iOS Kernel Heap Armageddon

More documents

Recommendations

Info

Poking Holes into Allocated Data • deallocation of arbitrary sized memory is possible with • reusing the same dictionary key will delete the previously inserted value • in this example the middle value ZZZ...ZZZ is freed AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BBBB AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA CCCC ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ DDDD AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA EEEE AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA CCCC Stefan Esser • iOS Kernel Heap Armageddon • April 2012 • 92
Heap Feng Shui / Heap Massage / ... • allocate repeatedly ✔ • allocate arbitrary sized memory blocks ✔ • poke allocation holes in specific positions ✔ • control the memory layout ✔ • fill memory with interesting meta / application data ✔ Stefan Esser • iOS Kernel Heap Armageddon • April 2012 • 93
Page 1 and 2:
iOS Kernel Heap Armageddon Stefan E
Page 3 and 4:
Recap... • public iOS kernel heap
Page 5 and 6:
Part I Zone Allocator Recap Stefan
Page 7 and 8:
iOS Kernel Zone Allocator 101 • k
Page 9 and 10:
iOS Kernel Zone Allocator 101 • z
Page 11 and 12:
iOS Kernel Zone Allocator 101 • w
Page 13 and 14:
Part II Other Heap Managers and Wra
Page 15 and 16:
Let‘s have a look at kalloc() Ste
Page 17 and 18:
iOS 5 - kalloc() Zones $ zprint kal
Page 19 and 20:
Let‘s have a look at _MALLOC() St
Page 21 and 22:
_MALLOC() in iOS 4.x void *_MALLOC(
Page 23 and 24:
Overwriting _MALLOC()ed Data • ch
Page 25 and 26:
kern_os_malloc() • kern_os_malloc
Page 27 and 28:
and kernel_memory_allocate ??? Stef
Page 29 and 30:
Part III Cross Zone or Cross Memory
Page 31 and 32:
Visualization of Zone Page Allocati
Page 33 and 34:
Page 35 and 36:
Page 37 and 38:
Page 39 and 40:
Page 41 and 42: Visualization of Zone Page Allocati
Page 57 and 58: Zone Page Allocation Distribution
Page 59 and 60: Zone Page Allocation Distribution
Page 61 and 62: Part IV Kernel Heap Application Dat
Page 63 and 64: iOS Kernel C++ Base Objects Stefan
Page 65 and 66: OSObject Retain Count • reference
Page 67 and 68: OSString Memory Layout and Overwrit
Page 69 and 70: Part V “Generic“ Technique to c
Page 71 and 72: Heap Spraying • allocate repeated
Page 73 and 74: Once Technique to rule them all...
Page 75 and 76: How does the parser work? (I) • p
Page 77 and 78: How does the parser work? (III) •
Page 79 and 80: How does the parser work? (V) • k
Page 81 and 82: How does the parser work? (VII) •
Page 83 and 84: Memory Sizes Cheat Sheet OSArray OS
Page 85 and 86: Allocate Repeatedly • there is no
Page 87 and 88: Allocate Attacker Controlled Data
Page 89 and 90: Heap Feng Shui / Heap Massage / ...
Page 91: Heap Feng Shui / Heap Massage / ...
Page 95: Questions ? Stefan Esser • iOS Ke
show all

iOS Kernel Heap Armageddon

Create successful ePaper yourself

Delete template?

Save as template?