Heap Layout Optimisation for Exploitation

Presented at Black Hat Europe 2017, Dec. 7, 2017, 11:30 a.m. (60 minutes).

Heap-based overflows and underflows are a common vulnerability in software built in C and C++. When leveraging such a vulnerability as part of an exploit, an attacker will usually try to position the chunk which is the source of the overflow or underflow relative to a specific victim chunk. The less collateral data between the source chunk and the victim chunk, the more optimal the layout. This is typically a problem that is solved manually and requires an in-depth understanding of the heap allocator in use and how the target application interacts with it.

In this talk, we will present an automatic, blackbox, approach to heap layout optimisation. Our algorithm utilises pseudo-random search over the interactions with the allocator which may be triggered via a target application. Crucially, no modification or analysis of the allocator itself is required. Our evaluation demonstrates that this is a feasible approach on both free-list based allocators (e.g. dlmalloc) and slab based allocators (e.g. jemalloc), using heap starting states and allocator interaction sequences from a number of real world applications, including PHP, Python and Ruby.

We will also present a proof-of-concept implementation against PHP which demonstrates that an existing fuzzer can be repurposed to perform this search. The proof-of-concept takes as input a trigger for a known vulnerability. It figures out how to interact with the allocator via PHP's API, as well as how to allocate 'useful' targets for corruption, e.g. data structures containing pointers. It produces a new PHP script as output which triggers the original vulnerability but now corrupts a specific victim chunk which it has selected. The PoC demonstrates that our approach can significantly reduce the amount of time and manual effort required to go from a crashing input to a read, write or execute primitive.


Presenters:

  • Sean Heelan - Researcher, Vertex RE / University of Oxford
    Sean Heelan is a security researcher at Vertex RE and currently pursuing a PhD at the University of Oxford. Previously he founded Persistence Labs, a reverse engineering tool development company, and worked as a security researcher at Immunity Inc. His primary interest is in developing techniques for automated program analysis, with a focus on vulnerability detection, reverse engineering and exploitation.
