
1 Once upon a free() Anonymous Phrack 57 Volume 9.

Presentation transcript:

Slide 2: Outline
- Introduction
- Free() algorithm
- Free() source code (glibc 2.2.2)
- Data structure
- Exploit
- Conclusion

Slide 3: Introduction
- Memory allocation
- Freeing an empty (unused) chunk
- Synthesizing a fake chunk

Slide 4: Free() algorithm
- free(0) has no effect.
- If the chunk was allocated via mmap, it is released via munmap().
- If a returned chunk borders the current high end of memory, it is consolidated into the top, and if the total unused topmost memory exceeds the trim threshold, malloc_trim is called.

Slide 5: Free() algorithm (cont.)
- Other chunks are consolidated as they arrive and placed in the corresponding bins. (This includes the case of consolidating with the current `last_remainder'.)

Slide 6: Free() source code (glibc 2.2.2)
The source is too long to reproduce here; it will be traced step by step while presenting the example.

Slide 7: Data structure
unsigned char *mem = malloc(16);
chunk = (mem - 8);   /* the 8-byte header (prev_size, size) sits right before the returned pointer */

Slide 8: Data structure (cont.)
prev_size: if the chunk before the current one is unused (it was free'd), this field contains the length of that chunk. In the other case (the chunk before the current one is in use), 'prev_size' is part of that chunk's data, saving four bytes.

Slide 9: Data structure (cont.)
size: when you call malloc(), four is added to the size you pass and the result is padded up to the next double-word boundary: malloc(6) -> malloc(16), malloc(0) -> malloc(8). (The rounding rule alone gives 8 for malloc(0); the allocator additionally enforces a minimum chunk size, MINSIZE = 16 bytes on 32-bit, so the smallest chunk actually handed out is 16 bytes.) The lowest bit of 'size', called PREV_INUSE, indicates whether the previous chunk is in use. The second least significant bit is set if the memory area is mmap'ed. The third least significant bit is unused.

Slide 10: Data structure (cont.)
When free(mem) is called, some checks take place and the memory is released. If the neighbouring chunks are free as well (checked using the PREV_INUSE flag: the current chunk's bit tells whether the previous chunk is in use, and the next chunk's in-use state is read from the PREV_INUSE bit of the chunk after it), the chunks are merged into one block that is as large as possible.

Slide 11: Data structure (cont.)
If no merge is possible, the PREV_INUSE bit of the next chunk is cleared, marking the current chunk as free.
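The following C program is an added example, not code from the slides or from glibc. It models the 32-bit chunk layout of slides 7 to 11 on a raw byte image: the size rounding rule (plus the MINSIZE floor the real allocator applies, an assumption stated in the constants), how a chunk's in-use state is read from the next chunk's PREV_INUSE bit, and a stripped-down free() that merges backward and forward or, failing that, clears the next chunk's PREV_INUSE. The heap image is constructed by hand and is not a real dump.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout constants of the 32-bit glibc 2.2 allocator the slides describe
 * (assumed: 4-byte size_t, 8-byte alignment, 16-byte minimum chunk). */
#define SIZE_SZ     4u
#define ALIGN_MASK  7u
#define MINSIZE     16u
#define PREV_INUSE  1u
#define IS_MMAPPED  2u
#define SIZE_BITS   (PREV_INUSE | IS_MMAPPED)

/* The rule as stated on the slide: add four, round up to a double word. */
uint32_t pad_to_dword(uint32_t req) { return (req + SIZE_SZ + ALIGN_MASK) & ~ALIGN_MASK; }

/* What the allocator actually hands out: the same rule with a MINSIZE floor. */
uint32_t request2size(uint32_t req) {
    uint32_t s = pad_to_dword(req);
    return s < MINSIZE ? MINSIZE : s;
}

/* 32-bit little-endian field access on a raw heap image. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

uint32_t chunksize(const uint8_t *heap, uint32_t off) { return rd32(heap + off + 4) & ~SIZE_BITS; }
uint32_t prev_inuse(const uint8_t *heap, uint32_t off) { return rd32(heap + off + 4) & PREV_INUSE; }
uint32_t next_chunk(const uint8_t *heap, uint32_t off) { return off + chunksize(heap, off); }
/* A chunk's own in-use state lives in the NEXT chunk's PREV_INUSE bit. */
uint32_t chunk_inuse(const uint8_t *heap, uint32_t off) { return prev_inuse(heap, next_chunk(heap, off)); }
/* prev_size is only meaningful when PREV_INUSE is clear. */
uint32_t prev_chunk(const uint8_t *heap, uint32_t off) { return off - rd32(heap + off); }

/* Simplified free() consolidation from the slides (no bins, top or mmap):
 * merge backward with a free previous chunk, merge forward with a free next
 * chunk, otherwise clear the next chunk's PREV_INUSE. Returns the offset of
 * the resulting free chunk. In the real code each merged neighbour is taken
 * out of its bin with unlink(), which is the step the exploit abuses. */
uint32_t free_chunk(uint8_t *heap, uint32_t off) {
    uint32_t size = chunksize(heap, off);
    if (!prev_inuse(heap, off)) {                 /* backward merge */
        uint32_t p = prev_chunk(heap, off);
        size += chunksize(heap, p);
        off = p;
    }
    uint32_t next = off + size;
    if (!chunk_inuse(heap, next)) {               /* forward merge */
        size += chunksize(heap, next);
    } else {                                      /* no merge: mark ourselves free in next */
        wr32(heap + next + 4, rd32(heap + next + 4) & ~PREV_INUSE);
    }
    uint32_t flags = rd32(heap + off + 4) & SIZE_BITS;
    wr32(heap + off + 4, size | flags);           /* header of the (possibly merged) free chunk */
    wr32(heap + off + size, size);                /* successor's prev_size records our size */
    return off;
}

/* Constructed heap image (not a real dump): A = 24 bytes in use, B = 32 bytes
 * free, C = 24 bytes in use, D = 16 bytes in use, then a terminating header. */
uint8_t sample_heap[104];

uint8_t *build_sample_heap(void) {
    uint8_t *h = sample_heap;
    memset(h, 0x41, sizeof sample_heap);  /* user-data filler */
    wr32(h + 0, 0);                       /* A.prev_size: nothing free before A */
    wr32(h + 4, 24 | PREV_INUSE);
    wr32(h + 24, 0xdeadbeef);             /* B.prev_size: A is in use, so this is A's last data word */
    wr32(h + 28, 32 | PREV_INUSE);        /* B.size: A in use */
    wr32(h + 56, 32);                     /* C.prev_size: B is free, so it records B's size */
    wr32(h + 60, 24);                     /* C.size: PREV_INUSE clear because B is free */
    wr32(h + 80, 0xcafebabe);             /* D.prev_size: C is in use, so this is C's data */
    wr32(h + 84, 16 | PREV_INUSE);        /* D.size: C in use */
    wr32(h + 96, 0);
    wr32(h + 100, PREV_INUSE);            /* terminator: D in use */
    return h;
}

int main(void) {
    build_sample_heap();
    printf("malloc(6) -> %u, malloc(0) -> %u by the slide rule, %u with MINSIZE\n",
           pad_to_dword(6), pad_to_dword(0), request2size(0));
    printf("A in use: %u, B in use: %u\n", chunk_inuse(sample_heap, 0), chunk_inuse(sample_heap, 24));
    uint32_t merged = free_chunk(sample_heap, 56);   /* free C: merges backward into free B */
    printf("free(C) -> free chunk at %u, size %u, D.PREV_INUSE = %u\n",
           merged, chunksize(sample_heap, merged), prev_inuse(sample_heap, 80));
    return 0;
}
```

Freeing A instead of C exercises the other path: A's PREV_INUSE is set, so no backward merge, but B is free, so A merges forward into a 56-byte chunk. Either way the merged neighbour would be unlink()ed in the real allocator, which is why control over a free chunk's header matters in the next slides.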

Slide 12: Exploit
#define unlink(P, BK, FD) { \
    BK = P->bk;             \
    FD = P->fd;             \
    FD->bk = BK;            \
    BK->fd = FD;            \
}

Slide 13: Exploit (cont.)
Applied to the chunk `next`, the macro above effectively performs two writes:
*(next->fd + 12) = next->bk;
*(next->bk + 8) = next->fd;
(12 and 8 are the offsets of bk and fd inside a chunk.) The pointers are not swapped; 'fd' and 'bk' simply point to other chunks, so whoever controls them controls where these two writes land.

Slide 14: Exploit (cont.)
Pseudo attack method

Slide 15: Exploit (cont.)
Preparing the fake chunk:
- The least significant bit of 'size' (PREV_INUSE) has to be zero.
- Both 'prev_size' and 'size' must be add-safe: adding them to a pointer has to yield an address that can be read from. So either use very small values (up to a few thousand) or, to avoid NUL bytes, use big values such as 0xfffffffc.
- You have to ensure that the lowest bit at (chunk_boundary + size + 4) is zeroed out (0xfffffffc will work just fine).

Slide 16: Exploit (cont.)
fd = retloc - 12
bk = retaddr
(retloc is the address to overwrite, retaddr the value written into it.)
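The following C program is an added example, not code from the slides or from the Phrack article, and it simulates rather than performs the attack: the unlink() macro of slide 12 is run directly on a fake chunk set up as slides 15 and 16 prescribe (fd = retloc - 12, bk = retaddr, sizes 0xfffffffc), with a constructed byte buffer standing in for the stack frame holding retloc and another for the shellcode. The field offsets are taken from offsetof so the same code runs on a 64-bit host (fd at 16, bk at 24 instead of 8 and 12). It shows the intended write, retaddr landing in retloc, and the side effect the second store has on the shellcode.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Chunk header as the slides describe it; offsets follow the host
 * (fd at 8 and bk at 12 on 32-bit, 16 and 24 on a 64-bit host). */
struct malloc_chunk {
    size_t prev_size;
    size_t size;
    struct malloc_chunk *fd;
    struct malloc_chunk *bk;
};

/* The glibc 2.2 macro from slide 12, unchanged. */
#define unlink(P, BK, FD) { \
    BK = P->bk;             \
    FD = P->fd;             \
    FD->bk = BK;            \
    BK->fd = FD;            \
}

/* Constructed stand-ins (assumptions, not real process state): fake_frame
 * plays the stack frame whose saved return address (retloc) is the target,
 * fake_shellcode plays the buffer execution should be redirected to. */
static _Alignas(16) unsigned char fake_frame[32];
static _Alignas(16) unsigned char fake_shellcode[32];

/* retloc sits at offsetof(bk) inside the frame so that fd = retloc - 12
 * (retloc - offsetof(bk) in general) points at the start of the frame. */
static unsigned char *retloc(void) { return fake_frame + offsetof(struct malloc_chunk, bk); }

static uintptr_t load_ptr(const unsigned char *p) { uintptr_t v; memcpy(&v, p, sizeof v); return v; }

/* Run unlink() on the fake chunk. Returns 1 if retloc now holds retaddr. */
int run_unlink_attack(void) {
    memset(fake_frame, 0, sizeof fake_frame);
    memset(fake_shellcode, 0x90, sizeof fake_shellcode);   /* NOP-sled stand-in */

    struct malloc_chunk fake;
    fake.prev_size = (size_t)0xfffffffcu;   /* lowest bit clear, no NUL bytes (slide 15) */
    fake.size      = (size_t)0xfffffffcu;
    fake.fd = (struct malloc_chunk *)(retloc() - offsetof(struct malloc_chunk, bk));
    fake.bk = (struct malloc_chunk *)fake_shellcode;        /* retaddr */

    struct malloc_chunk *p = &fake, *bk, *fd;
    unlink(p, bk, fd);   /* FD->bk = BK writes retaddr into retloc */

    return load_ptr(retloc()) == (uintptr_t)fake_shellcode;
}

/* The second store (BK->fd = FD) lands inside the shellcode at this offset,
 * so a real payload must start with a jump over these pointer-sized bytes. */
size_t clobbered_offset(void) { return offsetof(struct malloc_chunk, fd); }

/* Returns 1 if the shellcode bytes at that offset now hold the fd pointer. */
int shellcode_was_clobbered(void) {
    uintptr_t fd_value = (uintptr_t)(retloc() - offsetof(struct malloc_chunk, bk));
    return load_ptr(fake_shellcode + clobbered_offset()) == fd_value;
}

int main(void) {
    printf("retloc overwritten with retaddr: %d\n", run_unlink_attack());
    printf("shellcode clobbered at offset %zu: %d\n", clobbered_offset(), shellcode_was_clobbered());
    return 0;
}
```

In the real attack the fake header is written past the end of an overflowed chunk, and the victim's own free() of that chunk reaches unlink() while consolidating; here the macro is called directly so the two stores can be inspected.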

Slide 17: Conclusion
- MallocGuard: sanity checks on chunk headers, in the spirit of StackGuard
- Performance cost
- For every protection there is an anti-protection.
