iOS Kernel Heap Armageddon

More documents

Recommendations

Info

How does the parser work? (VIII) • once all elements are created the closing tag will create the dict • the parser objects will be kept in a freelist and reused for further parsing // Dict kern_os_alloc(44) = kalloc(44+4) // Key “IsThere“ kern_os_alloc(7+1) = kalloc(7+1+4) kern_os_alloc(44) = kalloc(44+4) kalloc(20) kalloc(7+1) kern_os_free(x, 7+1) = kfree(x, 7+1+4) // Value kern_os_alloc(31+1) = kalloc(31+1+4) kern_os_alloc(44) = kalloc(44+4) kalloc(20) kalloc(31+1) kern_os_free(x, 31+1) = kfree(x, 31+1+4) // Key “Answer“ kern_os_alloc(6+1) = kalloc(6+1+4) kern_os_alloc(44) = kalloc(44+4) kalloc(20) kalloc(6+1) kern_os_free(x, 6+1) = kfree(x, 6+1+4) // Boolean Value kern_os_alloc(44) = kalloc(44+4) // Key “Audience“ kern_os_alloc(8+1) = kalloc(8+1+4) kern_os_alloc(44) = kalloc(44+4) kalloc(20) kalloc(8+1) kern_os_free(x, 8+1) = kfree(x, 8+1+4) // String Value kern_os_alloc(23+1) = kalloc(23+1+4) kern_os_alloc(44) = kalloc(44+4) kalloc(20) kalloc(23+1) kern_os_free(x, 23+1) = kfree(x, 23+1+4) // The Dict kalloc(36) kalloc(3*8) Stefan Esser • iOS Kernel Heap Armageddon • April 2012 • 82
Memory Sizes Cheat Sheet OSArray OSDictionary OSData OSSet OSNumber OSString OSBoolean in memory size kalloc zone size additional alloc 36 40 + capacity * 4 36 40 + capacity * 8 28 32 + capacity 24 24 + sizeof(OSArray) 24 24 20 24 + strlen + 1 12 16 Stefan Esser • iOS Kernel Heap Armageddon • April 2012 • cannot be generated by OSUnserializeXML() 83
Page 1 and 2:
iOS Kernel Heap Armageddon Stefan E
Page 3 and 4:
Recap... • public iOS kernel heap
Page 5 and 6:
Part I Zone Allocator Recap Stefan
Page 7 and 8:
iOS Kernel Zone Allocator 101 • k
Page 9 and 10:
iOS Kernel Zone Allocator 101 • z
Page 11 and 12:
iOS Kernel Zone Allocator 101 • w
Page 13 and 14:
Part II Other Heap Managers and Wra
Page 15 and 16:
Let‘s have a look at kalloc() Ste
Page 17 and 18:
iOS 5 - kalloc() Zones $ zprint kal
Page 19 and 20:
Let‘s have a look at _MALLOC() St
Page 21 and 22:
_MALLOC() in iOS 4.x void *_MALLOC(
Page 23 and 24:
Overwriting _MALLOC()ed Data • ch
Page 25 and 26:
kern_os_malloc() • kern_os_malloc
Page 27 and 28:
and kernel_memory_allocate ??? Stef
Page 29 and 30:
Part III Cross Zone or Cross Memory
Page 31 and 32: Visualization of Zone Page Allocati
Page 57 and 58: Zone Page Allocation Distribution
Page 59 and 60: Zone Page Allocation Distribution
Page 61 and 62: Part IV Kernel Heap Application Dat
Page 63 and 64: iOS Kernel C++ Base Objects Stefan
Page 65 and 66: OSObject Retain Count • reference
Page 67 and 68: OSString Memory Layout and Overwrit
Page 69 and 70: Part V “Generic“ Technique to c
Page 71 and 72: Heap Spraying • allocate repeated
Page 73 and 74: Once Technique to rule them all...
Page 75 and 76: How does the parser work? (I) • p
Page 77 and 78: How does the parser work? (III) •
Page 79 and 80: How does the parser work? (V) • k
Page 81: How does the parser work? (VII) •
Page 85 and 86: Allocate Repeatedly • there is no
Page 87 and 88: Allocate Attacker Controlled Data
Page 89 and 90: Heap Feng Shui / Heap Massage / ...
Page 95: Questions ? Stefan Esser • iOS Ke
show all

iOS Kernel Heap Armageddon

Create successful ePaper yourself

Delete template?

Save as template?