windows 8 heap internals
play

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap - PowerPoint PPT Presentation

Aug 27, 2023 •404 likes •1.33k views

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

  1. Windows 8 Heap Internals Windows 8 Heap Internals

  2. Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals

  3. Who • Chris Valasek (@nudehaberdasher) – Sr. Research Scientist – Coverity • Tarjei Mandt (@kernelpool) – Vulnerability Researcher – Azimuth Security Windows 8 Heap Internals

  4. What • Windows 8 Release Preview • Heap manager specifics • Exploitation techniques for Windows 8 heap • Prerequisite reading – “Understanding the LFH” • http://illmatics.com/Understanding_the_LFH.pdf • http://illmatics.com/Understanding_the_LFH_Slides.pdf – “Modern Kernel Pool Exploitation” • http://www.mista.nu/research/kernelpool_infiltrate2011.pdf – Kostya, Hawkes, Halvar, McDonald, Moore, etc Windows 8 Heap Internals

  5. Why • Learn how the Heap Manager and Kernel Pool Allocator work (in detail) – PLEASE read the paper if you want full details, this presentation just touches the surface • Heap exploits that worked on Windows 7 will most likely NOT work on Windows 8 • Let’s find out why Windows 8 Heap Internals

  6. Windows 8 Heap Internals User Land Back ‐ End Windows 8 Heap Internals

  7. Windows 8 Back ‐ end • Slightly modified version of the Windows 7 back ‐ end [ RtlpAllocateHeap() ] • Mitigations 1. Freeing of _HEAP structures is prohibited (R.I.P Ben Hawkes tech) 2. Virtually allocated chunks now have randomized locality/size Windows 8 Heap Internals

  8. Windows 8 Back ‐ end (cont.) Windows 8 Heap Internals

  9. Back ‐ end Mitigation I • Prevents the freeing and subsequent allocation of a _HEAP structure in RtlpFreeHeap (). – https://www.lateralsecurity.com/downloads/hawkes_ruxcon ‐ nov ‐ 2008.pdf – Although the direct overwriting can still occur, it is unlikely • Same holds true for RtlpReAllocateHeap () Windows 8 Heap Internals

  10. Back ‐ end Mitigation I (cont.) RtlpFreeHeap(_HEAP *heap, DWORD flags, void *header, void *mem) { . . . if(heap == header) { RtlpLogHeapFailure(9, heap, header, 0, 0, 0); return 0; } . . . } Windows 8 Heap Internals

  11. Back ‐ end Mitigation II • Chunk that exceeds the VirtualMemoryThreshold will be serviced by NtAllocateVirtualMemory () • Previously, the allocations occurred with a potential for semi ‐ predictable locations and sizes • Changes have been made to add a random offset to the base address when allocating large chunks in RtlpAllocateHeap () • Hope to encapsulate virtual chunk in inaccessible memory (MEM_RESERVE) • Note : If safe ‐ linking fails the application will only terminate if HeapTerminateOnCorruption has been set via HeapSetInformation (), otherwise the chunk is NOT linked in but still RETURNED Windows 8 Heap Internals

  12. Back ‐ end Mitigation II //VirtualMemoryThreshold set to 0x7F000 in CreateHeap() int request_size = Round(request_size) int block_size = request_size / 8; if(block_size > heap ‐ >VirtualMemoryThreshold) { int rand_offset = (RtlpHeapGenerateRandomValue32() & 0xF) << 12; request_size += 24; int region_size = request_size + 0x1000 + rand_offset; void *virtual_base, *virtual_chunk; int protect = PAGE_READWRITE; if(heap ‐ >flags & 0x40000) protect = PAGE_EXECUTE_READWRITE; //Attempt to reserve region_size bytes of memory if(NtAllocateVirtualMemory( ‐ 1, &virtual_base, 0, &region_size, MEM_RESERVE, protect) < 0) goto cleanup_and_return; virtual_chunk = virtual_base + rand_offset; if(NtAllocateVirtualMemory( ‐ 1, &virtual_chunk, 0, &request_size, MEM_COMMIT, protect) < 0) goto cleanup_and_return; //XXX Set headers and safe link ‐ in return virtual_chunk; } Windows 8 Heap Internals

  13. Windows 8 Heap Internals User Land Front End Windows 8 Heap Internals

  14. Windows 8 Front ‐ End • Major changes to allocation and free algorithms and moderate changes to integral data structures • RtlpLowFragHeapAllocFromContext () will not be a “matched function” by BinDiff between Windows 7 and Windows 8 • Mostly the same data structures but offsets and members have changed a bit Windows 8 Heap Internals

  15. Windows 8 Front ‐ End Mitigations • Mitigations 1. Front ‐ End Activation Dedicated counters/index instead of ListHint ‐ >Blink • FrontEndHeapUsageData[] (See paper) • 2. Front ‐ End Allocation FreeEntryOffset removed • Non ‐ deterministic allocations • 3. Fast Fail RtlpLowFragHeapAllocFromZone() implements fast fail • Also additional checking compared to Windows 7 – 4. Guard Pages 5. Arbitrary Free Mitigation 6. Exception Handling Removal Windows 8 Heap Internals

  16. Windows 7 Front ‐ End Windows 8 Heap Internals

  17. Windows 7 Front ‐ End Allocation 0 Windows 8 Heap Internals

  18. Windows 7 Front ‐ End Allocation I Windows 8 Heap Internals

  19. Windows 7 Front ‐ End Allocation II Windows 8 Heap Internals

  20. Windows 7 Front ‐ End Allocation III Windows 8 Heap Internals

  21. Windows 8 Front ‐ End Windows 8 Heap Internals

  22. Windows 8 Randomization • RtlpLowFragHeapRandomData initialized from RtlpCreateLowFragHeap and SlotIndex is updated on _HEAP_SUBSEGMENT creation [ RtlpSubSegmentInitialize ()] RtlpInitializeLfhRandomDataArray() { int RandIndex = 0; do { //ensure that all bytes are unsigned int newrand1 = RtlpHeapGenerateRandomValue32() & 0x7F7F7F7F; int newrand2 = RtlpHeapGenerateRandomValue32() & 0x7F7F7F7F; RtlpLowFragHeapRandomData[RandIndex] = newrand1; RtlpLowFragHeapRandomData[RandIndex+1] = newrand2; RandIndex+=2; } while(RandIndex < 64) } Windows 8 Heap Internals

  23. Windows 8 Front ‐ End Allocation 0 Windows 8 Heap Internals

  24. Windows 8 Front ‐ End Allocation I Windows 8 Heap Internals

  25. Windows 8 Front ‐ End Allocation II Windows 8 Heap Internals

  26. Windows 8 Front ‐ End Allocation III Windows 8 Heap Internals

  27. Win 7 vs Win 8 Allocation • Windows 7 – Will sequentially allocate chunks from the UserBlock – No validation of FreeEntryOffset, hence it can be overwritten and used as an exploitation primitive • Windows 8 – Randomized array used to search a bitmap – Bitmap will select the chunk, update itself and use a different random location each time – Heap determinism goes down significantly – FreeEntryOffset no longer kept in user data, therefore FreeEntryOffset Overwrite technique has died  Windows 8 Heap Internals

  28. Windows 8 Front ‐ End Mitigation III • Fast Fail – INT 0x29 Interupt – Designed to ensure ‘fast failing’ • http://www.alex ‐ ionescu.com/?p=69 – Search “CD 29” (x86) and find instances all over ntdll.dll – Only one assertion in the LFH, otherwise use the RtlpLogHeapFailure () function and rely upon HeapTerminateOnCorruption flag Windows 8 Heap Internals

  29. Windows 8 Front ‐ End Mitigation III • Bad News: Windows 8 checks LFH ‐ >SubSegmentZones _HEAP_SUBSEGMENT *RtlpLowFragHeapAllocateFromZone(_LFH_HEAP *LFH, int AffinityIndex) { . . . _LIST_ENTRY *subseg_zones = &LFH ‐ >SubSegmentZones; if(LFH ‐ >SubSegmentZones ‐ >Flink ‐ >Blink != subseg_zones || LFH ‐ >SubSegmentZones ‐ >Blink ‐ >Flink != subseg_zones) __asm{int 29}; } • Good News: Windows 7 has less strict checks Potential for write ‐ 4 primitive  – Windows 8 Heap Internals

  30. Windows Front ‐ End Mitigation IV • Guard Pages were added between _HEAP_USERDATA_HEADER objects to foil overwrites and heap spraying • Therefore, an overflow will need to exist in the same UserBlock, potentially guarding other UserBlock containrs. • After a certain amount of chunks exist for a certain size a guard page will be added for subsequent UserBlock creations • If page_shift == 0x12 || total_blocks >= 0x400 – Add a guard page to the allocation Windows 8 Heap Internals

  31. Windows Front ‐ End Mitigation IV RtlpLowFragHeapAllocFromContext() { . . //determine if we should use a guard page set_guard = false; //The total amount of chunks available for a _HEAP_SUBSEGMENT int total_block = HeapLocalSegInfo ‐ >Counters.TotalBlocks; if(total_blocks > 0x400) total_blocks = 0x400; //there are other operations here, left out for brevity int page_shift = 7; int req_size = total_blocks * RtlpBucketBlockSizes[HeapBucket ‐ >SizeIndex] + 8; req_size = req_size + Round32(total_blocks) + 0x24; do page_shift++; while(req_size >> page_shift); if(page_shift == 0x12 || total_blocks >= 0x400) set_guard = true; //will allocate memory for the UserBlocks and add a guard page if necessary RtlpAllocateUserBlock(LFH, page_shift, BucketByteSize, set_guard); . . } Windows 8 Heap Internals

  32. Windows Front ‐ End Mitigation IV RtlpAllocateUserBlock calls RtlpAllocateUserBlockFromHeap RtlpAllocateUserBlockFromHeap(_HEAP *heap, int size, bool set_guard) { . . _HEAP_USERDATA_HEADER *user_block = RtlAllocateHeap(heap, 0x800001, size ‐ 8); if(set_guard) { int page_size = 0x1000; //get the page aligned address then caluculate the size //plus one page (0x1000) int page_end_addr = (user_block + (size ‐ 8) + 0xFFF) & 0xFFFFF000; int new_size = page_end_addr ‐ user_block + page_size; //reallocate with an additional page of memory appended user_block = RtlReAllocateHeap(heap, 0x800001, user_block, new_size); //make the last page of this memory PAGE_NOACCESS ZwProtectVirtualMemory( ‐ 1, &new_size, &page_size, PAGE_NOACCESS, &output); user_block ‐ >GuardPagePresent = true; } return user_block; } Windows 8 Heap Internals

  33. Windows Front ‐ End Mitigation IV Windows 8 Heap Internals

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Roadmap for Section 4.3. Windows Process and Thread Internals Thread Block, Process Block Flow

Roadmap for Section 4.3. Windows Process and Thread Internals Thread Block, Process Block Flow

Unit OS4: Scheduling and Dispatch 4.3. Windows Process and Thread Internals Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 4.3. Windows Process and Thread Internals Thread

438 views • 15 slides
GHC heap internals Nikita Frolov &lt; frolov@chalmers.se &gt; (courtesy of Bob Ippolito,

GHC heap internals Nikita Frolov &lt; frolov@chalmers.se &gt; (courtesy of Bob Ippolito,

GHC heap internals Nikita Frolov &lt; frolov@chalmers.se &gt; (courtesy of Bob Ippolito, http://bob.ippoli.to/haskell-for-erlangers-2014/) GHC RTS https://ghc.haskell.org/trac/ghc/wiki/Commentary/Rts scheduler garbage collector

448 views • 14 slides
Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Unit OS B: Comparing the Linux and Windows Kernels Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux

430 views • 25 slides
Roadmap for Section A.1 General Concepts - Windows Networking Domains &amp; Active Directory The

Roadmap for Section A.1 General Concepts - Windows Networking Domains &amp; Active Directory The

Unit OS A: Windows Networking A.1. Networking Components in Windows Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section A.1 General Concepts - Windows Networking Domains &amp;

443 views • 28 slides
Roadmap for Section 2.3. Environment Subsystems System Service Dispatching Windows on Windows -

Roadmap for Section 2.3. Environment Subsystems System Service Dispatching Windows on Windows -

Unit OS2: Operating System Principles 2.3. Windows on Windows - OS Personalities Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 2.3. Environment Subsystems System

678 views • 20 slides
ADVANCED HEAP MANIPULATION IN WINDOWS 8 Who Am I Zhenhua(Eric) Liu Senior Security Researcher

ADVANCED HEAP MANIPULATION IN WINDOWS 8 Who Am I Zhenhua(Eric) Liu Senior Security Researcher

ADVANCED HEAP MANIPULATION IN WINDOWS 8 Who Am I Zhenhua(Eric) Liu Senior Security Researcher Fortinet, Inc. Previous: Dissecting Adobe ReaderXs Sandbox: Breeding Sandworms@BlackHat EU 2012 Agenda 0x01: Why start this research 0x02:

1.13k views • 102 slides
Roadmap for Section 7.2. Windows Security Features Components of the Security System Windows

Roadmap for Section 7.2. Windows Security Features Components of the Security System Windows

Unit OS7: Security 7.2. Windows Security Components and Concepts Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 7.2. Windows Security Features Components of the Security

453 views • 14 slides
Roadmap for Section 9.3 Windows XP Embedded Design Goals Development Tool Support OS

Roadmap for Section 9.3 Windows XP Embedded Design Goals Development Tool Support OS

Unit OS9: Real-Time and Embedded Systems 9.3. Embedded Systems with Windows XP Embedded Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 9.3 Windows XP Embedded Design Goals

336 views • 15 slides
PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low

PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low

ERIE COUNTY DEPARTMENT OF SOCIAL SERVICES Program Overview PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low income households to reduce energy expense s. HEAP PROGRAMS Regular HEAP Available

531 views • 14 slides
Roadmap for Section 9.2 Windows NT/2000/XP/2003 real-time behavior Windows NT/2000/XP/2003 I/O

Roadmap for Section 9.2 Windows NT/2000/XP/2003 real-time behavior Windows NT/2000/XP/2003 I/O

Unit OS9: Real-Time and Embedded Systems 9.2. Real-Time Systems with Windows Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 9.2 Windows NT/2000/XP/2003 real-time behavior

606 views • 24 slides
Roadmap for Section 11.2 Windows Boot Process Shutdown Causes for Crashes Recovery Console and

Roadmap for Section 11.2 Windows Boot Process Shutdown Causes for Crashes Recovery Console and

Unit OS11: Performance Evaluation 11.2. Boot/Startup Troubleshooting Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 11.2 Windows Boot Process Shutdown Causes for Crashes

706 views • 28 slides
Roadmap for Section C.1 Windows Services for UNIX 3.5 NFS client/server Lightweight Directory

Roadmap for Section C.1 Windows Services for UNIX 3.5 NFS client/server Lightweight Directory

Unit OS C: Interoperability C.1. File and Command Interoperability Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section C.1 Windows Services for UNIX 3.5 NFS client/server

381 views • 17 slides
Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A)

Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A)

Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A) for i = floor( A.length/2 ) to 1 Max-Heapify(A, i) Build-Max-Heap Red part is already Heapified Build-Max-Heap Correctness: Base: Each alone

429 views • 23 slides
Roadmap for Section 1.3. High-level Overview on Windows Concepts Processes, Threads Virtual

Roadmap for Section 1.3. High-level Overview on Windows Concepts Processes, Threads Virtual

Unit OS1: Overview of Operating Systems 1.3. Windows Operating System Family - Concepts &amp; Tools Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 1.3. High-level

662 views • 17 slides
Roadmap for Section A.2 General Concepts - Berkeley Sockets Creating a socket Binding an address

Roadmap for Section A.2 General Concepts - Berkeley Sockets Creating a socket Binding an address

Unit OS A: Windows Networking A.2. Windows Sockets Programming Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section A.2 General Concepts - Berkeley Sockets Creating a socket

140 views • 12 slides
Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box - Still GUI based - Still makes no sense - No start menu :( - (Install classic shell)... trust me... Windows Server What can it do? - Email

1.06k views • 37 slides
Decision Procedures for Verification Viorica Sofronie-Stokkermans sofronie@uni-koblenz.de 1

Decision Procedures for Verification Viorica Sofronie-Stokkermans sofronie@uni-koblenz.de 1

Decision Procedures for Verification Viorica Sofronie-Stokkermans sofronie@uni-koblenz.de 1 Last lectures Reasoning in specific theories UIF (congruence closure) Arithmetical domains LI( Q ) Difference logic Combinations

434 views • 29 slides
Advanced File Systems Thierry Sans Advanced File Systems How to improve the performances?

Advanced File Systems Thierry Sans Advanced File Systems How to improve the performances?

Advanced File Systems Thierry Sans Advanced File Systems How to improve the performances? BSD Fast File System (FFS) How to improve the reliability in case of a crash? Log-Structured File system (LFS) Journaling File System (ext3)

600 views • 30 slides
1 1 $ -. - r Q I Quattro microTM Course Outline Morning Afternoon Introduction: QM

1 1 $ -. - r Q I Quattro microTM Course Outline Morning Afternoon Introduction: QM

- 0 C 3 C) 0 I I 1 1 $ -. - r Q I Quattro microTM Course Outline Morning Afternoon Introduction: QM Overview, Instrument Tuning:

1.66k views • 117 slides
CS5625 Interactive Computer Graphics Steve Marschner Spring 2019 01 Introduction CD Projekt

CS5625 Interactive Computer Graphics Steve Marschner Spring 2019 01 Introduction CD Projekt

CS5625 Interactive Computer Graphics Steve Marschner Spring 2019 01 Introduction CD Projekt RED The Witcher 3 (2015) Naughty Dog The Last of Us (Remastered, 2014) Rockstar Games Red Dead Redemption 2 (2018) Valve Portal (2007)

1.13k views • 89 slides
A Duality for Distributive Unimodal Logic Adam P renosil Institute of Computer Science,

A Duality for Distributive Unimodal Logic Adam P renosil Institute of Computer Science,

A Duality for Distributive Unimodal Logic Adam P renosil Institute of Computer Science, Academy of Sciences of the Czech Republic 17 October 2014, Groningen Advances in Modal Logic 2014 Adam P renosil A Duality for Distributive Unimodal

373 views • 36 slides
fjlesystems 3 1 last time FAT headers, free space, allocating space hard disk performance seek

fjlesystems 3 1 last time FAT headers, free space, allocating space hard disk performance seek

fjlesystems 3 1 last time FAT headers, free space, allocating space hard disk performance seek times from physical movement of disk head queues of requests, scheduled to control seek time smarts in controller: bad blocks, scheduling solid

1.03k views • 80 slides
LPWAN WG WG Chairs: Alexander Pelov &lt;a@ackl.io&gt; Pascal Thubert &lt;pthubert@cisco.com&gt;

LPWAN WG WG Chairs: Alexander Pelov &lt;a@ackl.io&gt; Pascal Thubert &lt;pthubert@cisco.com&gt;

LPWAN WG WG Chairs: Alexander Pelov &lt;a@ackl.io&gt; Pascal Thubert &lt;pthubert@cisco.com&gt; AD: Suresh Krishnan &lt;suresh.krishnan@ericsson.com&gt; 98 th IETF, Chicago, March 29 th , 2017 LPWAN@IETF98 1 Note Well Any submission to the

1.54k views • 126 slides
The limits and possibilities of combining Description Logics and Datalog Riccardo Rosati

The limits and possibilities of combining Description Logics and Datalog Riccardo Rosati

The limits and possibilities of combining Description Logics and Datalog Riccardo Rosati Dipartimento di Informatica e Sistemistica Universit` a di Roma La Sapienza rosati@dis.uniroma1.it RuleML 2006, Athens, GA, November 2006 Outline

753 views • 44 slides

More recommend