In the Zone: OS X Heap Exploitation

Presented at Summercon 2016, July 16, 2016, 3 p.m. (50 minutes).

The most recent literature on exploiting the OS X heap was written in Phrack in 2005. Though the same region allocation scheme is still in use, the implementation has changed significantly. I am going to dive into how the OS X heap is laid out in memory, what is unique about it's region-based allocator, and how this changes common exploitation techniques.

We will also be releasing tooling that works with LLDB to further enhance the users ability to look into the current state of the heap and query the various zones for information. After an overview of the heap and how it is laid out we will present a case study of real world heap exploitation based on vulnerabilities found at Cisco Talos.

Presenters:

• Tyler Bohan
  Tyler Bohan is a Senior Research Engineer with the Cisco Talos Vulndev Team specializing in vulnerability research and exploitation. Tyler is the creator of MacDBG, a general purpose debugging framework for OSX. Previous employers include BAE Systems and Trail of Bits. @1blankwall1

Links:

• https://www.summercon.org/archives/2016/presentations.html#osx-heap

Similar Presentations:

• Black Hat USA 2011 / Heap Spray Detection with Heap Inspector
• Black Hat USA 2010 / Understanding the Low-Fragmentation Heap: From Allocation to Exploitation
• DEF CON 31 (2023) / House of Heap Exploitation Workshop