windows 8 heap internals
play

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap - PowerPoint PPT Presentation

Aug 27, 2023 •404 likes •1.33k views

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

  1. Windows 8 Heap Internals Windows 8 Heap Internals

  2. Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals

  3. Who • Chris Valasek (@nudehaberdasher) – Sr. Research Scientist – Coverity • Tarjei Mandt (@kernelpool) – Vulnerability Researcher – Azimuth Security Windows 8 Heap Internals

  4. What • Windows 8 Release Preview • Heap manager specifics • Exploitation techniques for Windows 8 heap • Prerequisite reading – “Understanding the LFH” • http://illmatics.com/Understanding_the_LFH.pdf • http://illmatics.com/Understanding_the_LFH_Slides.pdf – “Modern Kernel Pool Exploitation” • http://www.mista.nu/research/kernelpool_infiltrate2011.pdf – Kostya, Hawkes, Halvar, McDonald, Moore, etc Windows 8 Heap Internals

  5. Why • Learn how the Heap Manager and Kernel Pool Allocator work (in detail) – PLEASE read the paper if you want full details, this presentation just touches the surface • Heap exploits that worked on Windows 7 will most likely NOT work on Windows 8 • Let’s find out why Windows 8 Heap Internals

  6. Windows 8 Heap Internals User Land Back ‐ End Windows 8 Heap Internals

  7. Windows 8 Back ‐ end • Slightly modified version of the Windows 7 back ‐ end [ RtlpAllocateHeap() ] • Mitigations 1. Freeing of _HEAP structures is prohibited (R.I.P Ben Hawkes tech) 2. Virtually allocated chunks now have randomized locality/size Windows 8 Heap Internals

  8. Windows 8 Back ‐ end (cont.) Windows 8 Heap Internals

  9. Back ‐ end Mitigation I • Prevents the freeing and subsequent allocation of a _HEAP structure in RtlpFreeHeap (). – https://www.lateralsecurity.com/downloads/hawkes_ruxcon ‐ nov ‐ 2008.pdf – Although the direct overwriting can still occur, it is unlikely • Same holds true for RtlpReAllocateHeap () Windows 8 Heap Internals

  10. Back ‐ end Mitigation I (cont.) RtlpFreeHeap(_HEAP *heap, DWORD flags, void *header, void *mem) { . . . if(heap == header) { RtlpLogHeapFailure(9, heap, header, 0, 0, 0); return 0; } . . . } Windows 8 Heap Internals

  11. Back ‐ end Mitigation II • Chunk that exceeds the VirtualMemoryThreshold will be serviced by NtAllocateVirtualMemory () • Previously, the allocations occurred with a potential for semi ‐ predictable locations and sizes • Changes have been made to add a random offset to the base address when allocating large chunks in RtlpAllocateHeap () • Hope to encapsulate virtual chunk in inaccessible memory (MEM_RESERVE) • Note : If safe ‐ linking fails the application will only terminate if HeapTerminateOnCorruption has been set via HeapSetInformation (), otherwise the chunk is NOT linked in but still RETURNED Windows 8 Heap Internals

  12. Back ‐ end Mitigation II //VirtualMemoryThreshold set to 0x7F000 in CreateHeap() int request_size = Round(request_size) int block_size = request_size / 8; if(block_size > heap ‐ >VirtualMemoryThreshold) { int rand_offset = (RtlpHeapGenerateRandomValue32() & 0xF) << 12; request_size += 24; int region_size = request_size + 0x1000 + rand_offset; void *virtual_base, *virtual_chunk; int protect = PAGE_READWRITE; if(heap ‐ >flags & 0x40000) protect = PAGE_EXECUTE_READWRITE; //Attempt to reserve region_size bytes of memory if(NtAllocateVirtualMemory( ‐ 1, &virtual_base, 0, &region_size, MEM_RESERVE, protect) < 0) goto cleanup_and_return; virtual_chunk = virtual_base + rand_offset; if(NtAllocateVirtualMemory( ‐ 1, &virtual_chunk, 0, &request_size, MEM_COMMIT, protect) < 0) goto cleanup_and_return; //XXX Set headers and safe link ‐ in return virtual_chunk; } Windows 8 Heap Internals

  13. Windows 8 Heap Internals User Land Front End Windows 8 Heap Internals

  14. Windows 8 Front ‐ End • Major changes to allocation and free algorithms and moderate changes to integral data structures • RtlpLowFragHeapAllocFromContext () will not be a “matched function” by BinDiff between Windows 7 and Windows 8 • Mostly the same data structures but offsets and members have changed a bit Windows 8 Heap Internals

  15. Windows 8 Front ‐ End Mitigations • Mitigations 1. Front ‐ End Activation Dedicated counters/index instead of ListHint ‐ >Blink • FrontEndHeapUsageData[] (See paper) • 2. Front ‐ End Allocation FreeEntryOffset removed • Non ‐ deterministic allocations • 3. Fast Fail RtlpLowFragHeapAllocFromZone() implements fast fail • Also additional checking compared to Windows 7 – 4. Guard Pages 5. Arbitrary Free Mitigation 6. Exception Handling Removal Windows 8 Heap Internals

  16. Windows 7 Front ‐ End Windows 8 Heap Internals

  17. Windows 7 Front ‐ End Allocation 0 Windows 8 Heap Internals

  18. Windows 7 Front ‐ End Allocation I Windows 8 Heap Internals

  19. Windows 7 Front ‐ End Allocation II Windows 8 Heap Internals

  20. Windows 7 Front ‐ End Allocation III Windows 8 Heap Internals

  21. Windows 8 Front ‐ End Windows 8 Heap Internals

  22. Windows 8 Randomization • RtlpLowFragHeapRandomData initialized from RtlpCreateLowFragHeap and SlotIndex is updated on _HEAP_SUBSEGMENT creation [ RtlpSubSegmentInitialize ()] RtlpInitializeLfhRandomDataArray() { int RandIndex = 0; do { //ensure that all bytes are unsigned int newrand1 = RtlpHeapGenerateRandomValue32() & 0x7F7F7F7F; int newrand2 = RtlpHeapGenerateRandomValue32() & 0x7F7F7F7F; RtlpLowFragHeapRandomData[RandIndex] = newrand1; RtlpLowFragHeapRandomData[RandIndex+1] = newrand2; RandIndex+=2; } while(RandIndex < 64) } Windows 8 Heap Internals

  23. Windows 8 Front ‐ End Allocation 0 Windows 8 Heap Internals

  24. Windows 8 Front ‐ End Allocation I Windows 8 Heap Internals

  25. Windows 8 Front ‐ End Allocation II Windows 8 Heap Internals

  26. Windows 8 Front ‐ End Allocation III Windows 8 Heap Internals

  27. Win 7 vs Win 8 Allocation • Windows 7 – Will sequentially allocate chunks from the UserBlock – No validation of FreeEntryOffset, hence it can be overwritten and used as an exploitation primitive • Windows 8 – Randomized array used to search a bitmap – Bitmap will select the chunk, update itself and use a different random location each time – Heap determinism goes down significantly – FreeEntryOffset no longer kept in user data, therefore FreeEntryOffset Overwrite technique has died  Windows 8 Heap Internals

  28. Windows 8 Front ‐ End Mitigation III • Fast Fail – INT 0x29 Interupt – Designed to ensure ‘fast failing’ • http://www.alex ‐ ionescu.com/?p=69 – Search “CD 29” (x86) and find instances all over ntdll.dll – Only one assertion in the LFH, otherwise use the RtlpLogHeapFailure () function and rely upon HeapTerminateOnCorruption flag Windows 8 Heap Internals

  29. Windows 8 Front ‐ End Mitigation III • Bad News: Windows 8 checks LFH ‐ >SubSegmentZones _HEAP_SUBSEGMENT *RtlpLowFragHeapAllocateFromZone(_LFH_HEAP *LFH, int AffinityIndex) { . . . _LIST_ENTRY *subseg_zones = &LFH ‐ >SubSegmentZones; if(LFH ‐ >SubSegmentZones ‐ >Flink ‐ >Blink != subseg_zones || LFH ‐ >SubSegmentZones ‐ >Blink ‐ >Flink != subseg_zones) __asm{int 29}; } • Good News: Windows 7 has less strict checks Potential for write ‐ 4 primitive  – Windows 8 Heap Internals

  30. Windows Front ‐ End Mitigation IV • Guard Pages were added between _HEAP_USERDATA_HEADER objects to foil overwrites and heap spraying • Therefore, an overflow will need to exist in the same UserBlock, potentially guarding other UserBlock containrs. • After a certain amount of chunks exist for a certain size a guard page will be added for subsequent UserBlock creations • If page_shift == 0x12 || total_blocks >= 0x400 – Add a guard page to the allocation Windows 8 Heap Internals

  31. Windows Front ‐ End Mitigation IV RtlpLowFragHeapAllocFromContext() { . . //determine if we should use a guard page set_guard = false; //The total amount of chunks available for a _HEAP_SUBSEGMENT int total_block = HeapLocalSegInfo ‐ >Counters.TotalBlocks; if(total_blocks > 0x400) total_blocks = 0x400; //there are other operations here, left out for brevity int page_shift = 7; int req_size = total_blocks * RtlpBucketBlockSizes[HeapBucket ‐ >SizeIndex] + 8; req_size = req_size + Round32(total_blocks) + 0x24; do page_shift++; while(req_size >> page_shift); if(page_shift == 0x12 || total_blocks >= 0x400) set_guard = true; //will allocate memory for the UserBlocks and add a guard page if necessary RtlpAllocateUserBlock(LFH, page_shift, BucketByteSize, set_guard); . . } Windows 8 Heap Internals

  32. Windows Front ‐ End Mitigation IV RtlpAllocateUserBlock calls RtlpAllocateUserBlockFromHeap RtlpAllocateUserBlockFromHeap(_HEAP *heap, int size, bool set_guard) { . . _HEAP_USERDATA_HEADER *user_block = RtlAllocateHeap(heap, 0x800001, size ‐ 8); if(set_guard) { int page_size = 0x1000; //get the page aligned address then caluculate the size //plus one page (0x1000) int page_end_addr = (user_block + (size ‐ 8) + 0xFFF) & 0xFFFFF000; int new_size = page_end_addr ‐ user_block + page_size; //reallocate with an additional page of memory appended user_block = RtlReAllocateHeap(heap, 0x800001, user_block, new_size); //make the last page of this memory PAGE_NOACCESS ZwProtectVirtualMemory( ‐ 1, &new_size, &page_size, PAGE_NOACCESS, &output); user_block ‐ >GuardPagePresent = true; } return user_block; } Windows 8 Heap Internals

  33. Windows Front ‐ End Mitigation IV Windows 8 Heap Internals

Recommend

Roadmap for Section 4.3. Windows Process and Thread Internals Thread Block, Process Block Flow

Roadmap for Section 4.3. Windows Process and Thread Internals Thread Block, Process Block Flow

Unit OS4: Scheduling and Dispatch 4.3. Windows Process and Thread Internals Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 4.3. Windows Process and Thread Internals Thread

438 views • 15 slides
GHC heap internals Nikita Frolov &lt; frolov@chalmers.se &gt; (courtesy of Bob Ippolito,

GHC heap internals Nikita Frolov &lt; frolov@chalmers.se &gt; (courtesy of Bob Ippolito,

GHC heap internals Nikita Frolov &lt; frolov@chalmers.se &gt; (courtesy of Bob Ippolito, http://bob.ippoli.to/haskell-for-erlangers-2014/) GHC RTS https://ghc.haskell.org/trac/ghc/wiki/Commentary/Rts scheduler garbage collector

448 views • 14 slides
Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Unit OS B: Comparing the Linux and Windows Kernels Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux

430 views • 25 slides
Roadmap for Section A.1 General Concepts - Windows Networking Domains &amp; Active Directory The

Roadmap for Section A.1 General Concepts - Windows Networking Domains &amp; Active Directory The

Unit OS A: Windows Networking A.1. Networking Components in Windows Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section A.1 General Concepts - Windows Networking Domains &amp;

443 views • 28 slides
Roadmap for Section 2.3. Environment Subsystems System Service Dispatching Windows on Windows -

Roadmap for Section 2.3. Environment Subsystems System Service Dispatching Windows on Windows -

Unit OS2: Operating System Principles 2.3. Windows on Windows - OS Personalities Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 2.3. Environment Subsystems System

678 views • 20 slides
ADVANCED HEAP MANIPULATION IN WINDOWS 8 Who Am I Zhenhua(Eric) Liu Senior Security Researcher

ADVANCED HEAP MANIPULATION IN WINDOWS 8 Who Am I Zhenhua(Eric) Liu Senior Security Researcher

ADVANCED HEAP MANIPULATION IN WINDOWS 8 Who Am I Zhenhua(Eric) Liu Senior Security Researcher Fortinet, Inc. Previous: Dissecting Adobe ReaderXs Sandbox: Breeding Sandworms@BlackHat EU 2012 Agenda 0x01: Why start this research 0x02:

1.13k views • 102 slides
Roadmap for Section 7.2. Windows Security Features Components of the Security System Windows

Roadmap for Section 7.2. Windows Security Features Components of the Security System Windows

Unit OS7: Security 7.2. Windows Security Components and Concepts Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 7.2. Windows Security Features Components of the Security

453 views • 14 slides
Roadmap for Section 9.3 Windows XP Embedded Design Goals Development Tool Support OS

Roadmap for Section 9.3 Windows XP Embedded Design Goals Development Tool Support OS

Unit OS9: Real-Time and Embedded Systems 9.3. Embedded Systems with Windows XP Embedded Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 9.3 Windows XP Embedded Design Goals

336 views • 15 slides
PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low

PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low

ERIE COUNTY DEPARTMENT OF SOCIAL SERVICES Program Overview PROGRAM HEAP 2020-2021 WHAT IS HEAP? HEAP is a federally funded program that assists low income households to reduce energy expense s. HEAP PROGRAMS Regular HEAP Available

531 views • 14 slides
Roadmap for Section 9.2 Windows NT/2000/XP/2003 real-time behavior Windows NT/2000/XP/2003 I/O

Roadmap for Section 9.2 Windows NT/2000/XP/2003 real-time behavior Windows NT/2000/XP/2003 I/O

Unit OS9: Real-Time and Embedded Systems 9.2. Real-Time Systems with Windows Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 9.2 Windows NT/2000/XP/2003 real-time behavior

606 views • 24 slides
Roadmap for Section 11.2 Windows Boot Process Shutdown Causes for Crashes Recovery Console and

Roadmap for Section 11.2 Windows Boot Process Shutdown Causes for Crashes Recovery Console and

Unit OS11: Performance Evaluation 11.2. Boot/Startup Troubleshooting Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 11.2 Windows Boot Process Shutdown Causes for Crashes

706 views • 28 slides
Roadmap for Section C.1 Windows Services for UNIX 3.5 NFS client/server Lightweight Directory

Roadmap for Section C.1 Windows Services for UNIX 3.5 NFS client/server Lightweight Directory

Unit OS C: Interoperability C.1. File and Command Interoperability Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section C.1 Windows Services for UNIX 3.5 NFS client/server

381 views • 17 slides
Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A)

Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A)

Heapsort Build-Max-Heap Next we build a full heap from an unsorted sequence Build-Max-Heap(A) for i = floor( A.length/2 ) to 1 Max-Heapify(A, i) Build-Max-Heap Red part is already Heapified Build-Max-Heap Correctness: Base: Each alone

429 views • 23 slides
Roadmap for Section 1.3. High-level Overview on Windows Concepts Processes, Threads Virtual

Roadmap for Section 1.3. High-level Overview on Windows Concepts Processes, Threads Virtual

Unit OS1: Overview of Operating Systems 1.3. Windows Operating System Family - Concepts &amp; Tools Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 1.3. High-level

662 views • 17 slides
Roadmap for Section A.2 General Concepts - Berkeley Sockets Creating a socket Binding an address

Roadmap for Section A.2 General Concepts - Berkeley Sockets Creating a socket Binding an address

Unit OS A: Windows Networking A.2. Windows Sockets Programming Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section A.2 General Concepts - Berkeley Sockets Creating a socket

140 views • 12 slides
Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box - Still GUI based - Still makes no sense - No start menu :( - (Install classic shell)... trust me... Windows Server What can it do? - Email

1.06k views • 37 slides
Windows File System Efficiency and Stability of a file system are contradicting requirements. How

Windows File System Efficiency and Stability of a file system are contradicting requirements. How

Unit OS8: File System 8.6. Quiz Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Windows File System Efficiency and Stability of a file system are contradicting requirements. How can the

279 views • 11 slides
Roadmap for Section 8.2 File Systems supported by Windows NTFS Design Goals File System Driver

Roadmap for Section 8.2 File Systems supported by Windows NTFS Design Goals File System Driver

Unit OS8: File System 8.2. Windows File Systems Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 8.2 File Systems supported by Windows NTFS Design Goals File System Driver

496 views • 34 slides
Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The

Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The

Chapter 19: Binomial Heaps We will study another heap structure called, the binomial heap. The binomial heap allows for efficient union, which can not be done efficiently in the binary heap. The extra cost paid is the minimum operation, which

560 views • 24 slides
Windows Kernel Reference Count Vulnerabilities - Case Study Mateusz &quot;j00ru&quot; Jurczyk @

Windows Kernel Reference Count Vulnerabilities - Case Study Mateusz &quot;j00ru&quot; Jurczyk @

Windows Kernel Reference Count Vulnerabilities - Case Study Mateusz &quot;j00ru&quot; Jurczyk @ ZeroNights E.0x02 November 2012 PS C:\Users\j00ru&gt; whoami nt authority\system Microsoft Windows internals fanboy Also into reverse

976 views • 80 slides
When Testing in Production is a Good Idea Dan Robinson CTO, Heap whoami Joined as Heap's

When Testing in Production is a Good Idea Dan Robinson CTO, Heap whoami Joined as Heap's

When Testing in Production is a Good Idea Dan Robinson CTO, Heap whoami Joined as Heap's first hire in July, 2013. Previously an engineer at Palantir. Studied Math &amp; CS at Stanford. What we'll talk about: 1. What is Heap? 2.

695 views • 47 slides
heaps and heapsort on n elements height of a heap is in (log n ) building a heap bottum-up in O (

heaps and heapsort on n elements height of a heap is in (log n ) building a heap bottum-up in O (

heaps and heapsort on n elements height of a heap is in (log n ) building a heap bottum-up in O ( n ) analysis via picture (learn) or using summations (know result) data structures and algorithms building a heap one-by-one in O ( n log n ) 2020

672 views • 7 slides
Roadmap for Section 6.2 I/O System Components Functions of the I/O Manager Control flow for an

Roadmap for Section 6.2 I/O System Components Functions of the I/O Manager Control flow for an

Unit OS6: Device Management 6.2. The Windows I/O System Components Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 6.2 I/O System Components Functions of the I/O Manager

330 views • 14 slides
Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple different versions of Windows 10 that support different features The version of Windows that we will be using is Enterprise edition This

973 views • 53 slides

More recommend