iOS Kernel Heap Armageddon

More documents

Recommendations

Info

Zone Page Allocation Distribution (across reboots) after 11800 allocations Stefan Esser • iOS Kernel Heap Armageddon • April 2012 • 58
Zone Page Allocation Distribution • accross 25 reboots there was a single common page among all the allocations • the 26th reboot made it go away • because of the randomness adjacent memory pages are very unlikely • it is not possible to say anything about the relative position of pages • overflowing out of a page will most likely crash Stefan Esser • iOS Kernel Heap Armageddon • April 2012 • 59
Page 1 and 2:
iOS Kernel Heap Armageddon Stefan E
Page 3 and 4:
Recap... • public iOS kernel heap
Page 5 and 6:
Part I Zone Allocator Recap Stefan
Page 7 and 8: iOS Kernel Zone Allocator 101 • k
Page 9 and 10: iOS Kernel Zone Allocator 101 • z
Page 11 and 12: iOS Kernel Zone Allocator 101 • w
Page 13 and 14: Part II Other Heap Managers and Wra
Page 15 and 16: Let‘s have a look at kalloc() Ste
Page 17 and 18: iOS 5 - kalloc() Zones $ zprint kal
Page 19 and 20: Let‘s have a look at _MALLOC() St
Page 21 and 22: _MALLOC() in iOS 4.x void *_MALLOC(
Page 23 and 24: Overwriting _MALLOC()ed Data • ch
Page 25 and 26: kern_os_malloc() • kern_os_malloc
Page 27 and 28: and kernel_memory_allocate ??? Stef
Page 29 and 30: Part III Cross Zone or Cross Memory
Page 31 and 32: Visualization of Zone Page Allocati
Page 57: Zone Page Allocation Distribution
Page 61 and 62: Part IV Kernel Heap Application Dat
Page 63 and 64: iOS Kernel C++ Base Objects Stefan
Page 65 and 66: OSObject Retain Count • reference
Page 67 and 68: OSString Memory Layout and Overwrit
Page 69 and 70: Part V “Generic“ Technique to c
Page 71 and 72: Heap Spraying • allocate repeated
Page 73 and 74: Once Technique to rule them all...
Page 75 and 76: How does the parser work? (I) • p
Page 77 and 78: How does the parser work? (III) •
Page 79 and 80: How does the parser work? (V) • k
Page 81 and 82: How does the parser work? (VII) •
Page 83 and 84: Memory Sizes Cheat Sheet OSArray OS
Page 85 and 86: Allocate Repeatedly • there is no
Page 87 and 88: Allocate Attacker Controlled Data
Page 89 and 90: Heap Feng Shui / Heap Massage / ...
Page 95: Questions ? Stefan Esser • iOS Ke
show all

iOS Kernel Heap Armageddon

Create successful ePaper yourself

Delete template?

Save as template?