Heap Layout Optimisation for Exploitation

Explore an automatic, blackbox approach to heap layout optimisation for exploitation in this Black Hat conference talk. Delve into the algorithm that utilizes pseudo-random search over allocator interactions triggered via target applications. Learn about constructing primitives, physical heap layout optimisation, problem settings and restrictions, challenges in heap allocation mechanisms and policies, and the algorithmic approach to solving these issues. Examine the experimental setup, including noise considerations and results summary. Discover techniques for automatic HLO in real programs, including identifying interaction sequences, synthesizing PHP fragments, and fuzzing for allocator interactions. Investigate fragmentation, black box random search for PHP, and methods for finding interesting corruption targets. Gain insights into vulnerability templates, architecture, and vulnerability-targeted corruption. Conclude with an evaluation of the presented techniques and key takeaways for implementing this approach in exploitation scenarios.

Intro
Constructing Primitives
Reality ...
Physical Heap Layout Optimisation (HLO)
Problem Setting & Restrictions
To Solve
Challenges
Heap Allocation Mechanisms and Policies
An Algorithmic Approach
Design Considerations
Experimental Setup
Noise
Experiments
Experimental Summary
Automatic HLO for Real Programs
Why a 'Skeleton'?
Identifying Available Interaction Sequences
Synthesising PHP Fragments
Fuzzing for Allocator Interactions
Fragmentation
Black Box Random Search for PHP
Finding Interesting Corruption Targets
Vulnerability Templates
Architecture
Vulnerability - Targeted Corruption
Evaluation
Takeaways