Previous work on kernel heap exploitation for iOS or Mac OS X has only covered attacking the freelist of the kernel heap zone allocator. It was however never discussed before what other kernel heap memory allocators exist or what kernel heap allocation functions wrap these allocators. Attacks against further heap meta data or attacking kernel application data has not been discussed before.
This talk will introduce the audience to the big picture of memory allocators in the iOS kernel heap. It will be shown how attacks can be carried out against other meta data stored by other allocators or wrappers. It will be shown how memory allocated into different zones or allocated by different allocators is positioned to each other and if cross attacks are possible. It will be shown how overwriting C++ objects inside the kernel can result in arbitrary code execution. Finally this talk will leverage this to present a generic technique that allows to control the iOS kernel heap in a similar fashion as JavaScript is used in today's browser exploits to control the user space heap.