iOS Kernel Heap Armageddon - Hakim

More documents

Recommendations

Info

iOS 5 - kalloc() Zones $ zprint kalloc elem cur max cur max cur alloc alloc zone name size size size #elts #elts inuse size count ------------------------------------------------------------------------------- kalloc.8 8 68K 91K 8704 11664 8187 4K 512 C kalloc.16 16 96K 121K 6144 7776 5479 4K 256 C kalloc.24 24 370K 410K 15810 17496 15567 4K 170 C kalloc.32 32 136K 192K 4352 6144 4087 4K 128 C kalloc.40 40 290K 360K 7446 9216 7224 4K 102 C kalloc.48 48 95K 192K 2040 4096 1475 4K 85 C kalloc.64 64 144K 256K 2304 4096 2017 4K 64 C kalloc.88 88 241K 352K 2806 4096 2268 4K 46 C kalloc.112 112 118K 448K 1080 4096 767 4K 36 C kalloc.128 128 176K 512K 1408 4096 1049 4K 32 C kalloc.192 192 102K 768K 546 4096 507 4K 21 C kalloc.256 256 196K • 1024K iOS 5 introduces 784 4096 new kalloc.* 740 zones 4K 16 C kalloc.384 384 596K 1536K that are 1590 not powers 4096 of 1421 2 4K 10 C kalloc.512 512 48K 512K 96 1024 46 4K 8 C kalloc.768 768 97K 768K 130 1024 115 4K 5 C kalloc.1024 1024 128K • 1024K smallest 128 zone is 1024 now for 880 byte long 4K 4 C kalloc.1536 1536 108K 1536K memory blocks 72 1024 59 12K 8 C kalloc.2048 2048 88K 2048K 44 1024 39 4K 2 C kalloc.3072 3072 672K • 3072K memory 224 block are 1024 aligned 59 to their 12K own 4 C kalloc.4096 4096 120K 4096K 30 1024 28 4K 1 C kalloc.6144 6144 420K 576K size their 70 size is a 96 power 38 of 2 12K 2 C kalloc.8192 8192 176K 32768K 22 4096 20 8K 1 C Stefan Esser • iOS Kernel Heap Armageddon REVISITED • July 2012 • 20
kfree() • kfree() is a bit special • “protection“ against double frees • keeps track of largest allocated memory block • attempt to kfree() a larger block is a NOP Stefan Esser • iOS Kernel Heap Armageddon REVISITED • July 2012 • 21
Page 1 and 2: http://www.sektioneins.de iOS Kerne
Page 3 and 4: DISCLAIMER iOS 6 • is in beta =>
Page 5 and 6: So what is this talk about? • zon
Page 7 and 8: Some Kernel Zones $ zprint kalloc e
Page 9 and 10: iOS Kernel Zone Allocator 101 • k
Page 11 and 12: iOS Kernel Zone Allocator 101 • z
Page 13 and 14: iOS Kernel Zone Allocator 101 • w
Page 15 and 16: Exploiting the freelist in iOS 6
Page 17 and 18: Overview Managers and Wrappers not
Page 19: kalloc() • kalloc() is a wrapper
Page 23 and 24: _MALLOC() • _MALLOC() is a wrappe
Page 25 and 26: _MALLOC() in iOS 5.x void *_MALLOC(
Page 27 and 28: What about kern_os_malloc(), new an
Page 29 and 30: mcache / slab could and might fill
Page 31 and 32: kernel_memory_allocate • “maste
Page 33 and 34: Cross Zone Attacks • what is the
Page 35 and 36: Visualization of Zone Page Allocati
Page 61 and 62: Zone Page Allocation Distribution (
Page 63 and 64: Cross Memory Allocator Attacks •
Page 65 and 66: iOS Kernel C++ • iOS kernel‘s l
Page 67 and 68: OSObject Memory Layout 0x00 0x04 vt
Page 69 and 70: Overwriting an OSObject in Memory
Page 71 and 72:
OSArray Memory Layout and Overwriti
Page 73 and 74:
“Generic“ Technique to control
Page 75 and 76:
Heap Feng Shui / Heap Massage / ...
Page 77 and 78:
OSUnserializeXML() • deserializat
Page 79 and 80:
How does the parser work? (II) •
Page 81 and 82:
How does the parser work? (IV) •
Page 83 and 84:
How does the parser work? (VI) •
Page 85 and 86:
How does the parser work? (VIII)
Page 87 and 88:
Heap Spraying (Remember?) • alloc
Page 89 and 90:
Heap Spraying • allocate repeated
Page 91 and 92:
Heap Spraying • allocate repeated
Page 93 and 94:
Fill Arbitrary Sized Memory Blocks
Page 95 and 96:
Poking Holes into Allocated Data
Page 97 and 98:
Extra: Keeping Data Allocated • s
show all

iOS Kernel Heap Armageddon - Hakim

Create successful ePaper yourself

Delete template?

Save as template?