Heap-based overflows and underflows are a common vulnerability in software built in C and C++. When leveraging such a vulnerability as part of an exploit, an attacker will usually try to position the chunk which is the source of the overflow or underflow relative to a specific victim chunk. The less collateral data between the source chunk and the victim chunk, the more optimal the layout. This is typically a problem that is solved manually and requires an in-depth understanding of the heap allocator in use and how the target application interacts with it.
In this talk, we will present an automatic, blackbox, approach to heap layout optimisation. Our algorithm utilises pseudo-random search over the interactions with the allocator which may be triggered via a target application. Crucially, no modification or analysis of the allocator itself is required. Our evaluation demonstrates that this is a feasible approach on both free-list based allocators (e.g. dlmalloc) and slab based allocators (e.g. jemalloc), using heap starting states and allocator interaction sequences from a number of real world applications, including PHP, Python and Ruby.
We will also present a proof-of-concept implementation versus PHP which demonstrates that an existing fuzzer can be repurposed to perform this search. The proof-of-concept takes as input a trigger for a known vulnerability. It figures out how to interact with the allocator via PHP's API, as well as how to allocate 'useful' targets for corruption, e.g. data structures containing pointers. It produces a new PHP script as output which triggers the original vulnerability but now corrupts a specific victim chunk which it has selected. The PoC demonstrates that our approach can significantly reduce the amount of time and manual effort required to go from a crashing input to a read, write or execute primitive.