This five-day course will give an in-depth examination of a variety of current heap allocators in the context of exploit development, including glibc's ptmalloc2, Chrome's PartitionAlloc, JEMalloc, TCMalloc, embedded allocators such as avr-libc, newlib, or dietlibc, and those used in Linux Docker images such as musl and uClibc. The lectures and labs will look at numerous ways to misuse the latest version of each of these allocators.
To construct these attacks we will examine in detail the main heap structures, including the thread caches, freelists, bins, malloc chunks, and arenas.
These attacks will be used to gain such primitives as:
- Having malloc return an arbitrary pointer
- Having allocated chunks overlap each other
- Returning the same allocated memory
- Having calloc return uninitialised memory
- Leaking the libc base and other sensitive information
Attacks will be constructed for a variety of heap allocators, including:
- Freelist poisoning
- Overlapping chunks
- Freeing attacker controlled pointers
- Contemporary unlink attacks
- Double frees
Course Objectives
To learn and demonstrate attacks on current heap allocators to gain exploitation primitives.
Training Outcomes
- Demonstrate understanding of the heap data structures
- Demonstrate debugging heap data structures
- Demonstrate attacks against multiple heap allocators
Who Should Attend?
- Developers
- IT Professionals
- Embedded Developers
- OS Developers
- Penetration Testers
- Software Security Auditors/Analysts
- Vulnerability Researchers
- Software Exploitation Developers
- Anyone else interested
What to Bring
- All materials are provided by InfoSect
What will be Provided?
- Laptops for class use
- Coil bound lecture materials
- Catering
- Access to VMs with laboratories
- InfoSect Swag
Participant Skillset
Students taking Linux Heap Exploitation should have an intermediate C development background. They should have hands-on experience with:
- C programming
- Python programming
- Linux
InfoSect’s Code Review course is a suitable prerequisite.
Class Syllabus **
Day 1
- Heap Misuse
- Control Flow Hijacking
- Heap Data Structures
- Debugging
- TCache Poisoning
- TCache Double Free
- Fast Bin Double Free
Day 2
- Overlapping Chunk
- Calloc I
- Calloc II
- House of Force
- Double Free Mitigation Bypass
Day 3
- TCache House of Spirit
- Fast Bin Poisoning I
- Fast Bin Poisoning II
- Unsorted Bin Libc Base Leak
Day 4
- TCMalloc
  - Freelist Poisoning
  - Double Frees
  - Overlapping Chunks
- JEMalloc
  - Overlapping Chunks
- PartitionAlloc
  - Freelist Poisoning
  - Double Frees
  - Overlapping Chunks
Day 5
- uClibc
  - Unlink
- newlib
  - Freelist Poisoning
  - House of Spirit
- dietlibc
  - Freelist Poisoning
  - House of Spirit
- musl
  - Freelist Poisoning
- avr-libc
  - Freelist Poisoning
  - House of Spirit
  - Overlapping Chunks
** Subject to change