manual Exploitation: Exploit writing

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Automatic Techniques to Systematically Discover New Heap Exploitation Primitives Ins Insu Yu

Automatic Techniques to Systematically Discover New Heap Exploitation Primitives Ins Insu Yu

Automatic Techniques to Systematically Discover New Heap Exploitation Primitives Ins Insu Yu Yun , Dhaval Kapil, and Taesoo Kim Georgia Institute of Technology 1 Heap vulnerabilities are the most common, yet serious security issues. %

387 views • 34 slides
PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low

PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low

ERIE COUNTY DEPARTMENT OF SOCIAL SERVICES Program Overview PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low income households to reduce energy expense s. HEAP PROGRAMS Regular HEAP Available

531 views • 14 slides
Understanding the heap by breaking it A case study of the heap as a persistent data structure

Understanding the heap by breaking it A case study of the heap as a persistent data structure

Understanding the heap by breaking it A case study of the heap as a persistent data structure through non-traditional exploitation techniques Justin N. Ferguson // BH2007 The heap, what is it? Globally scoped data structure

906 views • 58 slides
Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A)

Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A)

Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A) for i = floor( A.length/2 ) to 1 Max-Heapify(A, i) Build-Max-Heap Red part is already Heapified Build-Max-Heap Correctness: Base: Each alone

429 views • 23 slides
Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

1.33k views • 91 slides
Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The

Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The

Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The binomial heap allows for efficient union, which can not be done efficiently in the binary heap. The extra cost paid is the minimum operation, which

560 views • 24 slides
When Testing in Production is a Good Idea Dan Robinson CTO, Heap whoami Joined as Heap's

When Testing in Production is a Good Idea Dan Robinson CTO, Heap whoami Joined as Heap's

When Testing in Production is a Good Idea Dan Robinson CTO, Heap whoami Joined as Heap's first hire in July, 2013. Previously an engineer at Palantir. Studied Math & CS at Stanford. What we'll talk about: 1. What is Heap? 2.

695 views • 47 slides
heaps and heapsort on n elements height of a heap is in (log n ) building a heap bottum-up in O (

heaps and heapsort on n elements height of a heap is in (log n ) building a heap bottum-up in O (

heaps and heapsort on n elements height of a heap is in (log n ) building a heap bottum-up in O ( n ) analysis via picture (learn) or using summations (know result) data structures and algorithms building a heap one-by-one in O ( n log n ) 2020

672 views • 7 slides
Initializing A Max Heap Initializing A Max Heap 1 1 3 3 2 2 4 5 6 7 4 5 6 7 8 9 7

Initializing A Max Heap Initializing A Max Heap 1 1 3 3 2 2 4 5 6 7 4 5 6 7 8 9 7

Initializing A Max Heap Initializing A Max Heap 1 1 3 3 2 2 4 5 6 7 4 5 6 7 8 9 7 7 11 8 8 9 7 7 11 8 10 10 input array = [-, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11] Start at rightmost array position that has a child.

522 views • 9 slides
In the Beginning was the Word Stephen Heap In the Beginning was the Word

In the Beginning was the Word Stephen Heap In the Beginning was the Word

In the Beginning was the Word Stephen Heap In the Beginning was the Word s.heap@uq.edu.au Stephen Heap s.heap@uq.edu.au Reading skill is based on three kinds of knowledge A fluent reader must have knowledge of: Language : word

480 views • 46 slides
A heap, a stack, a bottle and a rack The Stack Canary Birds The heap Answer: The first three

A heap, a stack, a bottle and a rack The Stack Canary Birds The heap Answer: The first three

A heap, a stack, a bottle and a rack The Stack Canary Birds The heap Answer: The first three segments are: code , read-only data and global data for the running process gurka. Then there is a segment for the heap . The segment marked with

399 views • 10 slides
Fibonacci Heap Group Paradox December 21, 2016 Contents 1. Introduction 2. Operations 3. Why

Fibonacci Heap Group Paradox December 21, 2016 Contents 1. Introduction 2. Operations 3. Why

Fibonacci Heap Group Paradox December 21, 2016 Contents 1. Introduction 2. Operations 3. Why it called Fibonacci (the proof) Priority Queue in Dijkstra Fibonacci Heap Operation Binary Heap Fibonacci Heap Find-Min O (1) O (1) Insert O (

465 views • 21 slides
Binding the Daemon FreeBSD Kernel Stack and Heap Exploitation Patroklos (argp) Argyroudis

Binding the Daemon FreeBSD Kernel Stack and Heap Exploitation Patroklos (argp) Argyroudis

Binding the Daemon FreeBSD Kernel Stack and Heap Exploitation Patroklos (argp) Argyroudis argp@census-labs.com Outline Introduction Why target the kernel? Why target FreeBSD? Background Related work Exploitation

1.55k views • 56 slides
6.006- Introduction to Priority Queue Algorithms A data structure implementing a set S of

6.006- Introduction to Priority Queue Algorithms A data structure implementing a set S of

Heap Menu Implementation of a priority queue Priority Queues An array, visualized as a nearly complete binary tree Max Heap Property: The key of a node is than the keys of Heaps its children (Min Heap defined

202 views • 7 slides
Priority Queue / Heap Stores ( key,data ) pairs (like dictionary) But, different set of

Priority Queue / Heap Stores ( key,data ) pairs (like dictionary) But, different set of

Priority Queue / Heap Stores ( key,data ) pairs (like dictionary) But, different set of operations: Initialize Heap : creates new empty heap Is Empty : returns true if heap is empty Insert ( key,data ): inserts ( key,data

956 views • 51 slides
Say Goodbye to Off-heap Caches! On-heap Caches Using Memory-Mapped I/O Iacovos G. Kolokasis 1 ,

Say Goodbye to Off-heap Caches! On-heap Caches Using Memory-Mapped I/O Iacovos G. Kolokasis 1 ,

Say Goodbye to Off-heap Caches! On-heap Caches Using Memory-Mapped I/O Iacovos G. Kolokasis 1 , Anastasios Papagiannis 1 , Foivos Zakkak 2 , Polyvios Pratikakis 1 , and Angelos Bilas 1 1 University of Crete & Foundation of Research and

457 views • 19 slides
Data Structures in Java Lecture 2: Array and Linked Lists. 9/9/2015 Daniel Bauer 1 The List

Data Structures in Java Lecture 2: Array and Linked Lists. 9/9/2015 Daniel Bauer 1 The List

Data Structures in Java Lecture 2: Array and Linked Lists. 9/9/2015 Daniel Bauer 1 The List ADT A 0 A 1 A 2 A 3 A 4 A 5 A 6 The List ADT A list L is a sequence of N objects A 0 , A 1, A 2, , A N-1 A 0 A 1 A 2 A 3 A 4 A 5 A 6 The List

973 views • 47 slides
Lecture 8/9 : Separation Logic Can handle reasoning of imperative programs well. Overview

Lecture 8/9 : Separation Logic Can handle reasoning of imperative programs well. Overview

CS6202: Advanced Topics in Programming Hoare Logic Hoare Logic Languages and Systems Lecture 8/9 : Separation Logic Can handle reasoning of imperative programs well. Overview Notation : {P} code {Q} Assertion Logic {P}

557 views • 19 slides
Struktur Data & Algoritme ( Data Structures & Algorithms ) Linked-List Denny (

Struktur Data & Algoritme ( Data Structures & Algorithms ) Linked-List Denny (

Struktur Data & Algoritme ( Data Structures & Algorithms ) Linked-List Denny ( denny@cs.ui.ac.id ) Suryana Setiawan ( setiawan@cs.ui.ac.id ) Fakultas I lm u Kom puter Universitas I ndonesia Sem ester Genap - 2 0 0 4 / 2 0 0 5 Version 2

562 views • 25 slides
Self-referential Structures A basic data type (building block) for complex data structures

Self-referential Structures A basic data type (building block) for complex data structures

4/8/14 Self-referential Structures A basic data type (building block) for complex data structures such as trees and linked lists. Linked List Structure tags (i.e. tnode , node ) are required for self-referential structure

256 views • 3 slides
Linked Lists Comp 1402/1002 Using Defined Types Data Structures are key to Computer Science

Linked Lists Comp 1402/1002 Using Defined Types Data Structures are key to Computer Science

Linked Lists Comp 1402/1002 Using Defined Types Data Structures are key to Computer Science JAVA libraries: Vector, ArrayList, Hashtable C Arrays 1 Arrays Properties Elements are consecutive in memory

384 views • 13 slides
Linear Structures Every non-empty linear structure has A unique element called first A

Linear Structures Every non-empty linear structure has A unique element called first A

4/18/2013 Linear Structure Linear Structures Every non-empty linear structure has A unique element called first A unique element called last Every element except last has a unique successor Chapter 4 Every element except first

234 views • 11 slides
Verification of Low-Level List Manipulation (work in progress) Kamil Dudka 1 , 2 Petr Peringer 1

Verification of Low-Level List Manipulation (work in progress) Kamil Dudka 1 , 2 Petr Peringer 1

Verification of Low-Level List Manipulation (work in progress) Kamil Dudka 1 , 2 Petr Peringer 1 Tom Vojnar 1 1 FIT, Brno University of Technology, Czech Republic 2 Red Hat Czech, Brno, Czech Republic CP-meets-CAV, June 28, 2012 Low-level

320 views • 30 slides
Representing a Linked List 1 9 60 -3 Node List 2 types of information: List as a whole:

Representing a Linked List 1 9 60 -3 Node List 2 types of information: List as a whole:

Representing a Linked List 1 9 60 -3 Node List 2 types of information: List as a whole: head, tail, numElements Nodes in the list: value, next node 1 add(int index, E value) public void add(int index, E value) { if (index == 0) {

715 views • 6 slides

More recommend