understanding the heap by breaking it
play

Understanding the heap by breaking it A case study of the heap as a - PowerPoint PPT Presentation

Mar 06, 2024 •306 likes •906 views

Understanding the heap by breaking it A case study of the heap as a persistent data structure through non-traditional exploitation techniques Justin N. Ferguson // BH2007 The heap, what is it? Globally scoped data structure

  1. Understanding the heap by breaking it A case study of the heap as a persistent data structure through non-traditional exploitation techniques Justin N. Ferguson // BH2007

  2. The heap, what is it? � Globally scoped data structure � Dynamically allocated memory � ‘exists-until-free’ life expectancy � Compliment to the stack segment 2

  3. Glibc implementation � Original implementation was by Doug Lea (dlmalloc) � Current implementation by Wolfram Gloger (ptmalloc2) � ptmalloc2 is a variant of dlmalloc � Ptmalloc2 supports multiple heaps/arenas � Ptmalloc2 supports multi-threaded applications � Talk uses Glibc 2.4 � When research on the subject matter started Glibc 2.4 was current � Glibc 2.6 seems to be by and large the same to us 3

  4. Glibc implementation � ‘The heap’ is a misnomer – multiple heaps possible � Heap is allocated via either sbrk(2) or mmap(2) � Allocation requests are filled from either the ‘top’ chunk or free lists � Allocated blocks of memory are navigated by size � Free blocks of memory are navigated via linked list � Adjacent free blocks are potentially coalesced into one � Implies: no two free blocks of memory can border each other 4

  5. Heap data structures � Each heap has: � heap_info structure � malloc_state structure � any number of malloc_chunk structures � heap_info structure contains/defines: � size of heap � pointer to arena for heap � pointer to previous heap_info structure � malloc_state structure contains/defines: � mutual exclusion variable � flags indicating status/et cetera of the arena � arrays of pointers to malloc_chunks (fastbin & normal) � pointer to next malloc_state structure � other less important (to us) variables 5

  6. Heap data structures � malloc_chunk structure contains: � size of previous adjacent chunk � size of current (this) chunk � if free, pointer to the next malloc_chunk � if free, pointer to the previous malloc_chunk � most commonly known heap data structure � Interpretation of chunk changes varying on state (important!) � malloc_chunk C structure: struct malloc_chunk { INTERNAL_SIZE_T prev_size; INTERNAL_SIZE_T size; struct malloc_chunk * fd; struct malloc_chunk * bk; } 6

  7. Heap data structures � malloc_chunks have different interpretations dependent upon chunk state � Despite physical structure not changing � Allocated block of memory is viewed in the following way 7

  8. Heap data structures � Blocks of free memory have the same physical structure � Parts of memory are reused for metadata � Free chunk has the following representation 8

  9. Binning of free blocks � Free chunks are placed in bins � Bin’s are just an array of pointers to linked lists � Bin’s could be called a free list � Two basic different types of bin � fastbins � ‘normal’ bins � Fastbins are for frequently used chunks � Not directly consolidated � Not sorted – every bin contains chunks of the same size � Only make use of the forward pointer � Use same physical structure as ‘normal’ bins � ‘Normal’ bins split into three categories � 1 st bin index is the ‘unsorted’ bin � then small ‘normal’ chunk bins � large ‘normal’ chunk bins � Larger requests serviced via mmap(2) and thus not 9 placed in bins

  10. More about fastbins � Blocks are removed from the list in a LIFO manner � Allocations ranging from 0 to 80 fall into the fastbin range � Default maximum fastbin size is 64 bytes � Chunks binned by size as follows: 10

  11. ‘normal’ bins � Same physical structure (array of pointers to malloc_chunk) � Blocks of memory less than 512 bytes fall into this range � Small ‘normal’ chunks are not sorted � Chunks of the same size stored in the same bin � Fastbin chunk sizes and small ‘normal’ bin chunk sizes overlap � Fastbin consolidation can create a small ‘normal’ bin chunk (or any other type of chunk) � Chunks largers than 512 bytes and less than 128KB are large ‘normal’ chunks � Bins sorted in the smallest descending order � Chunks allocated back out of the bin’s in the least recently used fashion (FIFO) 11

  12. top and last_remainder � Special chunks � Neither ever exist in any bin � Top chunk borders end of available memory � Top chunk is used for allocation (if possible) when free lists can’t service request � Chunks bordering the top are folded into the top block upon free() � Top can grow and shrink � Top always exists � last_remainder can be allocated out and then upon free() placed in a bin � last_remainder is the result of an allocation request that causes the chunk to be split 12

  13. heap operations � Heap creation notes � created implicitly � New arena/heap can be created mutexes � Block allocation notes � fastbin allocations cannot cause consolidation � small ‘normal’ block allocation can (sometimes) � large ‘normal’ block allocation always calls malloc_consolidate() � Chunk resize notes � Original chunk can be free()’d � Free()’ing chunk notes � can trigger consolidation � Can cause heap to be resized 13

  14. Double free()’s � Instance of dangling pointers / use-after-free � (nothing new or extra-ordinary and certainly not a new bug class) � Interesting due to insight into heap it provides � Result of a valid instruction being used at invalid times � In below example the free() labeled ‘a’ is valid � However free() labeled ‘b’ is not void *ptr = malloc(siz); if (NULL != ptr) { free(ptr); /* a */ free(ptr); /* b */ } 14

  15. Double free()’s � Surprisingly undocumented � Neither Vudo Malloc Tricks nor Once Upon a Free() mentions them � Advanced Doug Lea’s malloc exploits mentions them, kinda sorta not really � The Malloc Maleficarum doesn’t mention them � Shellcoders handbook has a paragraph (!!) in chapter 16 that tells you they’re not really exploitable � Only two decent references found by author thus far � The Art of Software Security Assessment (good book) � A post to a mailing list � The Art of Software Security Assessment says: � “ There is also a threat if memory isn't reused between successive calls to free() because the memory block could be entered into free- block list twice ” 15

  16. Traditional double free() exploitation � Only in-depth talk publicly about double free() exploitation from Igor Dobrovitski in 2003 � Mailing list post detailing exploit for CVS server � Details included most of this section � Thanks Igor! (if you’re here find me and I’ll buy you a beer) � Remember that an allocated chunk is represented differently than a free chunk 16

  17. Traditional double free() exploitation � Free blocks end up in a bin � Bins are linked lists � After first free list would look something like this: 17

  18. Traditional double free() exploitation � What happens when you free() the same chunk twice ? ;] 18

  19. 19 Traditional double free() exploitation

  20. Traditional double free() exploitation � Traditional exploitation depended on the unlink() macro � Thanks Solar Designer! (If you’re here find me and I’ll buy you a beer) � unlink() macro back then looked like this: #define unlink( P, BK, FD ) { \ BK = P->bk; \ FD = P->fd; \ FD->bk = BK; \ BK->fd = FD; \ } 20

  21. Traditional double free() exploitation � Steps to traditional exploitation: 1. Get the same block of memory passed to free() twice 2. Get one of the chunks allocated back to you 3. Overwrite the ‘fd’ and ‘bk’ pointers 4. Allocate the second instance of the block on the free-list 5. ?? 6. Profit � Reliable, ‘just worked’ � Of course, like all good things … 21

  22. Oops! It’s not 1996! � unlink() macro has been hardened .. Most everywhere � Double free() protections have been implemented .. Most everywhere � New unlink() macro: #define unlink(P, BK, FD) { \ FD = P->fd; \ BK = P->bk; \ if (__builtin_expect (FD->bk != P || BK->fd != P, 0)) \ malloc_printerr (check_action, "corrupted double-linked list", P); \ else { \ FD->bk = BK; \ BK->fd = FD; \ } \ } � Result of hackers abusing the macro � Thanks hackers! 22

  23. The example � Result of multiple error handling checks being performed on functions that call each other that on error will cause a multiple free condition � mod_auth_kerb versions 5.3, 5.2, … � Result of using an old asn.1 compiler from Heimdal � New ones don’t have the same problem, but have other problems � (yes if you’ve used it you should audit your code) � Thanks Heimdal! 23

  24. 24 Vulnerability Zero

  25. 25 Vulnerability One

  26. Threads & ptmalloc2 � Earlier versions of Glibc had no thread safety for its allocators � Demonstrated publicly by Michal Zalewski in Delivering Signals for Fun & Profit (underappreciated) � Thread safety is a key difference between dlmalloc and ptmalloc � Thread safety is provided by two mutual exclusions � list_lock: used during heap/arena creation � Per-arena mutex: locked prior to entry into internal routines � Cannot enter critical sections without a lock � Provides thread safety, mostly 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Dr Nick Saville Breaking out of the box Understanding rela5onships between learning and assessment Breaking out of the box - a metaphor for thinking about rela5onships and interpreta5ons breaking out breaking out of the box of the

895 views • 68 slides
i.e., Higgs? 1 Understanding Electroweak Symmetry breaking is essential for significant progress

i.e., Higgs? 1 Understanding Electroweak Symmetry breaking is essential for significant progress

Symmetry is fundamental to our understanding of the basic laws of physics Mass is always associated with symmetry breaking Easier to discover the symmetry: e.g. SU(2) x U(1) Harder to discover the symmetry breaking mechanism, i.e., Higgs? 1

862 views • 24 slides
PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low

PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low

ERIE COUNTY DEPARTMENT OF SOCIAL SERVICES Program Overview PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low income households to reduce energy expense s. HEAP PROGRAMS Regular HEAP Available

531 views • 14 slides
Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A)

Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A)

Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A) for i = floor( A.length/2 ) to 1 Max-Heapify(A, i) Build-Max-Heap Red part is already Heapified Build-Max-Heap Correctness: Base: Each alone

429 views • 23 slides
Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

1.33k views • 91 slides
Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The

Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The

Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The binomial heap allows for efficient union, which can not be done efficiently in the binary heap. The extra cost paid is the minimum operation, which

560 views • 24 slides
Breaking the Lightweight Secure PUF: Understanding the Relation of Input Transformations and

Breaking the Lightweight Secure PUF: Understanding the Relation of Input Transformations and

Breaking the Lightweight Secure PUF: Understanding the Relation of Input Transformations and Machine Learning Resistance 18th Smart Card Research and Advanced Application Conference: CARDIS 2019 Nils Wisiol, Georg T. Becker, Marian Margraf,

952 views • 21 slides
Understanding the Connectivity of Heap Objects Martin Hirzel, Johannes Henkel, Amer Diwan

Understanding the Connectivity of Heap Objects Martin Hirzel, Johannes Henkel, Amer Diwan

Understanding the Connectivity of Heap Objects Martin Hirzel, Johannes Henkel, Amer Diwan University of Colorado at Boulder Michael Hind IBM T.J. Watson Research Center Motivation Connectivity often gets in the way of GC:

403 views • 16 slides
When Testing in Production is a Good Idea Dan Robinson CTO, Heap whoami Joined as Heap's

When Testing in Production is a Good Idea Dan Robinson CTO, Heap whoami Joined as Heap's

When Testing in Production is a Good Idea Dan Robinson CTO, Heap whoami Joined as Heap's first hire in July, 2013. Previously an engineer at Palantir. Studied Math & CS at Stanford. What we'll talk about: 1. What is Heap? 2.

695 views • 47 slides
heaps and heapsort on n elements height of a heap is in (log n ) building a heap bottum-up in O (

heaps and heapsort on n elements height of a heap is in (log n ) building a heap bottum-up in O (

heaps and heapsort on n elements height of a heap is in (log n ) building a heap bottum-up in O ( n ) analysis via picture (learn) or using summations (know result) data structures and algorithms building a heap one-by-one in O ( n log n ) 2020

672 views • 7 slides
Initializing A Max Heap Initializing A Max Heap 1 1 3 3 2 2 4 5 6 7 4 5 6 7 8 9 7

Initializing A Max Heap Initializing A Max Heap 1 1 3 3 2 2 4 5 6 7 4 5 6 7 8 9 7

Initializing A Max Heap Initializing A Max Heap 1 1 3 3 2 2 4 5 6 7 4 5 6 7 8 9 7 7 11 8 8 9 7 7 11 8 10 10 input array = [-, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11] Start at rightmost array position that has a child.

522 views • 9 slides
In the Beginning was the Word Stephen Heap In the Beginning was the Word

In the Beginning was the Word Stephen Heap In the Beginning was the Word

In the Beginning was the Word Stephen Heap In the Beginning was the Word s.heap@uq.edu.au Stephen Heap s.heap@uq.edu.au Reading skill is based on three kinds of knowledge A fluent reader must have knowledge of: Language : word

480 views • 46 slides
A heap, a stack, a bottle and a rack The Stack Canary Birds The heap Answer: The first three

A heap, a stack, a bottle and a rack The Stack Canary Birds The heap Answer: The first three

A heap, a stack, a bottle and a rack The Stack Canary Birds The heap Answer: The first three segments are: code , read-only data and global data for the running process gurka. Then there is a segment for the heap . The segment marked with

399 views • 10 slides
Fibonacci Heap Group Paradox December 21, 2016 Contents 1. Introduction 2. Operations 3. Why

Fibonacci Heap Group Paradox December 21, 2016 Contents 1. Introduction 2. Operations 3. Why

Fibonacci Heap Group Paradox December 21, 2016 Contents 1. Introduction 2. Operations 3. Why it called Fibonacci (the proof) Priority Queue in Dijkstra Fibonacci Heap Operation Binary Heap Fibonacci Heap Find-Min O (1) O (1) Insert O (

465 views • 21 slides
6.006- Introduction to Priority Queue Algorithms A data structure implementing a set S of

6.006- Introduction to Priority Queue Algorithms A data structure implementing a set S of

Heap Menu Implementation of a priority queue Priority Queues An array, visualized as a nearly complete binary tree Max Heap Property: The key of a node is than the keys of Heaps its children (Min Heap defined

202 views • 7 slides
Priority Queue / Heap Stores ( key,data ) pairs (like dictionary) But, different set of

Priority Queue / Heap Stores ( key,data ) pairs (like dictionary) But, different set of

Priority Queue / Heap Stores ( key,data ) pairs (like dictionary) But, different set of operations: Initialize Heap : creates new empty heap Is Empty : returns true if heap is empty Insert ( key,data ): inserts ( key,data

956 views • 51 slides
Virginia ABC License Consolidation and Fee Restructuring Final Report November 25, 2019

Virginia ABC License Consolidation and Fee Restructuring Final Report November 25, 2019

12/3/2019 Virginia ABC License Consolidation and Fee Restructuring Final Report November 25, 2019 Subcommittee Request Virginia Senate Rehabilitation and Social Services Subcommittee on ABC Laws made a request in a letter dated December 11,

408 views • 9 slides
Consolidation Financial Analysis ONE YEAR ANALYSIS FOX POINT J2, GLENDALE-RIVER HILLS, MAPLE

Consolidation Financial Analysis ONE YEAR ANALYSIS FOX POINT J2, GLENDALE-RIVER HILLS, MAPLE

Consolidation Financial Analysis ONE YEAR ANALYSIS FOX POINT J2, GLENDALE-RIVER HILLS, MAPLE DALE-INDIAN HILL AND NICOLET UHS SCHOOL DISTRICTS Presented by: Debby Schufletowski Senior Vice President Baird 715-552-3567 (office) 715-557-2580

397 views • 28 slides
GOALS COLLABORATIVE TEACHER IMPROVED CLASSROOM SCHOOL CONSOLIDATION WORKSPACES UTILIZATION

GOALS COLLABORATIVE TEACHER IMPROVED CLASSROOM SCHOOL CONSOLIDATION WORKSPACES UTILIZATION

PROGRAMMING SCHOOL CONSOLIDATION PK-8 TERRACE HILLS / COLLINS PK-8 SCHOOL CONSOLIDATION PROJECT IS COMMITTED TO EMBRACING EPISDS STRATEGIC PRIORITIES & LEARNING GOALS. PROJECT BASED LEARNING BREAK OUT AREAS SAFE CAMPUS WITH FRESH

759 views • 7 slides
MODELLING OF HEAT TRANSFER AND CONSOLIDATION FOR THERMOPLASTIC COMPOSITES RESISTANCE WELDING H.

MODELLING OF HEAT TRANSFER AND CONSOLIDATION FOR THERMOPLASTIC COMPOSITES RESISTANCE WELDING H.

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS MODELLING OF HEAT TRANSFER AND CONSOLIDATION FOR THERMOPLASTIC COMPOSITES RESISTANCE WELDING H. Shi*, I. Fernandez-Villegas, H.E.N. Bersee Design and Production of Composite Structures,

399 views • 6 slides
Repayment Presentation Repaying your loan: Six things you need to know: 1. What are the benefits

Repayment Presentation Repaying your loan: Six things you need to know: 1. What are the benefits

National Student Loans Service Centre (NSLSC) CanLearn.ca Repayment Presentation Repaying your loan: Six things you need to know: 1. What are the benefits of Government Sponsored Student Loans? 2. What is Non-Repayment Period? 3. What is a

498 views • 23 slides
Enghouse - Corporate Presentation Q4 FY 19 Corporate Overview Enghouse - Corporate Presentation

Enghouse - Corporate Presentation Q4 FY 19 Corporate Overview Enghouse - Corporate Presentation

Enghouse - Corporate Presentation Q4 FY 19 Corporate Overview Enghouse - Corporate Presentation Q3 FY 18 Q4 FY 19 1 Forward-Looking Statements Disclaimer Certain statements made in this presentation and the related materials may contain

427 views • 16 slides
Agenda 0 Background 0 Eligibility Requirements 0 Loan types 0 Repayment plans 0 Employment 0 How to

Agenda 0 Background 0 Eligibility Requirements 0 Loan types 0 Repayment plans 0 Employment 0 How to

Agenda 0 Background 0 Eligibility Requirements 0 Loan types 0 Repayment plans 0 Employment 0 How to Apply 0 Pitfalls to Watch For 0 Politics and Future Disclaimer The presenter is not an attorney and the information shared within this

407 views • 28 slides
RESULTS PRESENTATION 9 Months 2017 1 Highlights of the trimester 3, 3,18 184 M 8. 8.8%

RESULTS PRESENTATION 9 Months 2017 1 Highlights of the trimester 3, 3,18 184 M 8. 8.8%

RESULTS PRESENTATION 9 Months 2017 1 Highlights of the trimester 3, 3,18 184 M 8. 8.8% 8% T otal Sales Global Margin +11% Organic Sales Growth +20% EBIT Growth MARGIN IMPROVEMENT AND NOTABLE GROWTH Ver ery Good d Cash sh Flow

316 views • 19 slides

More recommend