heap exploitation heap primitives
play

Heap Exploitation Heap Primitives malloc free calloc - PowerPoint PPT Presentation

Sep 07, 2022 •203 likes •406 views

Heap Exploitation Heap Primitives malloc free calloc Organization of chunks Bins Fast Singly linked list 16, 24, 32, 40, 48, 56, 64, 72, 80 and 88 bytes Small Doubly linked list 16, 24, ... , 504 bytes

  1. Heap Exploitation

  3. Heap Primitives • malloc • free • calloc

  7. Organization of chunks • Bins • Fast • Singly linked list • 16, 24, 32, 40, 48, 56, 64, 72, 80 and 88 bytes • Small • Doubly linked list • 16, 24, ... , 504 bytes • Large • Doubly linked lists • Different sizes • Sorted in decreasing order • Unsorted

  8. Overview of Algorithms for malloc and free • Malloc • Free

  9. Examples of exploits • LIFO Experiment • Use after free • Unlink

  10. FIFO Experiment

  11. Example of UAF Heap exploit Indian Institute of Science 11

  12. Example of UAF Heap exploit Indian Institute of Science 12

  13. Example of UAF Heap exploit Indian Institute of Science 13

  14. Example of UAF Heap exploit Indian Institute of Science 14

  15. Example of UAF Heap exploit Indian Institute of Science 15

  16. Example of UnLink Exploit

  17. Example of UnLink Exploit

  19. Current Research: Attackers Perspective • Automatic manipulation • Dynamic and static analysis • Understanding allocators • Chunk placement • Manual Exploitation: Exploit writing

Recommend

Automatic Techniques to Systematically Discover New Heap Exploitation Primitives Ins Insu Yu

Automatic Techniques to Systematically Discover New Heap Exploitation Primitives Ins Insu Yu

Automatic Techniques to Systematically Discover New Heap Exploitation Primitives Ins Insu Yu Yun , Dhaval Kapil, and Taesoo Kim Georgia Institute of Technology 1 Heap vulnerabilities are the most common, yet serious security issues. %

387 views • 34 slides
PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low

PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low

ERIE COUNTY DEPARTMENT OF SOCIAL SERVICES Program Overview PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low income households to reduce energy expense s. HEAP PROGRAMS Regular HEAP Available

531 views • 14 slides
Understanding the heap by breaking it A case study of the heap as a persistent data structure

Understanding the heap by breaking it A case study of the heap as a persistent data structure

Understanding the heap by breaking it A case study of the heap as a persistent data structure through non-traditional exploitation techniques Justin N. Ferguson // BH2007 The heap, what is it? Globally scoped data structure

906 views • 58 slides
Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A)

Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A)

Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A) for i = floor( A.length/2 ) to 1 Max-Heapify(A, i) Build-Max-Heap Red part is already Heapified Build-Max-Heap Correctness: Base: Each alone

429 views • 23 slides
Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

1.33k views • 91 slides
Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The

Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The

Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The binomial heap allows for efficient union, which can not be done efficiently in the binary heap. The extra cost paid is the minimum operation, which

560 views • 24 slides
When Testing in Production is a Good Idea Dan Robinson CTO, Heap whoami Joined as Heap's

When Testing in Production is a Good Idea Dan Robinson CTO, Heap whoami Joined as Heap's

When Testing in Production is a Good Idea Dan Robinson CTO, Heap whoami Joined as Heap's first hire in July, 2013. Previously an engineer at Palantir. Studied Math & CS at Stanford. What we'll talk about: 1. What is Heap? 2.

695 views • 47 slides
heaps and heapsort on n elements height of a heap is in (log n ) building a heap bottum-up in O (

heaps and heapsort on n elements height of a heap is in (log n ) building a heap bottum-up in O (

heaps and heapsort on n elements height of a heap is in (log n ) building a heap bottum-up in O ( n ) analysis via picture (learn) or using summations (know result) data structures and algorithms building a heap one-by-one in O ( n log n ) 2020

672 views • 7 slides
Initializing A Max Heap Initializing A Max Heap 1 1 3 3 2 2 4 5 6 7 4 5 6 7 8 9 7

Initializing A Max Heap Initializing A Max Heap 1 1 3 3 2 2 4 5 6 7 4 5 6 7 8 9 7

Initializing A Max Heap Initializing A Max Heap 1 1 3 3 2 2 4 5 6 7 4 5 6 7 8 9 7 7 11 8 8 9 7 7 11 8 10 10 input array = [-, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11] Start at rightmost array position that has a child.

522 views • 9 slides
In the Beginning was the Word Stephen Heap In the Beginning was the Word

In the Beginning was the Word Stephen Heap In the Beginning was the Word

In the Beginning was the Word Stephen Heap In the Beginning was the Word s.heap@uq.edu.au Stephen Heap s.heap@uq.edu.au Reading skill is based on three kinds of knowledge A fluent reader must have knowledge of: Language : word

480 views • 46 slides
A heap, a stack, a bottle and a rack The Stack Canary Birds The heap Answer: The first three

A heap, a stack, a bottle and a rack The Stack Canary Birds The heap Answer: The first three

A heap, a stack, a bottle and a rack The Stack Canary Birds The heap Answer: The first three segments are: code , read-only data and global data for the running process gurka. Then there is a segment for the heap . The segment marked with

399 views • 10 slides
Fibonacci Heap Group Paradox December 21, 2016 Contents 1. Introduction 2. Operations 3. Why

Fibonacci Heap Group Paradox December 21, 2016 Contents 1. Introduction 2. Operations 3. Why

Fibonacci Heap Group Paradox December 21, 2016 Contents 1. Introduction 2. Operations 3. Why it called Fibonacci (the proof) Priority Queue in Dijkstra Fibonacci Heap Operation Binary Heap Fibonacci Heap Find-Min O (1) O (1) Insert O (

465 views • 21 slides
Binding the Daemon FreeBSD Kernel Stack and Heap Exploitation Patroklos (argp) Argyroudis

Binding the Daemon FreeBSD Kernel Stack and Heap Exploitation Patroklos (argp) Argyroudis

Binding the Daemon FreeBSD Kernel Stack and Heap Exploitation Patroklos (argp) Argyroudis argp@census-labs.com Outline Introduction Why target the kernel? Why target FreeBSD? Background Related work Exploitation

1.55k views • 56 slides
6.006- Introduction to Priority Queue Algorithms A data structure implementing a set S of

6.006- Introduction to Priority Queue Algorithms A data structure implementing a set S of

Heap Menu Implementation of a priority queue Priority Queues An array, visualized as a nearly complete binary tree Max Heap Property: The key of a node is than the keys of Heaps its children (Min Heap defined

202 views • 7 slides
Priority Queue / Heap Stores ( key,data ) pairs (like dictionary) But, different set of

Priority Queue / Heap Stores ( key,data ) pairs (like dictionary) But, different set of

Priority Queue / Heap Stores ( key,data ) pairs (like dictionary) But, different set of operations: Initialize Heap : creates new empty heap Is Empty : returns true if heap is empty Insert ( key,data ): inserts ( key,data

956 views • 51 slides
Say Goodbye to Off-heap Caches! On-heap Caches Using Memory-Mapped I/O Iacovos G. Kolokasis 1 ,

Say Goodbye to Off-heap Caches! On-heap Caches Using Memory-Mapped I/O Iacovos G. Kolokasis 1 ,

Say Goodbye to Off-heap Caches! On-heap Caches Using Memory-Mapped I/O Iacovos G. Kolokasis 1 , Anastasios Papagiannis 1 , Foivos Zakkak 2 , Polyvios Pratikakis 1 , and Angelos Bilas 1 1 University of Crete & Foundation of Research and

457 views • 19 slides
CS 241 Data Organization Heapsort February 15, 2018 Heapsort algorithm Make heap While

CS 241 Data Organization Heapsort February 15, 2018 Heapsort algorithm Make heap While

CS 241 Data Organization Heapsort February 15, 2018 Heapsort algorithm Make heap While heap is not empty Remove largest item Restore heap property What is a heap? Complete Binary Tree Binary Tree: Each node has at most 2

142 views • 12 slides
Week 14 - Monday What did we talk about last time? Heap implementation Heap sort

Week 14 - Monday What did we talk about last time? Heap implementation Heap sort

Week 14 - Monday What did we talk about last time? Heap implementation Heap sort Lab hours Wednesdays at 5 p.m. in The Point 113 Saturdays at noon in The Point 113 (Cancelled this Saturday for Thanksgiving!) CS Club

451 views • 24 slides
The beautiful binary heap. Weiss has a chapter on the binary heap - chapter 20, pp581-601.

The beautiful binary heap. Weiss has a chapter on the binary heap - chapter 20, pp581-601.

The beautiful binary heap. Weiss has a chapter on the binary heap - chapter 20, pp581-601. Its a very neat implementation of the binary tree idea, using an array. We can use the binary heap to sort an array, and we can use it to make a

304 views • 15 slides
Heap Heap Sometimes called the free store Dynamically

Heap Heap Sometimes called the free store Dynamically

Heap Heap Sometimes called the free store Dynamically allocated area of memory Stores global variables Stores large variables Stores dynamic

899 views • 42 slides
Fragment the Heap! ...let the compiler / VM implementors deal with fragmentation! Dr. Fridtjof

Fragment the Heap! ...let the compiler / VM implementors deal with fragmentation! Dr. Fridtjof

Fragment the Heap! ...let the compiler / VM implementors deal with fragmentation! Dr. Fridtjof Siebert CTO, aicas ISMM 2008, Tucson, 8. June 2008 Fragment the Heap! Split Heap in small fixed-size blocks Allocate only these blocks smaller

466 views • 9 slides
Project Heapbleed Thoughts on heap exploitation abstraction (WIP) ZeroNights 2014 PATROKLOS

Project Heapbleed Thoughts on heap exploitation abstraction (WIP) ZeroNights 2014 PATROKLOS

Project Heapbleed Thoughts on heap exploitation abstraction (WIP) ZeroNights 2014 PATROKLOS ARGYROUDIS CENSUS S.A. argp@census-labs.com www.census-labs.com Who am I Researcher at CENSUS S.A. Vulnerability research, reverse

572 views • 44 slides
Is the Heap Manager Important to Many Cores? Ye Liu, Shinpei Kato, Masato Edahiro Outline

Is the Heap Manager Important to Many Cores? Ye Liu, Shinpei Kato, Masato Edahiro Outline

Is the Heap Manager Important to Many Cores? Ye Liu, Shinpei Kato, Masato Edahiro Outline Background Overview of the heap manager Why do we focus on the heap manager on many cores? Experimental platforms Heap Manager

384 views • 21 slides
CS4102 Algorithms Fall 2018 Warm up Build a Max Heap from the following Elements: 4, 15, 22, 6,

CS4102 Algorithms Fall 2018 Warm up Build a Max Heap from the following Elements: 4, 15, 22, 6,

CS4102 Algorithms Fall 2018 Warm up Build a Max Heap from the following Elements: 4, 15, 22, 6, 18, 30, 14, 21 1 Heap Heap Property: Each node must be larger than its children 30 1 22 21 3 2 4 14 19 15 6 7 4 5 6 30 21 22

628 views • 48 slides

More recommend