Heap Layout Optimisation for Exploitation

Offered By: Black Hat via YouTube

Tags

Black Hat Courses, Cybersecurity Courses, Experimental Design Courses, Noise Reduction Courses, Fuzzing Courses, Vulnerability Research Courses

Course Description

Overview

Explore an automatic, black-box approach to heap layout optimisation for exploitation in this Black Hat conference talk. Delve into the algorithm, which uses pseudo-random search over allocator interactions triggered through the target application. Learn about constructing primitives, physical heap layout optimisation, the problem setting and its restrictions, the challenges posed by heap allocation mechanisms and policies, and the algorithmic approach to solving them. Examine the experimental setup, including noise considerations and a summary of the results. Discover techniques for automatic HLO in real programs, including identifying available interaction sequences, synthesising PHP fragments, and fuzzing for allocator interactions. Investigate fragmentation, black-box random search for PHP, and methods for finding interesting corruption targets. Gain insights into vulnerability templates, the system architecture, and vulnerability-targeted corruption. Conclude with an evaluation of the presented techniques and key takeaways for applying this approach in exploitation scenarios.

Syllabus

Intro
Constructing Primitives
Reality ...
Physical Heap Layout Optimisation (HLO)
Problem Setting & Restrictions
To Solve
Challenges
Heap Allocation Mechanisms and Policies
An Algorithmic Approach
Design Considerations
Experimental Setup
Noise
Experiments
Experimental Summary
Automatic HLO for Real Programs
Why a 'Skeleton'?
Identifying Available Interaction Sequences
Synthesising PHP Fragments
Fuzzing for Allocator Interactions
Fragmentation
Black Box Random Search for PHP
Finding Interesting Corruption Targets
Vulnerability Templates
Architecture
Vulnerability-Targeted Corruption
Evaluation
Takeaways
Taught by

Black Hat