Windows 10 Segment Heap Internals

Presented at Black Hat USA 2016, Aug. 4, 2016, 9:45 a.m. (50 minutes)

Introduced in Windows 10, Segment Heap is the native heap used in Windows app (formerly called Modern/Metro app) processes and certain system processes. This heap is an addition to the well-researched and widely documented NT heap that is still used in traditional application processes and in certain types of allocations in Windows app processes. One important aspect of the Segment Heap is that it is enabled for Microsoft Edge, which means that components/dependencies running in Edge that do not use a custom heap manager will use the Segment Heap. Therefore, reliably exploiting memory corruption vulnerabilities in these Edge components/dependencies would require some level of understanding of the Segment Heap. In this presentation, I'll discuss the data structures, algorithms and security mechanisms of the Segment Heap. Knowledge of the Segment Heap is also applied by discussing and demonstrating how a memory corruption vulnerability in the Microsoft WinRT PDF library (CVE-2016-0117) is used to create a reliable write primitive in the context of the Edge content process.

Presenters:

  • Mark Vincent Yason - IBM
    Mark Vincent Yason is a security researcher on IBM's X-Force Advanced Research team. Mark's current focus areas are browser-based vulnerability/exploit research, browser exploit kits research, and advanced malware research. He authored the papers 'The Art of Unpacking,' 'Diving Into IE 10's Enhanced Protected Mode Sandbox,' and 'Understanding the Attack Surface and Attack Resilience of Project Spartan's New EdgeHTML Rendering Engine'. He co-authored the papers 'Reversing C++,' 'Playing In The Reader X Sandbox,' and 'Digging Deep Into The Flash Sandboxes', all of which were previously presented at Black Hat.
