Exploiting the Jemalloc Memory Allocator - Owning Firefox's Heap
Offered By: Black Hat via YouTube
Course Description
Overview
Explore how the jemalloc memory allocator can be exploited in this Black Hat USA 2012 conference talk. jemalloc is a high-performance heap manager used in Mozilla Firefox, FreeBSD, NetBSD, and various Facebook components. The talk walks through its architecture and central concepts (chunks, runs, regions, region size classes, and bins) and its allocation algorithm, noting that regions carry no inline linked-list pointers, so there is no unlinking or frontlinking to abuse and the exploitation primitives differ from those of classic allocators. It then presents approaches for attacking heap corruption bugs in jemalloc-managed heaps, with Mozilla Firefox as the case study: adjacent memory overwrite between regions of the same size class, run header corruption, and Firefox heap manipulation illustrated with CVE-2011-3026. It closes with mitigations such as redzones and the speakers' jemalloc debugging tool belt, including the gdb/Python script unmask_jemalloc, released to support further research in this area.
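The following C toy model is an added illustration of the design points the overview lists (regions of one size class packed back to back inside a run, a run header in front of them, a free bitmap instead of list pointers) and of the two primitives the syllabus names. It is not jemalloc's source and not the speakers' code: the struct names mirror the talk's vocabulary (run, region, bin, regs_mask), while the field order, region size and regions-per-run count are assumptions chosen to keep the model small.

```c
/* Toy model of jemalloc's small-object layout. Added illustration, not
 * jemalloc's or the speakers' code: names mirror the talk's vocabulary
 * (run, region, bin, regs_mask); sizes and field order are assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define REG_SIZE 64   /* one size class: 64-byte regions */
#define NREGS    8    /* regions per run (toy value) */

typedef struct toy_bin { size_t reg_size; } toy_bin_t;

/* Run header at the start of the run; regions follow it directly. There is
 * no per-region header, so region i ends exactly where region i+1 starts. */
typedef struct toy_run {
    toy_bin_t *bin;        /* bin that owns this run */
    uint32_t   nfree;      /* free regions left */
    uint32_t   regs_mask;  /* bit i set = region i is free */
} toy_run_t;

#define RUN_SIZE (sizeof(toy_run_t) + (size_t)REG_SIZE * NREGS)

static toy_bin_t bin64 = { REG_SIZE };

static void run_init(toy_run_t *run) {
    run->bin = &bin64;
    run->nfree = NREGS;
    run->regs_mask = (1u << NREGS) - 1;
}

/* Lowest free region first, like jemalloc's bitmap scan; no list walking. */
static void *run_alloc(toy_run_t *run) {
    if (run->regs_mask == 0) return NULL;
    unsigned i = 0;
    while (!(run->regs_mask & (1u << i))) i++;
    run->regs_mask &= ~(1u << i);
    run->nfree--;
    return (uint8_t *)(run + 1) + (size_t)i * run->bin->reg_size;
}

/* Free only flips a bit: nothing to unlink, no inline metadata to check. */
static void run_free(toy_run_t *run, void *p) {
    unsigned i = (unsigned)(((uint8_t *)p - (uint8_t *)(run + 1)) / run->bin->reg_size);
    run->regs_mask |= 1u << i;
    run->nfree++;
}

/* Adjacent memory overwrite: writing `overflow` bytes past region a lands in
 * region b, which was handed out right after it. Returns bytes of b clobbered. */
int adjacent_overwrite_demo(size_t overflow) {
    uint8_t *chunk = calloc(1, RUN_SIZE);
    toy_run_t *run = (toy_run_t *)chunk;
    run_init(run);
    uint8_t *a = run_alloc(run);
    uint8_t *b = run_alloc(run);            /* b == a + REG_SIZE */
    memset(b, 'B', REG_SIZE);
    memset(a, 'A', REG_SIZE + overflow);    /* the bug: writes past a */
    int clobbered = 0;
    for (size_t i = 0; i < REG_SIZE; i++) clobbered += (b[i] == 'A');
    free(chunk);
    return clobbered;
}

/* Heap manipulation: the next allocation of a size class reuses the lowest
 * free region, so freeing a and allocating again returns a's address. */
int reuse_after_free_demo(void) {
    uint8_t *chunk = calloc(1, RUN_SIZE);
    toy_run_t *run = (toy_run_t *)chunk;
    run_init(run);
    uint8_t *a = run_alloc(run);
    run_alloc(run);                         /* neighbour stays live */
    run_free(run, a);
    int same = (run_alloc(run) == a);
    free(chunk);
    return same;
}

/* Run header corruption: two runs sit back to back in a chunk, so overflowing
 * the LAST region of run1 overwrites run2's header. A regs_mask with every bit
 * set makes run2 hand out a region that is still in use. Returns 1 if the new
 * allocation overlaps the live victim region. */
int run_header_corruption_demo(void) {
    uint8_t *chunk = calloc(1, 2 * RUN_SIZE);
    toy_run_t *run1 = (toy_run_t *)chunk;
    toy_run_t *run2 = (toy_run_t *)(chunk + RUN_SIZE);
    run_init(run1);
    run_init(run2);
    uint8_t *victim = run_alloc(run2);      /* live data in run2, region 0 */
    memset(victim, 'V', REG_SIZE);
    uint8_t *last = NULL;
    for (unsigned i = 0; i < NREGS; i++) last = run_alloc(run1);
    /* attacker-controlled overflow: REG_SIZE bytes plus a forged run header */
    uint8_t payload[REG_SIZE + sizeof(toy_run_t)];
    memset(payload, 'A', REG_SIZE);
    toy_run_t fake = { &bin64, NREGS, (1u << NREGS) - 1 };
    memcpy(payload + REG_SIZE, &fake, sizeof fake);
    memcpy(last, payload, sizeof payload);  /* the bug: writes into run2's header */
    int overlap = (run_alloc(run2) == victim);
    free(chunk);
    return overlap;
}
```

The point to take from the model is that nothing between two regions, or between the last region of one run and the header of the next, validates a write: the only metadata is a bitmap in the run header, so an off-by-a-few overflow corrupts neighbouring user data silently, and a larger one reaches the header and turns into an overlapping-allocation primitive. Real jemalloc adds page maps, arena locks and size-class rounding that the toy omits; the redzone mitigation the talk discusses is precisely a guard inserted between regions to make the first case detectable.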
Syllabus
Intro
Outline
jemalloc flavors... yummy
SMP systems & multithreaded applications
jemalloc overview
Central concepts
jemalloc basic design
Chunks (arena_chunk_t)
Runs (arena_run_t)
Regions
Region size classes
Bins (arena_bin_t)
Architecture of jemalloc
Allocation algorithm
No unlinking, no frontlinking
Exploitation techniques
Adjacent memory overwrite
Run header corruption
OS X and gdb/Python
unmask_jemalloc
Firefox heap manipulation
CVE-2011-3026
The vulnerability
Mitigations
Redzone
Concluding remarks
Acknowledgements
References
Taught by
Black Hat