SlideShare a Scribd company logo

Attacking the Webkit heap [Or how to write Safari exploits]

Seguridad Apple
Seguridad Apple

The document discusses exploiting memory corruption vulnerabilities in the WebKit heap allocator TCMalloc. It provides an overview of TCMalloc's allocator hierarchy and data structures, including thread caches, free lists, spans, and the page heap. It then describes techniques for exploiting TCMalloc, such as freeing invalid pointers, overflowing thread cache free lists to control allocation addresses, and corrupting span object lists to inject fake free list entries. The goal is to achieve arbitrary code execution on browsers and devices using the WebKit rendering engine.

Technology
1 of 96
Download to read offline
Attacking the WebKit Heap [Or how to write Safari exploits] Agustin Gianni + Sean Heelan 1 Immunity Inc.
Introduction ● The use of Webkit has been increasing steadily ● According to Wikipedia¹, “WebKit powers Google Chrome and Apple's Safari, which in January 2011 had around 13% and 6% of browser market share respectively.” ● Webkit Heap is based on TCMalloc ● Source is available ● A custom heap allocator eases the development of cross platform exploits. ● They use the same one for every architecture/os ● A single exploit to rule them all. 2 ¹ http://en.wikipedia.org/wiki/WebKit
Motivation ● Huge surface of attack ● Chrome ● Safari ● Android ● Kindle ● BlackBerry ● Security teletubbies use MacOSX ● Finally we can pwn Charlie Miller. 3
Basics ● Custom allocator designed with speed in mind ● Generally, speed = less “security checks” ● Thread oriented design ● Each thread gets a thread-local cache. ● Each thread manages its own allocations. ● TCMalloc consists of three different allocators ● Hierarchically arranged – Higher up allocators serve the lower allocators with memory 4
Allocator Hierarchy The PageHeap is closest to the system (highest), the ThreadCache is closest to the application (lowest) 5
Allocation Sizes ● Chunk sizes are divided into kNumClasses ● WebKit has 68 Size Classes ● Allocations are rounded to the nearest size class ● Small chunks < 8 * PAGE_SIZE ● Allocated from the ThreadCache ● Large chunks > 8 * PAGE_SIZE ● Allocated from the PageHeap 6
Spans ● Memory managed by TCMalloc is backed by a Span structure ● Sets of contiguous pages ● Can contain: ● Set of Small Chunks ● Large Chunk ● Span metadata is stored in the Span header which is allocated independently of the Span data 7
ThreadCache ● Front-end allocator for each thread ● Contains an array of 68* free- lists ● Max. elements per free-list is 256* ● Allocates/Deallocates its memory from/to the CentralCache 8 * May differ between applications
ThreadCache Freelist ● Each size class has its own ThreadCache FreeList ● The list_ attribute points to a singly linked list of free chunks 9
Central-Cache ● Is an array of CentralFreeList's ● One per size class ● Obtains/Frees its memory from/to the PageHeap ● Splits a Span into smaller chunks ● Provides chunks to Thread-Caches ● Populates a given freelist ● Shared by all threads ● Locking is required 10
Small Chunk Span Creation ● The Span objects list is used as the backend for FreeList creation for the CentralCache 11
PageHeap ● Manages chunks of memory allocated from the system allocators ● Populated on the first call to PageHeap::New (and as required after this) ● This will trigger an allocation from the System allocator e.g. VirtualAlloc, mmap, sbrk ● Contains two free lists ● SpanList large – For chunks bigger than kMaxPages (256 in WebKit) ● SpanList free_[kMaxPages] 12 – First entry is 1 page, second entry 2 pages, and so on
Small Chunk Allocation 13
Small Chunk Allocation ● 68 different Size Classes * ● Sizes are rounded to the next size class ● 8 bytes is the minimum chunk size ● Allocations of size 0 are valid and rounded up to 8 ● Chunks will be obtained from one of the Thread-Cache free lists 14
15
Large Chunk Allocation 16
Large Chunk Allocation ● Handled by the PageHeap ● Allocations of more than 8*PAGE_SIZE are considered large allocations ● Page aligned ● Can trigger heap growth 17
18
Chunk Deallocation ● Small chunks go directly to the ThreadCache free list. ● If the free list size exceeds 'kMaxFreeListLength' (256) some of the chunks are moved to the central- cache free list. ● If the combined size of the chunks exceeds 'kMaxThreadCacheSize' (2<<20) → GC ● Large chunks are inserted on the PageHeap ● Coalescing is triggered if neighboring chunks are also free. 19
Object Deallocation Flow Graph!
End of Introduction 21
Exploiting Memory Corruption Bugs in TCMalloc 22
Security Mechanisms ● Back to 1995 ● All in all, there are no protections ● Lulz level increased comex: “The best way to avoid fighting with the heap is to find vulnerabilities that aren't heap overflows” ● Vendors must have felt sorry for us =D 23
Resurrecting the Dead ● Freeing Invalid Pointers ● ThreadCache FreeList Overflow ● Insert to FreeList[X] ● Span Objects List Overflow ● Insert to Span Objects list ● Double Free ● Span Metadata Overflow ● Unlink ● Strawberry Pudding 24
Freeing Invalid Pointers
Freeing Invalid Pointers: The Bad ● If the pointer has a PageID (ptr >> kPageShift) that has not previously recorded as a Span then Bad Things may occur ● There is a PageMap object that maps from pointers to the correct Span containing information about the page they are within ● At the start of do_free TCMalloc attempts to retrieve the Span for the pointer using GetDescriptor(ptr >> kPageShift)
Freeing Invalid Pointers: The Bad void* get(Number k) const { ASSERT(k >> BITS == 0); const Number i1 = k >> LEAF_BITS; const Number i2 = k & (LEAF_LENGTH-1); return root_[i1]->values[i2]; } ● root is an array of 32 pointers, initialized to 0 ● values is an array of 32768 pointers, initialized to 0 ● So ptr >> kPageShift must therefore have been inserted into the PageMap at some point or ...
Freeing Invalid Pointers: The Bad ● .... Bad Things ● TCMalloc in WebKit will segfault on the NULL ptr dereference if root[i1] has not been alloc'd ● TCMalloc in Chrome detects the above condition and returns NULL ● In both, the values array is initialized to 0 so root_[i1]->values[i2] will return NULL if it has never been set previously ● Chrome again detects the NULL return value and will raise a SIGABRT or similar ● WebKit again will kamikaze on a NULL ptr soon after
Freeing Invalid Pointers: The Bad ● Can be an inconvenience for other techniques ● Prevents us from free'ing Span header objects as they are allocated from a separate pool of memory ● We have to be careful not to trigger free calls on pointers we insert into free lists after they are handed to the application if they are not in a valid Span ● As a side note, the above two level array is used for 32-bit Linux/OS X, 32-bit Windows uses a flat array and 64-bit * uses a radix tree ● For our purposes the result is effectively the same
Freeing Invalid Pointers: The Good ● We can however free any pointer that maps back to a valid Span ● Free'ing large objects (> kMaxSize [32768]) – Free of any address within the first page of the object free's the object – The other pages are not linked to any Span ● Free'ing small objects – Any address that falls within a span recorded as containing small objects can be free'd – If the Span contains multiple pages, each page is linked back to the correct Span header in the PageMap – The pointer will be added to the free list for size class of the Span it falls within
Freeing Invalid Pointers: Large Objects PageMap 0xbc31 SPAN_0xbc31
Freeing Invalid Pointers: Large Objects PageMap 0xbc31 SPAN_0xbc31 free(0xbc31ffff) :) free(0xbc32000) :(
Freeing Invalid Pointers: Small Objects PageMap 0xbc31 SPAN_0xbc31 0xbc32 SPAN_0xbc31
Freeing Invalid Pointers: Small Objects PageMap 0xbc31 SPAN_0xbc31 0xbc32 SPAN_0xbc31
Summary ● For large objects free'ing any pointer within the first page free's the entire object ● For small objects free'ing any pointer within the Span free's that pointer ● This pointer does *NOT* have to be correctly aligned with the small chunks in that Span ● Therefore we can free part of an in-use chunk if we want ● Interesting vector when considering partial pointer overflows that are later free'd ● Free'ing anything else will end in Bad Things
ThreadCache FreeList Corruption 36
FreeList[X] Allocation ● ThreadCache FreeList[X] ● ThreadCache::Allocate (non empty freelist) SLL_Pop(void **list_) result = *list_; *list_ = **list_; return result; 37
FreeList[X] Allocation SLL_Pop(void **list_) result = *list_; 38
FreeList[X] Allocation SLL_Pop(void **list_) result = *list_; 39
FreeList[X] Allocation SLL_Pop(void **list_) result = *list_; ● *list_ = **list_; return result; 40
Insert to FreeList[X] 41
Insert to FreeList[X] overflow_func(result) 42
Insert to FreeList[X] 43
Insert to FreeList[X] Allocate(FreeList[X]) 44
Insert to FreeList[X] Allocate(FreeList[X]) ● This allocation returns an address we control to the application as valid heap memory ● Similar to the Insert to Lookaside technique in effect ● The new list head pointer is equal to the first DWORD of this region ● Caveat: Ensuring our overflow chunk is behind a chunk 45 in a free list may require some trickery...
FreeList Creation ● Initial FreeList creation FetchFromCentralCache -> CentralFreeList::RemoveRange -> CentralFreeList::FetchFromSpansSafe ->CentralFreeList::Populate ● FetchFromSpans returns the chunks in address order but RemoveRange creates its list by prepending the chunks to the head ● The result – Chunks in a new FreeList are *behind* a newly allocated chunk 46
FreeList Creation: Populate() ● Populate (re)sets the objects list of a span into address order 47
FreeList Creation: RemoveRange() while (count < num) { void *t = FetchFromSpans(); if (!t) break; SLL_Push(&head, t); count++; } 48
FreeList Creation: RemoveRange() while (count < num) { void *t = FetchFromSpans(); if (!t) break; SLL_Push(&head, t); count++; } ● FetchFromSpans pops from the head of the objects list and SLL_Push sets each as the 49 new free list head
FreeList Creation ● Chunks are in reverse address order ● Created from the Span starting at 0xdcaa000 50
Crafting the FreeList Layout ● Solution. ● Empty the FreeList and the first Span in the nonempty list – The next allocation will retrieve an ordered set of chunks via Populate etc. from one or more spans and create a FreeList. – Maximum FreeList lengths differ between browsers ● Safari – 256 ● Chrome – 8192 ● Rearrange the FreeList via malloc/free calls 51
FreeList Corruption Notes ● ThreadCache::Allocate ● Gives the Insert to FreeList[X] technique – revives the 4-to-N byte overflow primitive ● Requires an overflow and at least two allocations – The first allocation to set the list head pointer from our corrupted chunk and the second to hand back this pointer to the application ● On allocation of the target pointer the [D|Q]WORD at this address becomes the FreeList head. – Need to be wary of further allocations if we cannot set this to 0x0 (End of List) or ensure that the allocation that returns the target pointer is the last pointer in the free list52 (length_ == 0 afterwards)
FreeList Corruption Notes ● ThreadCache::Deallocate ● Generally functions correctly as chunks are prepended to the FreeList without walking it ● May trigger a call to ReleaseToCentralCache if FreeList[X]->length() > kMaxFreeListLength – This in turn causes the FreeList to be walked through PopRange. If our corrupted chunk is within batch_size elements from the head of the list the corrupted next pointer will be followed as will the DWORD at that address and so on up to batch_size times. ● If the memory we inserted into the FreeList is not within a page allocated by TCMalloc and gets free'd TM 53 then Very Bad Things happen (Process death)
Span Objects List Corruption 54
Span Objects List Corruption ● Hang on a sec... ● What about the span objects list? ● Also a singly linked list ● The head resides directly after the FreeList head when a new Span is created and partially returned as a FreeList 55
Span Objects List Corruption ● What if we force this situation as before (empty free lists, trigger call to Populate() to reset Span object list) and overflow the first chunk returned instead of re-ordering for a FreeList overwrite 56
Span Objects List Corruption result = malloc(size) 57
Span Objects List Corruption result = malloc(size) overflow(result) 58
Faking a FreeList ● At this point the old FreeList is untouched ● But... we have trashed the next pointer for the first chunk in the span objects list, ● The next time TCMalloc tries to build a new FreeList from this Span it will add the pointer we control to the list 59
Faking a FreeList result = FetchFromSpans(); free_list.push(result) 60
Faking a FreeList result = FetchFromSpans(); free_list.push(result) result = FetchFromSpans(); free_list.push(result) 61
Faking a FreeList 62
Faking a FreeList ● What happens next depends on the first [Q|D]word of the chunk at XXXX ● RemoveRange() will continue to use this Span to build the new free list until it reaches its limit or empties the Span ● Ideally we want it to be 0x0 so the Span is considered empty ● If not then this pointer will be followed and so on until a 0x0 is reached or enough chunks are retrieved 63
Summary ● Overflow the head of a new free list (or any chunk before a chunk in a Span object list) and corrupt the next pointer of a chunk in a Span object list ● Empty the FreeList for that Span object size ● Trigger another allocation of this size, causing TCMalloc to create a new free list from the non-empty spans ● This allocation will follow our controlled pointer (presuming no other spans have been added to the nonempty span list) when building the free list ● The last chunk added is directly returned to the application ● Revives the 4-to-N byte overflow primitive, again 64
Double Free 65
Double Free ● TCMalloc has no protection against this type of error ● A double free of a pointer simply results in the same chunk being inserted into the FreeList twice ● A cycle in the FreeList is created if the chunk was not removed from the FreeList between frees (via allocation or returning to the CentralFreeList) ● Exploitation - obvious? ● Allocate twice. First as an object containing function pointers then as a controllable object e.g. a string 66
Span Metadata Corruption: Hacking like it's 1995 67
Hello Darkness my old friend static inline void DLL_Remove(Span* span) { span->prev->next = span->next; span->next->prev = span->prev; span->prev = NULL; span->next = NULL; } 68
Overflowing Span Metadata ● New spans created for large allocations (>0x8000) and when the CentralFreeList runs out of chunks for smaller sizes ● Metadata for Spans is *not* stored inline with the pages representing the data ● Span headers are separate objects allocated from their own PageHeapAllocator (initially a 0x8000 byte pool created via sbrk, mmap or VirtualAlloc) 69
Overflowing Span Metadata ● Overflowing Span metadata is not as convenient or as common as a FreeList or Span object list overwrite ● Requires the Span pool to be after whatever chunk we overflow with no unmapped pages in between ● May not be possible to ensure this and will depend on the OS and application embedding TCMalloc ● If we can force the required memory layout then this may allow for as many mirrored write-4s as we can overflow consecutive headers 70
Required Memory Layout ● Where is the pool of Span headers ● If sbrk() is in use then we can force it to be after the chunks managed by TCMalloc ● If mmap or VirtualAlloc are used then it could be in any number of locations due to randomization 71
Corrupting Span Metadata ● Presuming we have the correct memory layout, then what? ● We need an overflow large enough to cover the gap between our allocated chunk and the Span metadata 72
Corrupting Span Metadata 73
Triggering the Unlink ● DLL_Remove is called in a number of places as part of Span management in the PageHeap and CentralFreeList ● The most straightforward path to DLL_Remove appears to be through do_free on a chunk larger than kMaxSize ● This retrieves the Span header and directly calls pageheap->Delete(span) ● This in turn can lead to a call of DLL_Remove on headers located before and after the header 'span' 74
Strawberry Pudding <sinan> That's crap. I can make a strawberry pudding with so many prerequisites (In reference to some Windows heap technique) 75
Strawberry Pudding ● There are countless ways to get interesting 'things' to happen in TCMalloc depending on what you can corrupt ● The Span metadata unlink is approaching 'strawberry pudding' territory ● Many other fun primitives can be found within the heap managment routines e.g. consider the refcount attribute of a Span in the context of a double free or corrupted FreeList ● Entirely unnecessary though =D No integrity checks, we can win trivially. 76
WebKit Heap Manipulation 77
Tools of the trade ● Immunity Debugger + GDB ● Immunity Debugger ● GDB (OS X + Android) ● Allows us to dump information about the state of the heap – Chunk size, etc. ● vmmap ● Accurate view of the state of a processes memory 78
Heap Primitives ● We need three simple things ● To allocate memory ● To free memory ● To control the contents of allocated chunks ● Bonus ● Predict the heap layout 79
Current Techniques ● Array Allocation ● No deterministic chunk free – It relies on the behavior of the garbage collector ● Control just the first [Q|D]WORD – We are screwed if our function pointer is offset+8 ● In newer releases of WebKit the array creation is deferred until the elements are assigned. – We need to force a reallocation by assigning each one of the elements of the array. ● Summing up, it is inconvenient 80
Current Techniques ● Plain String allocation ● Rendered useless because of Ropes – Ropes are a non linear representation of strings – A string is represented by a tree of arrays of characters – Each one of the nodes can be reused by others strings ● Doing a substring on a string does not copy anything, just adds a new reference to the node/nodes – We need to find a way to build “linearized” strings ● More on this later 81
Array Technique ● Control of the first [Q|D]word ● To allocate N bytes ... ● S = [Q|D]WORD_SIZE ● E = # of array elements ● C = Constant ● N=S*E+C ● E = (N – C) / S ● We need an array of “E” elements ● Example allocation ● Green: Controlled DWORD ● Yellow: Partially controlled DWORD 82
Array Spray Example ● Allocate 'n' chunks ● Size 5*4 + 20 ● First DWORD is 0xcafecafe ● Second DWORD is 0x00000003 83
Allocation Primitive ● Since there is no direct fastMalloc available ● We need to get creative ● First approach: ● Just build strings! ● The catch: ropes ● Second approach: ● Take a look at the source code ● Realize what 'unescape' does 84
Unescape ● Unescape takes an encoded string and decodes it. ● To do so it needs the string in linear form (ie. No ropes) ● Appends each decoded char to a StringBuilder ● StringBuilder needs memory to hold the “unescaped” string. ● Potentially this gives us control over ● The size of the allocation ● The contents of the created chunks 85
String Builder ● Uses a reference counted storage ● Manages memory allocation automatically ● 'unescape' will append the unescaped characters to the a StringBuilder ● If more memory is needed, appendUninitialized will allocate a new buffer ● Size of the new allocation: ● new_size = prev_size + (prev_size >> 2) + 1 ● The previous buffer will be freed if its reference count reaches zero. ● This will be always the case when using unescape 86
Heap Spray ● String size is divided by two to take into account that each character is two bytes ● This will create 50 chunks of size 0x2c0 87
Heap Spray ● Chunks are contiguous (ie. No metadata inbetween) ● Hence aligned to the object size ● The whole contents of the objects are controlled ● Allows to craft really complex objects 88
Heap Spray 89
Deallocation Primitive ● There is no direct 'fastFree' available ● Traditional approach: ● Loop until GC kicks in ● This is not reliable ● Our approach ● Abuse the behavior of the StringBuilder 90
Deallocation Primitive ● Unescape appends decoded chars to the StringBuilder ● This will trigger a new allocation ● new_size = prev_size + (prev_size >> 2) + 1 –std::vector like allocation behavior ● The previous string will be immediately freed ● Unescape a string bigger than the one we need to free ● This will generate some heap noise ● Must be taken into account ● Most of the times it does not harm 91
Allocation Trace ● We want to make a hole of size 0x79a ● The corresponding allocation size is 0x820 92
Conclusions ● A simple heap leaves us with lots opportunities to exploit vulnerabilities ● Heap layout modification is easy again by using the “unescape” technique. ● No heap protections makes our life easy. 93
Previous Work ● Mark Daniel ● Jake Honoroff ● Charlie Miller ● Skypher 94
References ● http://goog-perftools.sourceforge.net/doc/tcmalloc.html ● https://trac.webkit.org/wiki/FastMalloc%20Glossary ● http://securityevaluators.com/files/papers/isewoot08.pdf 95
Questions? The end THX Agustin Gianni Sean Heelan agustin@immunityinc.com sean@immunityinc.com 96 @agustingianni @seanhn

Recommended

Large-Scale Automated Storage on Kubernetes - Matt Schallert OSCON 2019
Large-Scale Automated Storage on Kubernetes - Matt Schallert OSCON 2019Large-Scale Automated Storage on Kubernetes - Matt Schallert OSCON 2019
Large-Scale Automated Storage on Kubernetes - Matt Schallert OSCON 2019Matt Schallert
 
An Introduction to Apache Cassandra
An Introduction to Apache CassandraAn Introduction to Apache Cassandra
An Introduction to Apache CassandraSaeid Zebardast
 
HBaseCon 2012 | Lessons learned from OpenTSDB - Benoit Sigoure, StumbleUpon
HBaseCon 2012 | Lessons learned from OpenTSDB - Benoit Sigoure, StumbleUponHBaseCon 2012 | Lessons learned from OpenTSDB - Benoit Sigoure, StumbleUpon
HBaseCon 2012 | Lessons learned from OpenTSDB - Benoit Sigoure, StumbleUponCloudera, Inc.
 
Intro to cassandra
Intro to cassandraIntro to cassandra
Intro to cassandraJWORKS powered by Ordina
 
Ted Dunning – Very High Bandwidth Time Series Database Implementation - NoSQL...
Ted Dunning – Very High Bandwidth Time Series Database Implementation - NoSQL...Ted Dunning – Very High Bandwidth Time Series Database Implementation - NoSQL...
Ted Dunning – Very High Bandwidth Time Series Database Implementation - NoSQL...NoSQLmatters
 
2013 05 ny
2013 05 ny2013 05 ny
2013 05 nySri Ambati
 
Initial presentation of swift (for montreal user group)
Initial presentation of swift (for montreal user group)Initial presentation of swift (for montreal user group)
Initial presentation of swift (for montreal user group)Marcos García
 
OSDC 2016 - Chronix - A fast and efficient time series storage based on Apach...
OSDC 2016 - Chronix - A fast and efficient time series storage based on Apach...OSDC 2016 - Chronix - A fast and efficient time series storage based on Apach...
OSDC 2016 - Chronix - A fast and efficient time series storage based on Apach...NETWAYS
 

Recommended

Large-Scale Automated Storage on Kubernetes - Matt Schallert OSCON 2019
Large-Scale Automated Storage on Kubernetes - Matt Schallert OSCON 2019Large-Scale Automated Storage on Kubernetes - Matt Schallert OSCON 2019
Large-Scale Automated Storage on Kubernetes - Matt Schallert OSCON 2019Matt Schallert
 
An Introduction to Apache Cassandra
An Introduction to Apache CassandraAn Introduction to Apache Cassandra
An Introduction to Apache CassandraSaeid Zebardast
 
HBaseCon 2012 | Lessons learned from OpenTSDB - Benoit Sigoure, StumbleUpon
HBaseCon 2012 | Lessons learned from OpenTSDB - Benoit Sigoure, StumbleUponHBaseCon 2012 | Lessons learned from OpenTSDB - Benoit Sigoure, StumbleUpon
HBaseCon 2012 | Lessons learned from OpenTSDB - Benoit Sigoure, StumbleUponCloudera, Inc.
 
Intro to cassandra
Intro to cassandraIntro to cassandra
Intro to cassandraJWORKS powered by Ordina
 
Ted Dunning – Very High Bandwidth Time Series Database Implementation - NoSQL...
Ted Dunning – Very High Bandwidth Time Series Database Implementation - NoSQL...Ted Dunning – Very High Bandwidth Time Series Database Implementation - NoSQL...
Ted Dunning – Very High Bandwidth Time Series Database Implementation - NoSQL...NoSQLmatters
 
2013 05 ny
2013 05 ny2013 05 ny
2013 05 nySri Ambati
 
Initial presentation of swift (for montreal user group)
Initial presentation of swift (for montreal user group)Initial presentation of swift (for montreal user group)
Initial presentation of swift (for montreal user group)Marcos García
 
OSDC 2016 - Chronix - A fast and efficient time series storage based on Apach...
OSDC 2016 - Chronix - A fast and efficient time series storage based on Apach...OSDC 2016 - Chronix - A fast and efficient time series storage based on Apach...
OSDC 2016 - Chronix - A fast and efficient time series storage based on Apach...NETWAYS
 
openTSDB - Metrics for a distributed world
openTSDB - Metrics for a distributed worldopenTSDB - Metrics for a distributed world
openTSDB - Metrics for a distributed worldOliver Hankeln
 
Tag based sharding presentation
Tag based sharding presentationTag based sharding presentation
Tag based sharding presentationJuan Antonio Roy Couto
 
Apache Solr as a compressed, scalable, and high performance time series database
Apache Solr as a compressed, scalable, and high performance time series databaseApache Solr as a compressed, scalable, and high performance time series database
Apache Solr as a compressed, scalable, and high performance time series databaseFlorian Lautenschlager
 
Logs @ OVHcloud
Logs @ OVHcloudLogs @ OVHcloud
Logs @ OVHcloudOVHcloud
 
Building multi tenant systems with Cosmos DB and NserviceBus
Building multi tenant systems with Cosmos DB and NserviceBusBuilding multi tenant systems with Cosmos DB and NserviceBus
Building multi tenant systems with Cosmos DB and NserviceBusIvan Lazarov
 
MongoDB Concepts
MongoDB ConceptsMongoDB Concepts
MongoDB ConceptsJuan Antonio Roy Couto
 
MongoDB Basics Unileon
MongoDB Basics UnileonMongoDB Basics Unileon
MongoDB Basics UnileonJuan Antonio Roy Couto
 
Triggers in MongoDB
Triggers in MongoDBTriggers in MongoDB
Triggers in MongoDBAntonios Giannopoulos
 
Apache cassandra an introduction
Apache cassandra an introductionApache cassandra an introduction
Apache cassandra an introductionShehaaz Saif
 
New Indexing and Aggregation Pipeline Capabilities in MongoDB 4.2
New Indexing and Aggregation Pipeline Capabilities in MongoDB 4.2New Indexing and Aggregation Pipeline Capabilities in MongoDB 4.2
New Indexing and Aggregation Pipeline Capabilities in MongoDB 4.2Antonios Giannopoulos
 
Diagnosing HotSpot JVM Memory Leaks with JFR and JMC
Diagnosing HotSpot JVM Memory Leaks with JFR and JMCDiagnosing HotSpot JVM Memory Leaks with JFR and JMC
Diagnosing HotSpot JVM Memory Leaks with JFR and JMCMushfekur Rahman
 
Building a Unified Logging Layer with Fluentd, Elasticsearch and Kibana
Building a Unified Logging Layer with Fluentd, Elasticsearch and KibanaBuilding a Unified Logging Layer with Fluentd, Elasticsearch and Kibana
Building a Unified Logging Layer with Fluentd, Elasticsearch and KibanaMushfekur Rahman
 
Distributed Transaction Management in Spring & JEE
Distributed Transaction Management in Spring & JEEDistributed Transaction Management in Spring & JEE
Distributed Transaction Management in Spring & JEEMushfekur Rahman
 
Spanner (may 19)
Spanner (may 19)Spanner (may 19)
Spanner (may 19)Sultan Ahmed
 
Peer sim (p2p network)
Peer sim (p2p network)Peer sim (p2p network)
Peer sim (p2p network)Hein Min Htike
 
MapDB - taking Java collections to the next level
MapDB - taking Java collections to the next levelMapDB - taking Java collections to the next level
MapDB - taking Java collections to the next levelJavaDayUA
 
Hacking Webkit & Its JavaScript Engines
Hacking Webkit & Its JavaScript EnginesHacking Webkit & Its JavaScript Engines
Hacking Webkit & Its JavaScript EnginesSencha
 
Reliable Windows Heap Exploits
Reliable Windows Heap ExploitsReliable Windows Heap Exploits
Reliable Windows Heap Exploitsamiable_indian
 
DbiFuzz framework #ZeroNights E.0x03 slides
DbiFuzz framework #ZeroNights E.0x03 slidesDbiFuzz framework #ZeroNights E.0x03 slides
DbiFuzz framework #ZeroNights E.0x03 slidesPeter Hlavaty
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with DroidsPeter Hlavaty
 
Linux KVM のコードを追いかけてみよう
Linux KVM のコードを追いかけてみようLinux KVM のコードを追いかけてみよう
Linux KVM のコードを追いかけてみようTsuyoshi OZAWA
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 

More Related Content

What's hot

openTSDB - Metrics for a distributed world
openTSDB - Metrics for a distributed worldopenTSDB - Metrics for a distributed world
openTSDB - Metrics for a distributed worldOliver Hankeln
 
Apache Solr as a compressed, scalable, and high performance time series database
Apache Solr as a compressed, scalable, and high performance time series databaseApache Solr as a compressed, scalable, and high performance time series database
Apache Solr as a compressed, scalable, and high performance time series databaseFlorian Lautenschlager
 
Logs @ OVHcloud
Logs @ OVHcloudLogs @ OVHcloud
Logs @ OVHcloudOVHcloud
 
Building multi tenant systems with Cosmos DB and NserviceBus
Building multi tenant systems with Cosmos DB and NserviceBusBuilding multi tenant systems with Cosmos DB and NserviceBus
Building multi tenant systems with Cosmos DB and NserviceBusIvan Lazarov
 
Apache cassandra an introduction
Apache cassandra an introductionApache cassandra an introduction
Apache cassandra an introductionShehaaz Saif
 
New Indexing and Aggregation Pipeline Capabilities in MongoDB 4.2
New Indexing and Aggregation Pipeline Capabilities in MongoDB 4.2New Indexing and Aggregation Pipeline Capabilities in MongoDB 4.2
New Indexing and Aggregation Pipeline Capabilities in MongoDB 4.2Antonios Giannopoulos
 
Diagnosing HotSpot JVM Memory Leaks with JFR and JMC
Diagnosing HotSpot JVM Memory Leaks with JFR and JMCDiagnosing HotSpot JVM Memory Leaks with JFR and JMC
Diagnosing HotSpot JVM Memory Leaks with JFR and JMCMushfekur Rahman
 
Building a Unified Logging Layer with Fluentd, Elasticsearch and Kibana
Building a Unified Logging Layer with Fluentd, Elasticsearch and KibanaBuilding a Unified Logging Layer with Fluentd, Elasticsearch and Kibana
Building a Unified Logging Layer with Fluentd, Elasticsearch and KibanaMushfekur Rahman
 
Distributed Transaction Management in Spring & JEE
Distributed Transaction Management in Spring & JEEDistributed Transaction Management in Spring & JEE
Distributed Transaction Management in Spring & JEEMushfekur Rahman
 
Peer sim (p2p network)
Peer sim (p2p network)Peer sim (p2p network)
Peer sim (p2p network)Hein Min Htike
 
MapDB - taking Java collections to the next level
MapDB - taking Java collections to the next levelMapDB - taking Java collections to the next level
MapDB - taking Java collections to the next levelJavaDayUA
 

What's hot (16)

openTSDB - Metrics for a distributed world
openTSDB - Metrics for a distributed worldopenTSDB - Metrics for a distributed world
openTSDB - Metrics for a distributed world
 
Tag based sharding presentation
Tag based sharding presentationTag based sharding presentation
Tag based sharding presentation
 
Apache Solr as a compressed, scalable, and high performance time series database
Apache Solr as a compressed, scalable, and high performance time series databaseApache Solr as a compressed, scalable, and high performance time series database
Apache Solr as a compressed, scalable, and high performance time series database
 
Logs @ OVHcloud
Logs @ OVHcloudLogs @ OVHcloud
Logs @ OVHcloud
 
Building multi tenant systems with Cosmos DB and NserviceBus
Building multi tenant systems with Cosmos DB and NserviceBusBuilding multi tenant systems with Cosmos DB and NserviceBus
Building multi tenant systems with Cosmos DB and NserviceBus
 
MongoDB Concepts
MongoDB ConceptsMongoDB Concepts
MongoDB Concepts
 
MongoDB Basics Unileon
MongoDB Basics UnileonMongoDB Basics Unileon
MongoDB Basics Unileon
 
Triggers in MongoDB
Triggers in MongoDBTriggers in MongoDB
Triggers in MongoDB
 
Apache cassandra an introduction
Apache cassandra an introductionApache cassandra an introduction
Apache cassandra an introduction
 
New Indexing and Aggregation Pipeline Capabilities in MongoDB 4.2
New Indexing and Aggregation Pipeline Capabilities in MongoDB 4.2New Indexing and Aggregation Pipeline Capabilities in MongoDB 4.2
New Indexing and Aggregation Pipeline Capabilities in MongoDB 4.2
 
Diagnosing HotSpot JVM Memory Leaks with JFR and JMC
Diagnosing HotSpot JVM Memory Leaks with JFR and JMCDiagnosing HotSpot JVM Memory Leaks with JFR and JMC
Diagnosing HotSpot JVM Memory Leaks with JFR and JMC
 
Building a Unified Logging Layer with Fluentd, Elasticsearch and Kibana
Building a Unified Logging Layer with Fluentd, Elasticsearch and KibanaBuilding a Unified Logging Layer with Fluentd, Elasticsearch and Kibana
Building a Unified Logging Layer with Fluentd, Elasticsearch and Kibana
 
Distributed Transaction Management in Spring & JEE
Distributed Transaction Management in Spring & JEEDistributed Transaction Management in Spring & JEE
Distributed Transaction Management in Spring & JEE
 
Spanner (may 19)
Spanner (may 19)Spanner (may 19)
Spanner (may 19)
 
Peer sim (p2p network)
Peer sim (p2p network)Peer sim (p2p network)
Peer sim (p2p network)
 
MapDB - taking Java collections to the next level
MapDB - taking Java collections to the next levelMapDB - taking Java collections to the next level
MapDB - taking Java collections to the next level
 

Viewers also liked

Hacking Webkit & Its JavaScript Engines
Hacking Webkit & Its JavaScript EnginesHacking Webkit & Its JavaScript Engines
Hacking Webkit & Its JavaScript EnginesSencha
 
Reliable Windows Heap Exploits
Reliable Windows Heap ExploitsReliable Windows Heap Exploits
Reliable Windows Heap Exploitsamiable_indian
 
DbiFuzz framework #ZeroNights E.0x03 slides
DbiFuzz framework #ZeroNights E.0x03 slidesDbiFuzz framework #ZeroNights E.0x03 slides
DbiFuzz framework #ZeroNights E.0x03 slidesPeter Hlavaty
 
Linux KVM のコードを追いかけてみよう
Linux KVM のコードを追いかけてみようLinux KVM のコードを追いかけてみよう
Linux KVM のコードを追いかけてみようTsuyoshi OZAWA
 
Power of linked list
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
 
iPhone Data Protection in Depth
iPhone Data Protection in Depth iPhone Data Protection in Depth
iPhone Data Protection in DepthSeguridad Apple
 
Antid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSAntid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSSeguridad Apple
 
見つけた脆弱性について(cybozu.com Security Challenge)
見つけた脆弱性について(cybozu.com Security Challenge)見つけた脆弱性について(cybozu.com Security Challenge)
見つけた脆弱性について(cybozu.com Security Challenge)Masato Kinugawa
 
iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days laterSeguridad Apple
 
Exploit techniques and mitigation
Exploit techniques and mitigationExploit techniques and mitigation
Exploit techniques and mitigationYaniv Shani
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?Peter Hlavaty
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Targeting the iOS kernel
Targeting the iOS kernelTargeting the iOS kernel
Targeting the iOS kernelSeguridad Apple
 
SecurityCamp2015「CVE-2015-4483解説」
SecurityCamp2015「CVE-2015-4483解説」SecurityCamp2015「CVE-2015-4483解説」
SecurityCamp2015「CVE-2015-4483解説」Masato Kinugawa
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming BasicsReversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basicssecurityxploded
 

Viewers also liked (20)

Hacking Webkit & Its JavaScript Engines
Hacking Webkit & Its JavaScript EnginesHacking Webkit & Its JavaScript Engines
Hacking Webkit & Its JavaScript Engines
 
Reliable Windows Heap Exploits
Reliable Windows Heap ExploitsReliable Windows Heap Exploits
Reliable Windows Heap Exploits
 
DbiFuzz framework #ZeroNights E.0x03 slides
DbiFuzz framework #ZeroNights E.0x03 slidesDbiFuzz framework #ZeroNights E.0x03 slides
DbiFuzz framework #ZeroNights E.0x03 slides
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with Droids
 
Linux KVM のコードを追いかけてみよう
Linux KVM のコードを追いかけてみようLinux KVM のコードを追いかけてみよう
Linux KVM のコードを追いかけてみよう
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
 
IOS debugging
IOS debuggingIOS debugging
IOS debugging
 
How2heap
How2heap How2heap
How2heap
 
iPhone Data Protection in Depth
iPhone Data Protection in Depth iPhone Data Protection in Depth
iPhone Data Protection in Depth
 
Antid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOSAntid0te 2.0 – ASLR in iOS
Antid0te 2.0 – ASLR in iOS
 
見つけた脆弱性について(cybozu.com Security Challenge)
見つけた脆弱性について(cybozu.com Security Challenge)見つけた脆弱性について(cybozu.com Security Challenge)
見つけた脆弱性について(cybozu.com Security Challenge)
 
iOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days lateriOS 6 Exploitation: 280 days later
iOS 6 Exploitation: 280 days later
 
Exploit techniques and mitigation
Exploit techniques and mitigationExploit techniques and mitigation
Exploit techniques and mitigation
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
Bug-hunter's Sorrow
Bug-hunter's SorrowBug-hunter's Sorrow
Bug-hunter's Sorrow
 
Targeting the iOS kernel
Targeting the iOS kernelTargeting the iOS kernel
Targeting the iOS kernel
 
SecurityCamp2015「CVE-2015-4483解説」
SecurityCamp2015「CVE-2015-4483解説」SecurityCamp2015「CVE-2015-4483解説」
SecurityCamp2015「CVE-2015-4483解説」
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
 
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming BasicsReversing & Malware Analysis Training Part 4 - Assembly Programming Basics
Reversing & Malware Analysis Training Part 4 - Assembly Programming Basics
 

Similar to Attacking the Webkit heap [Or how to write Safari exploits]

Everything I Ever Learned About JVM Performance Tuning @Twitter
Everything I Ever Learned About JVM Performance Tuning @TwitterEverything I Ever Learned About JVM Performance Tuning @Twitter
Everything I Ever Learned About JVM Performance Tuning @TwitterAttila Szegedi
 
MongoDB World 2019: Packing Up Your Data and Moving to MongoDB Atlas
MongoDB World 2019: Packing Up Your Data and Moving to MongoDB AtlasMongoDB World 2019: Packing Up Your Data and Moving to MongoDB Atlas
MongoDB World 2019: Packing Up Your Data and Moving to MongoDB AtlasMongoDB
 
FOSDEM 2019: M3, Prometheus and Graphite with metrics and monitoring in an in...
FOSDEM 2019: M3, Prometheus and Graphite with metrics and monitoring in an in...FOSDEM 2019: M3, Prometheus and Graphite with metrics and monitoring in an in...
FOSDEM 2019: M3, Prometheus and Graphite with metrics and monitoring in an in...Rob Skillington
 
Dennis Benkert & Matthias Lübken - Patterns in a containerized world? - code....
Dennis Benkert & Matthias Lübken - Patterns in a containerized world? - code....Dennis Benkert & Matthias Lübken - Patterns in a containerized world? - code....
Dennis Benkert & Matthias Lübken - Patterns in a containerized world? - code....AboutYouGmbH
 
Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)
Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)
Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)Alex Chepurnoy
 
Crypto & Crpyocurrencies Intro
Crypto & Crpyocurrencies IntroCrypto & Crpyocurrencies Intro
Crypto & Crpyocurrencies IntroTal Shmueli
 
Improve Presto Architectural Decisions with Shadow Cache
Improve Presto Architectural Decisions with Shadow Cache Improve Presto Architectural Decisions with Shadow Cache
Improve Presto Architectural Decisions with Shadow CacheAlluxio, Inc.
 
How I Sped up Complex Matrix-Vector Multiplication: Finding Intel MKL's "S
How I Sped up Complex Matrix-Vector Multiplication: Finding Intel MKL's "SHow I Sped up Complex Matrix-Vector Multiplication: Finding Intel MKL's "S
How I Sped up Complex Matrix-Vector Multiplication: Finding Intel MKL's "SBrandon Liu
 
Wikimedia Content API: A Cassandra Use-case
Wikimedia Content API: A Cassandra Use-caseWikimedia Content API: A Cassandra Use-case
Wikimedia Content API: A Cassandra Use-caseEric Evans
 
NetflixOSS Meetup season 3 episode 1
NetflixOSS Meetup season 3 episode 1NetflixOSS Meetup season 3 episode 1
NetflixOSS Meetup season 3 episode 1Ruslan Meshenberg
 
7. Key-Value Databases: In Depth
7. Key-Value Databases: In Depth7. Key-Value Databases: In Depth
7. Key-Value Databases: In DepthFabio Fumarola
 
Kubernetes Me this Batman
Kubernetes Me this BatmanKubernetes Me this Batman
Kubernetes Me this BatmanSonatype
 
Machine learning at Scale with Apache Spark
Machine learning at Scale with Apache SparkMachine learning at Scale with Apache Spark
Machine learning at Scale with Apache SparkMartin Zapletal
 
Data Policies for the Kafka-API with WebAssembly | Alexander Gallego, Vectorized
Data Policies for the Kafka-API with WebAssembly | Alexander Gallego, VectorizedData Policies for the Kafka-API with WebAssembly | Alexander Gallego, Vectorized
Data Policies for the Kafka-API with WebAssembly | Alexander Gallego, VectorizedHostedbyConfluent
 
Cloud storage: the right way OSS EU 2018
Cloud storage: the right way OSS EU 2018Cloud storage: the right way OSS EU 2018
Cloud storage: the right way OSS EU 2018Orit Wasserman
 

Similar to Attacking the Webkit heap [Or how to write Safari exploits] (20)

Everything I Ever Learned About JVM Performance Tuning @Twitter
Everything I Ever Learned About JVM Performance Tuning @TwitterEverything I Ever Learned About JVM Performance Tuning @Twitter
Everything I Ever Learned About JVM Performance Tuning @Twitter
 
MongoDB World 2019: Packing Up Your Data and Moving to MongoDB Atlas
MongoDB World 2019: Packing Up Your Data and Moving to MongoDB AtlasMongoDB World 2019: Packing Up Your Data and Moving to MongoDB Atlas
MongoDB World 2019: Packing Up Your Data and Moving to MongoDB Atlas
 
FOSDEM 2019: M3, Prometheus and Graphite with metrics and monitoring in an in...
FOSDEM 2019: M3, Prometheus and Graphite with metrics and monitoring in an in...FOSDEM 2019: M3, Prometheus and Graphite with metrics and monitoring in an in...
FOSDEM 2019: M3, Prometheus and Graphite with metrics and monitoring in an in...
 
Dennis Benkert & Matthias Lübken - Patterns in a containerized world? - code....
Dennis Benkert & Matthias Lübken - Patterns in a containerized world? - code....Dennis Benkert & Matthias Lübken - Patterns in a containerized world? - code....
Dennis Benkert & Matthias Lübken - Patterns in a containerized world? - code....
 
Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)
Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)
Proof-of-Stake & Its Improvements (San Francisco Bitcoin Devs Hackathon)
 
Crypto & Crpyocurrencies Intro
Crypto & Crpyocurrencies IntroCrypto & Crpyocurrencies Intro
Crypto & Crpyocurrencies Intro
 
Improve Presto Architectural Decisions with Shadow Cache
Improve Presto Architectural Decisions with Shadow Cache Improve Presto Architectural Decisions with Shadow Cache
Improve Presto Architectural Decisions with Shadow Cache
 
How I Sped up Complex Matrix-Vector Multiplication: Finding Intel MKL's "S
How I Sped up Complex Matrix-Vector Multiplication: Finding Intel MKL's "SHow I Sped up Complex Matrix-Vector Multiplication: Finding Intel MKL's "S
How I Sped up Complex Matrix-Vector Multiplication: Finding Intel MKL's "S
 
Wikimedia Content API: A Cassandra Use-case
Wikimedia Content API: A Cassandra Use-caseWikimedia Content API: A Cassandra Use-case
Wikimedia Content API: A Cassandra Use-case
 
NetflixOSS Meetup season 3 episode 1
NetflixOSS Meetup season 3 episode 1NetflixOSS Meetup season 3 episode 1
NetflixOSS Meetup season 3 episode 1
 
7. Key-Value Databases: In Depth
7. Key-Value Databases: In Depth7. Key-Value Databases: In Depth
7. Key-Value Databases: In Depth
 
Kubernetes Me this Batman
Kubernetes Me this BatmanKubernetes Me this Batman
Kubernetes Me this Batman
 
Kubernetes Me This Batman
Kubernetes Me This BatmanKubernetes Me This Batman
Kubernetes Me This Batman
 
Machine learning at Scale with Apache Spark
Machine learning at Scale with Apache SparkMachine learning at Scale with Apache Spark
Machine learning at Scale with Apache Spark
 
Data Policies for the Kafka-API with WebAssembly | Alexander Gallego, Vectorized
Data Policies for the Kafka-API with WebAssembly | Alexander Gallego, VectorizedData Policies for the Kafka-API with WebAssembly | Alexander Gallego, Vectorized
Data Policies for the Kafka-API with WebAssembly | Alexander Gallego, Vectorized
 
ApacheCon BigData Europe 2015
ApacheCon BigData Europe 2015 ApacheCon BigData Europe 2015
ApacheCon BigData Europe 2015
 
Cloud storage: the right way OSS EU 2018
Cloud storage: the right way OSS EU 2018Cloud storage: the right way OSS EU 2018
Cloud storage: the right way OSS EU 2018
 
Nexmark with beam
Nexmark with beamNexmark with beam
Nexmark with beam
 
Kubernetes: My BFF
Kubernetes: My BFFKubernetes: My BFF
Kubernetes: My BFF
 
Big data nyu
Big data nyuBig data nyu
Big data nyu
 

Recently uploaded

Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...itnewsafrica
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 

Recently uploaded (20)

Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
Abdul Kader Baba- Managing Cybersecurity Risks and Compliance Requirements i...
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 

Attacking the Webkit heap [Or how to write Safari exploits]

  • 1. Attacking the WebKit Heap [Or how to write Safari exploits] Agustin Gianni + Sean Heelan 1 Immunity Inc.
  • 2. Introduction ● The use of Webkit has been increasing steadily ● According to Wikipedia¹, “WebKit powers Google Chrome and Apple's Safari, which in January 2011 had around 13% and 6% of browser market share respectively.” ● Webkit Heap is based on TCMalloc ● Source is available ● A custom heap allocator eases the development of cross platform exploits. ● They use the same one for every architecture/os ● A single exploit to rule them all. 2 ¹ http://en.wikipedia.org/wiki/WebKit
  • 3. Motivation ● Huge surface of attack ● Chrome ● Safari ● Android ● Kindle ● BlackBerry ● Security teletubbies use MacOSX ● Finally we can pwn Charlie Miller. 3
  • 4. Basics ● Custom allocator designed with speed in mind ● Generally, speed = less “security checks” ● Thread oriented design ● Each thread gets a thread-local cache. ● Each thread manages its own allocations. ● TCMalloc consists of three different allocators ● Hierarchically arranged – Higher up allocators serve the lower allocators with memory 4
  • 5. Allocator Hierarchy The PageHeap is closest to the system (highest), the ThreadCache is closest to the application (lowest) 5
  • 6. Allocation Sizes ● Chunk sizes are divided into kNumClasses ● WebKit has 68 Size Classes ● Allocations are rounded to the nearest size class ● Small chunks < 8 * PAGE_SIZE ● Allocated from the ThreadCache ● Large chunks > 8 * PAGE_SIZE ● Allocated from the PageHeap 6
  • 7. Spans ● Memory managed by TCMalloc is backed by a Span structure ● Sets of contiguous pages ● Can contain: ● Set of Small Chunks ● Large Chunk ● Span metadata is stored in the Span header which is allocated independently of the Span data 7
  • 8. ThreadCache ● Front-end allocator for each thread ● Contains an array of 68* free- lists ● Max. elements per free-list is 256* ● Allocates/Deallocates its memory from/to the CentralCache 8 * May differ between applications
  • 9. ThreadCache Freelist ● Each size class has its own ThreadCache FreeList ● The list_ attribute points to a singly linked list of free chunks 9
  • 10. Central-Cache ● Is an array of CentralFreeList's ● One per size class ● Obtains/Frees its memory from/to the PageHeap ● Splits a Span into smaller chunks ● Provides chunks to Thread-Caches ● Populates a given freelist ● Shared by all threads ● Locking is required 10
  • 11. Small Chunk Span Creation ● The Span objects list is used as the backend for FreeList creation for the CentralCache 11
  • 12. PageHeap ● Manages chunks of memory allocated from the system allocators ● Populated on the first call to PageHeap::New (and as required after this) ● This will trigger an allocation from the System allocator e.g. VirtualAlloc, mmap, sbrk ● Contains two free lists ● SpanList large – For chunks bigger than kMaxPages (256 in WebKit) ● SpanList free_[kMaxPages] 12 – First entry is 1 page, second entry 2 pages, and so on
  • 14. Small Chunk Allocation ● 68 different Size Classes * ● Sizes are rounded to the next size class ● 8 bytes is the minimum chunk size ● Allocations of size 0 are valid and rounded up to 8 ● Chunks will be obtained from one of the Thread-Cache free lists 14
  • 15. 15
  • 17. Large Chunk Allocation ● Handled by the PageHeap ● Allocations of more than 8*PAGE_SIZE are considered large allocations ● Page aligned ● Can trigger heap growth 17
  • 18. 18
  • 19. Chunk Deallocation ● Small chunks go directly to the ThreadCache free list. ● If the free list size exceeds 'kMaxFreeListLength' (256) some of the chunks are moved to the central- cache free list. ● If the combined size of the chunks exceeds 'kMaxThreadCacheSize' (2<<20) → GC ● Large chunks are inserted on the PageHeap ● Coalescing is triggered if neighboring chunks are also free. 19
  • 23. Security Mechanisms ● Back to 1995 ● All in all, there are no protections ● Lulz level increased comex: “The best way to avoid fighting with the heap is to find vulnerabilities that aren't heap overflows” ● Vendors must have felt sorry for us =D 23
  • 24. Resurrecting the Dead ● Freeing Invalid Pointers ● ThreadCache FreeList Overflow ● Insert to FreeList[X] ● Span Objects List Overflow ● Insert to Span Objects list ● Double Free ● Span Metadata Overflow ● Unlink ● Strawberry Pudding 24
  • 26. Freeing Invalid Pointers: The Bad ● If the pointer has a PageID (ptr >> kPageShift) that has not previously recorded as a Span then Bad Things may occur ● There is a PageMap object that maps from pointers to the correct Span containing information about the page they are within ● At the start of do_free TCMalloc attempts to retrieve the Span for the pointer using GetDescriptor(ptr >> kPageShift)
  • 27. Freeing Invalid Pointers: The Bad void* get(Number k) const { ASSERT(k >> BITS == 0); const Number i1 = k >> LEAF_BITS; const Number i2 = k & (LEAF_LENGTH-1); return root_[i1]->values[i2]; } ● root is an array of 32 pointers, initialized to 0 ● values is an array of 32768 pointers, initialized to 0 ● So ptr >> kPageShift must therefore have been inserted into the PageMap at some point or ...
  • 28. Freeing Invalid Pointers: The Bad ● .... Bad Things ● TCMalloc in WebKit will segfault on the NULL ptr dereference if root[i1] has not been alloc'd ● TCMalloc in Chrome detects the above condition and returns NULL ● In both, the values array is initialized to 0 so root_[i1]->values[i2] will return NULL if it has never been set previously ● Chrome again detects the NULL return value and will raise a SIGABRT or similar ● WebKit again will kamikaze on a NULL ptr soon after
  • 29. Freeing Invalid Pointers: The Bad ● Can be an inconvenience for other techniques ● Prevents us from free'ing Span header objects as they are allocated from a separate pool of memory ● We have to be careful not to trigger free calls on pointers we insert into free lists after they are handed to the application if they are not in a valid Span ● As a side note, the above two level array is used for 32-bit Linux/OS X, 32-bit Windows uses a flat array and 64-bit * uses a radix tree ● For our purposes the result is effectively the same
  • 30. Freeing Invalid Pointers: The Good ● We can however free any pointer that maps back to a valid Span ● Free'ing large objects (> kMaxSize [32768]) – Free of any address within the first page of the object free's the object – The other pages are not linked to any Span ● Free'ing small objects – Any address that falls within a span recorded as containing small objects can be free'd – If the Span contains multiple pages, each page is linked back to the correct Span header in the PageMap – The pointer will be added to the free list for size class of the Span it falls within
  • 31. Freeing Invalid Pointers: Large Objects PageMap 0xbc31 SPAN_0xbc31
  • 32. Freeing Invalid Pointers: Large Objects PageMap 0xbc31 SPAN_0xbc31 free(0xbc31ffff) :) free(0xbc32000) :(
  • 33. Freeing Invalid Pointers: Small Objects PageMap 0xbc31 SPAN_0xbc31 0xbc32 SPAN_0xbc31
  • 34. Freeing Invalid Pointers: Small Objects PageMap 0xbc31 SPAN_0xbc31 0xbc32 SPAN_0xbc31
  • 35. Summary ● For large objects free'ing any pointer within the first page free's the entire object ● For small objects free'ing any pointer within the Span free's that pointer ● This pointer does *NOT* have to be correctly aligned with the small chunks in that Span ● Therefore we can free part of an in-use chunk if we want ● Interesting vector when considering partial pointer overflows that are later free'd ● Free'ing anything else will end in Bad Things
  • 37. FreeList[X] Allocation ● ThreadCache FreeList[X] ● ThreadCache::Allocate (non empty freelist) SLL_Pop(void **list_) result = *list_; *list_ = **list_; return result; 37
  • 38. FreeList[X] Allocation SLL_Pop(void **list_) result = *list_; 38
  • 39. FreeList[X] Allocation SLL_Pop(void **list_) result = *list_; 39
  • 40. FreeList[X] Allocation SLL_Pop(void **list_) result = *list_; ● *list_ = **list_; return result; 40
  • 42. Insert to FreeList[X] overflow_func(result) 42
  • 44. Insert to FreeList[X] Allocate(FreeList[X]) 44
  • 45. Insert to FreeList[X] Allocate(FreeList[X]) ● This allocation returns an address we control to the application as valid heap memory ● Similar to the Insert to Lookaside technique in effect ● The new list head pointer is equal to the first DWORD of this region ● Caveat: Ensuring our overflow chunk is behind a chunk 45 in a free list may require some trickery...
  • 46. FreeList Creation ● Initial FreeList creation FetchFromCentralCache -> CentralFreeList::RemoveRange -> CentralFreeList::FetchFromSpansSafe ->CentralFreeList::Populate ● FetchFromSpans returns the chunks in address order but RemoveRange creates its list by prepending the chunks to the head ● The result – Chunks in a new FreeList are *behind* a newly allocated chunk 46
  • 47. FreeList Creation: Populate() ● Populate (re)sets the objects list of a span into address order 47
  • 48. FreeList Creation: RemoveRange() while (count < num) { void *t = FetchFromSpans(); if (!t) break; SLL_Push(&head, t); count++; } 48
  • 49. FreeList Creation: RemoveRange() while (count < num) { void *t = FetchFromSpans(); if (!t) break; SLL_Push(&head, t); count++; } ● FetchFromSpans pops from the head of the objects list and SLL_Push sets each as the 49 new free list head
  • 50. FreeList Creation ● Chunks are in reverse address order ● Created from the Span starting at 0xdcaa000 50
  • 51. Crafting the FreeList Layout ● Solution. ● Empty the FreeList and the first Span in the nonempty list – The next allocation will retrieve an ordered set of chunks via Populate etc. from one or more spans and create a FreeList. – Maximum FreeList lengths differ between browsers ● Safari – 256 ● Chrome – 8192 ● Rearrange the FreeList via malloc/free calls 51
  • 52. FreeList Corruption Notes ● ThreadCache::Allocate ● Gives the Insert to FreeList[X] technique – revives the 4-to-N byte overflow primitive ● Requires an overflow and at least two allocations – The first allocation to set the list head pointer from our corrupted chunk and the second to hand back this pointer to the application ● On allocation of the target pointer the [D|Q]WORD at this address becomes the FreeList head. – Need to be wary of further allocations if we cannot set this to 0x0 (End of List) or ensure that the allocation that returns the target pointer is the last pointer in the free list52 (length_ == 0 afterwards)
  • 53. FreeList Corruption Notes ● ThreadCache::Deallocate ● Generally functions correctly as chunks are prepended to the FreeList without walking it ● May trigger a call to ReleaseToCentralCache if FreeList[X]->length() > kMaxFreeListLength – This in turn causes the FreeList to be walked through PopRange. If our corrupted chunk is within batch_size elements from the head of the list the corrupted next pointer will be followed as will the DWORD at that address and so on up to batch_size times. ● If the memory we inserted into the FreeList is not within a page allocated by TCMalloc and gets free'd TM 53 then Very Bad Things happen (Process death)
  • 55. Span Objects List Corruption ● Hang on a sec... ● What about the span objects list? ● Also a singly linked list ● The head resides directly after the FreeList head when a new Span is created and partially returned as a FreeList 55
  • 56. Span Objects List Corruption ● What if we force this situation as before (empty free lists, trigger call to Populate() to reset Span object list) and overflow the first chunk returned instead of re-ordering for a FreeList overwrite 56
  • 57. Span Objects List Corruption result = malloc(size) 57
  • 58. Span Objects List Corruption result = malloc(size) overflow(result) 58
  • 59. Faking a FreeList ● At this point the old FreeList is untouched ● But... we have trashed the next pointer for the first chunk in the span objects list, ● The next time TCMalloc tries to build a new FreeList from this Span it will add the pointer we control to the list 59
  • 60. Faking a FreeList result = FetchFromSpans(); free_list.push(result) 60
  • 61. Faking a FreeList result = FetchFromSpans(); free_list.push(result) result = FetchFromSpans(); free_list.push(result) 61
  • 63. Faking a FreeList ● What happens next depends on the first [Q|D]word of the chunk at XXXX ● RemoveRange() will continue to use this Span to build the new free list until it reaches its limit or empties the Span ● Ideally we want it to be 0x0 so the Span is considered empty ● If not then this pointer will be followed and so on until a 0x0 is reached or enough chunks are retrieved 63
  • 64. Summary ● Overflow the head of a new free list (or any chunk before a chunk in a Span object list) and corrupt the next pointer of a chunk in a Span object list ● Empty the FreeList for that Span object size ● Trigger another allocation of this size, causing TCMalloc to create a new free list from the non-empty spans ● This allocation will follow our controlled pointer (presuming no other spans have been added to the nonempty span list) when building the free list ● The last chunk added is directly returned to the application ● Revives the 4-to-N byte overflow primitive, again 64
  • 66. Double Free ● TCMalloc has no protection against this type of error ● A double free of a pointer simply results in the same chunk being inserted into the FreeList twice ● A cycle in the FreeList is created if the chunk was not removed from the FreeList between frees (via allocation or returning to the CentralFreeList) ● Exploitation - obvious? ● Allocate twice. First as an object containing function pointers then as a controllable object e.g. a string 66
  • 67. Span Metadata Corruption: Hacking like it's 1995 67
  • 68. Hello Darkness my old friend static inline void DLL_Remove(Span* span) { span->prev->next = span->next; span->next->prev = span->prev; span->prev = NULL; span->next = NULL; } 68
  • 69. Overflowing Span Metadata ● New spans created for large allocations (>0x8000) and when the CentralFreeList runs out of chunks for smaller sizes ● Metadata for Spans is *not* stored inline with the pages representing the data ● Span headers are separate objects allocated from their own PageHeapAllocator (initially a 0x8000 byte pool created via sbrk, mmap or VirtualAlloc) 69
  • 70. Overflowing Span Metadata ● Overflowing Span metadata is not as convenient or as common as a FreeList or Span object list overwrite ● Requires the Span pool to be after whatever chunk we overflow with no unmapped pages in between ● May not be possible to ensure this and will depend on the OS and application embedding TCMalloc ● If we can force the required memory layout then this may allow for as many mirrored write-4s as we can overflow consecutive headers 70
  • 71. Required Memory Layout ● Where is the pool of Span headers ● If sbrk() is in use then we can force it to be after the chunks managed by TCMalloc ● If mmap or VirtualAlloc are used then it could be in any number of locations due to randomization 71
  • 72. Corrupting Span Metadata ● Presuming we have the correct memory layout, then what? ● We need an overflow large enough to cover the gap between our allocated chunk and the Span metadata 72
  • 74. Triggering the Unlink ● DLL_Remove is called in a number of places as part of Span management in the PageHeap and CentralFreeList ● The most straightforward path to DLL_Remove appears to be through do_free on a chunk larger than kMaxSize ● This retrieves the Span header and directly calls pageheap->Delete(span) ● This in turn can lead to a call of DLL_Remove on headers located before and after the header 'span' 74
  • 75. Strawberry Pudding <sinan> That's crap. I can make a strawberry pudding with so many prerequisites (In reference to some Windows heap technique) 75
  • 76. Strawberry Pudding ● There are countless ways to get interesting 'things' to happen in TCMalloc depending on what you can corrupt ● The Span metadata unlink is approaching 'strawberry pudding' territory ● Many other fun primitives can be found within the heap managment routines e.g. consider the refcount attribute of a Span in the context of a double free or corrupted FreeList ● Entirely unnecessary though =D No integrity checks, we can win trivially. 76
  • 78. Tools of the trade ● Immunity Debugger + GDB ● Immunity Debugger ● GDB (OS X + Android) ● Allows us to dump information about the state of the heap – Chunk size, etc. ● vmmap ● Accurate view of the state of a processes memory 78
  • 79. Heap Primitives ● We need three simple things ● To allocate memory ● To free memory ● To control the contents of allocated chunks ● Bonus ● Predict the heap layout 79
  • 80. Current Techniques ● Array Allocation ● No deterministic chunk free – It relies on the behavior of the garbage collector ● Control just the first [Q|D]WORD – We are screwed if our function pointer is offset+8 ● In newer releases of WebKit the array creation is deferred until the elements are assigned. – We need to force a reallocation by assigning each one of the elements of the array. ● Summing up, it is inconvenient 80
  • 81. Current Techniques ● Plain String allocation ● Rendered useless because of Ropes – Ropes are a non linear representation of strings – A string is represented by a tree of arrays of characters – Each one of the nodes can be reused by others strings ● Doing a substring on a string does not copy anything, just adds a new reference to the node/nodes – We need to find a way to build “linearized” strings ● More on this later 81
  • 82. Array Technique ● Control of the first [Q|D]word ● To allocate N bytes ... ● S = [Q|D]WORD_SIZE ● E = # of array elements ● C = Constant ● N=S*E+C ● E = (N – C) / S ● We need an array of “E” elements ● Example allocation ● Green: Controlled DWORD ● Yellow: Partially controlled DWORD 82
  • 83. Array Spray Example ● Allocate 'n' chunks ● Size 5*4 + 20 ● First DWORD is 0xcafecafe ● Second DWORD is 0x00000003 83
  • 84. Allocation Primitive ● Since there is no direct fastMalloc available ● We need to get creative ● First approach: ● Just build strings! ● The catch: ropes ● Second approach: ● Take a look at the source code ● Realize what 'unescape' does 84
  • 85. Unescape ● Unescape takes an encoded string and decodes it. ● To do so it needs the string in linear form (ie. No ropes) ● Appends each decoded char to a StringBuilder ● StringBuilder needs memory to hold the “unescaped” string. ● Potentially this gives us control over ● The size of the allocation ● The contents of the created chunks 85
  • 86. String Builder ● Uses a reference counted storage ● Manages memory allocation automatically ● 'unescape' will append the unescaped characters to the a StringBuilder ● If more memory is needed, appendUninitialized will allocate a new buffer ● Size of the new allocation: ● new_size = prev_size + (prev_size >> 2) + 1 ● The previous buffer will be freed if its reference count reaches zero. ● This will be always the case when using unescape 86
  • 87. Heap Spray ● String size is divided by two to take into account that each character is two bytes ● This will create 50 chunks of size 0x2c0 87
  • 88. Heap Spray ● Chunks are contiguous (ie. No metadata inbetween) ● Hence aligned to the object size ● The whole contents of the objects are controlled ● Allows to craft really complex objects 88
  • 90. Deallocation Primitive ● There is no direct 'fastFree' available ● Traditional approach: ● Loop until GC kicks in ● This is not reliable ● Our approach ● Abuse the behavior of the StringBuilder 90
  • 91. Deallocation Primitive ● Unescape appends decoded chars to the StringBuilder ● This will trigger a new allocation ● new_size = prev_size + (prev_size >> 2) + 1 –std::vector like allocation behavior ● The previous string will be immediately freed ● Unescape a string bigger than the one we need to free ● This will generate some heap noise ● Must be taken into account ● Most of the times it does not harm 91
  • 92. Allocation Trace ● We want to make a hole of size 0x79a ● The corresponding allocation size is 0x820 92
  • 93. Conclusions ● A simple heap leaves us with lots opportunities to exploit vulnerabilities ● Heap layout modification is easy again by using the “unescape” technique. ● No heap protections makes our life easy. 93
  • 94. Previous Work ● Mark Daniel ● Jake Honoroff ● Charlie Miller ● Skypher 94
  • 95. References ● http://goog-perftools.sourceforge.net/doc/tcmalloc.html ● https://trac.webkit.org/wiki/FastMalloc%20Glossary ● http://securityevaluators.com/files/papers/isewoot08.pdf 95
  • 96. Questions? The end THX Agustin Gianni Sean Heelan agustin@immunityinc.com sean@immunityinc.com 96 @agustingianni @seanhn