1 Once upon a free() Anonymous Phrack 57 Volume 9.

2 Outline Introduction Free() Algorithm Free() Source Code (Glibc 2.2.2) Data Structure Exploit Conclusion

3 Introduction Memory allocation. Free an empty chunk. Synthesize a fake chunk.

4 Free() Algorithm free(0) has no effect. If the chunk was allocated via mmap, it is released via munmap(). If a returned chunk borders the current high end of memory, it is consolidated into the top, and if the total unused topmost memory exceeds the trim threshold, malloc_trim is called.

5 Free() Algorithm (Cont.) Other chunks are consolidated as they arrive, and placed in corresponding bins. (This includes the case of consolidating with the current `last_remainder').

6 Free() Source Code (Glibc 2.2.2) The source is too long to reproduce here; it will be traced for everyone while the example is presented.

7 Data Structure unsigned char *mem = malloc(16); chunk = (mem - 8);

8 Data Structure ( Cont. ) prev_size If the chunk before the current one is unused (it was free'd), prev_size contains the length of that chunk. If the chunk before the current one is used, 'prev_size' is part of the 'data' of that chunk, saving four bytes.

9 Data Structure ( Cont. ) size As you call malloc(), four is added to the size you pass to it and afterwards the size is padded up to the next double-word boundary: malloc(6) -> malloc(16), malloc(0) -> malloc(8). The lowest bit, called PREV_INUSE, indicates whether the previous chunk is used or not. The second least significant bit is set if the memory area is mmap'ed. The third least significant bit is unused.

10 Data Structure ( Cont. ) When free(mem) is called, some checks take place and the memory is released. If its neighbouring chunks are free too (checked using the PREV_INUSE flag), they are merged into a chunk as large as possible.

11 Data Structure ( Cont. ) If a merge is not possible, the PREV_INUSE bit of the next chunk is cleared.

12 Exploit #define unlink(P, BK, FD) { BK = P->bk; FD = P->fd; FD->bk = BK; BK->fd = FD; }

13 Exploit ( Cont. ) What the macro above actually executes is: *(next->fd + 12) = next->bk; *(next->bk + 8) = next->fd. They are not swapped, but the 'fd' and 'bk' pointers point to other chunks.

14 Exploit ( Cont. ) Pseudo attack method

15 Exploit ( Cont. ) Prepare to attack: the least significant bit of 'size' has to be zero; both 'prev_size' and 'size' should be add-safe to a pointer that is read from. So either use very small values up to a few thousand, or - to avoid NUL bytes - use big values such as 0xfffffffc; you have to ensure that at (chunk_boundary + size + 4) the lowest bit is zeroed out (0xfffffffc will work just fine).

16 Exploit ( Cont. ) fd = retloc - 12; bk = retaddr

17 Conclusion MallocGuard: a sanity check like StackGuard. Performance: for every protection there is an anti-protection.
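The following is an added teaching model, not glibc's code and not from the Phrack article: it models the chunk header and size rounding from slides 7-9, reproduces the unchecked unlink macro from slide 12, and beside it shows the kind of sanity check the conclusion's "MallocGuard" refers to, where a free chunk is unlinked only if its list neighbours point back to it. The struct layout, the `safe_unlink` name and the three-chunk bin are constructed for the demo.

```c
#include <stddef.h>

/* Model of a glibc-2.2.2-style chunk header (constructed for this demo). */
#define PREV_INUSE 0x1   /* lowest size bit: previous chunk is in use     */
#define IS_MMAPPED 0x2   /* second size bit: area came from mmap          */
#define SIZE_BITS  0x7   /* the three low bits are flags, not size        */

struct chunk {
    size_t prev_size;    /* size of previous chunk, only valid if it is free */
    size_t size;         /* chunk size with flag bits in the low three bits  */
    struct chunk *fd;    /* forward link in the bin, only while free         */
    struct chunk *bk;    /* backward link in the bin, only while free        */
};

/* Rounding rule as the slides state it: add 4, pad to the next 8-byte boundary. */
size_t request2size(size_t req) { return (req + 4 + 7) & ~(size_t)7; }
size_t chunksize(const struct chunk *c) { return c->size & ~(size_t)SIZE_BITS; }
int prev_inuse(const struct chunk *c) { return (int)(c->size & PREV_INUSE); }

/* The unlink macro from the slide: it trusts fd and bk without any check. */
#define unlink(P, BK, FD) { BK = P->bk; FD = P->fd; FD->bk = BK; BK->fd = FD; }

/* MallocGuard-style sanity check: refuse to unlink unless both neighbours
 * really point back at P. Returns 1 on success, 0 if the links are corrupt. */
int safe_unlink(struct chunk *p) {
    struct chunk *bk, *fd;
    if (p->fd->bk != p || p->bk->fd != p)
        return 0;                          /* corrupted double-linked list */
    unlink(p, bk, fd);
    return 1;
}

/* Build a constructed circular bin of three free chunks: a <-> b <-> c. */
static void link3(struct chunk *a, struct chunk *b, struct chunk *c) {
    a->fd = b; b->fd = c; c->fd = a;
    a->bk = c; b->bk = a; c->bk = b;
}

/* Unlink b from a valid list, then show that a b with a stray fd is rejected. */
int demo(void) {
    struct chunk a = {0}, b = {0}, c = {0}, stray = {0};
    a.size = 24 | PREV_INUSE;              /* 24-byte chunk, previous in use */
    if (chunksize(&a) != 24 || !prev_inuse(&a)) return 0;
    link3(&a, &b, &c);
    if (!safe_unlink(&b) || a.fd != &c || c.bk != &a) return 0;
    link3(&a, &b, &c);
    b.fd = &stray;                         /* stray.bk does not point back to b */
    if (safe_unlink(&b)) return 0;         /* the check must reject this */
    return 1;
}
```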