Linux Heap Exploitation - live, online training

Monday, Aug 16, 2021 at 9:00 AM to Friday, Aug 20, 2021 at 5:00 PM AEST

Register Now

Registration

Sale ended

Student Partial Approval - $6,000.00

Note: GST is applicable to Australian students. If you are Australian, please email courses@infosectcbr.com.au to receive an invoice including GST. By purchasing this ticket you are indicating you are based outside of Australia.

Enter your discount code

  • Subtotal (excluding fees and discounts)
  • Fee
  • Total amount

1. Select Seats

2. Review and Proceed

Monday, Aug 16, 2021 at 9:00 AM to Friday, Aug 20, 2021 at 5:00 PM AEST

This 5 day course will give an in depth examination of a variety of current heap allocators in the context of exploit development, including glibc’s ptmalloc2, Chrome’s PartitionAlloc, JEMalloc, TCMalloc, embedded allocators such as avr-libc, newlib, or dietlibc, and those used in Linux Docker images such musl and uClibc. The lectures and labs will look at numerous ways to misuse each of these allocators in the latest versions of each.

To achieve these attacks we will have detailed examinations of the main heap structures including the thread caches, freelists, bins, malloc chunks, and arenas.

These attacks will be used to gain such primitives as:

  • Having malloc return an arbitrary pointer
  • Having allocated chunks overlap each other
  • Returning the same allocated memory
  • Having calloc return uninitialised memory
  • Leaking the libc base and other sensitive information

Attacks will be constructed for a variety of heap allocators, including:

  • Freelist poisoning
  • Overlapping chunks
  • Freeing attacker controlled pointers
  • Contemporary unlink attacks
  • Double frees

Course Objectives

To learn and demonstrate attacks on current heap allocators to gain exploitation primitives.

Training Outcomes

  • Demonstrate understanding of the heap data structures
  • Demonstrate debugging heap data structures
  • Demonstrate attacks against multiple heap allocators

Who Should Attend?

  • Developers
  • IT Professionals
  • Embedded Developers
  • OS Developers
  • Penetration Testers
  • Software Security Auditers/Analysts
  • Vulnerability Researchers
  • Software Exploitation Developers
  • Anyone else interested

 

What is required:

  • An internet connection
  • A browser
  • webcam & microphone (optional)
  • your favourite SSH tool
  • PDF viewer for notes & lab guide

What will be Provided?

  • Lab connection details distributed in class
  • Access to VMs with laboratories
  • InfoSect Swag & participation certificate (posted)

Participant Skillset

Students taking Linux Heap Exploitation should have an intermediate C Development background. They should have hands on experience in:

  • C Coding Experience
  • Python Coding Experience
  • Linux

InfoSect’s Code Review course is a suitable prerequisite.

Class Syllabus **

Day 1 Content

• Memory Corruption

• Control Flow Hijacking

• Heap Data Structures

• The TCache

• TCache Poisoning

• TCache Poisoning in glibc 2.27 - 2.31

• Pointer Guard in glibc

• Linux Kernel SLUB Allocator

• ISO Alloc

• Safe Linking in glibc 2.32

 

Day 2 Content

• Revisiting SLUB

• TCache Double Free

• Fast Bins

• Fast Bin Double Free

• Double Free Mitigation Bypass 

• Overlapping Chunks

• Calloc I

• Calloc II

  

Day 3 Content

• House of Force

• TCache House of Spirit

• Fast Bin Poisoning I

• Fast Bin Poisoning II

• Unsorted Bin LIBC Base Leak

  

Day 4 Content

• Scudo

• TCMalloc-1

• TCMalloc-2

• JEMalloc

• PartitionAlloc

  

Day 5 Content

• uClibc

• newlib

• dietlibc 

• musl

• avr-libc

** subject to changes

InfoSect

Dr Silvio Cesare is the Managing Director at InfoSect. He has worked in technical roles and been involved in computer security for over 20 years. This period includes time in Silicon Valley in the USA, France, and Australia. He has worked commercially in both defensive and offensive roles within engineering. He has reported hundreds of software bugs and vulnerabilities in Operating Systems kernels. He was previously the Director for Education and Training at UNSW Canberra Cyber, ensuring quality content and delivery. In his early career, he was the scanner architect and a C developer at Qualys. He is also the co-founder of BSides Canberra - Australia’s largest cyber security conference. He has a Ph.D. from Deakin University and has published within industry and academia, is a 4-time Black Hat speaker, gone through academic research commercialisation, and authored a book (Software Similarity and Classification, published by Springer).

Contact the Organizer