iOS Kernel Heap Armageddon - Hakim

More documents

Recommendations

Info

How does the parser work? (VII) • string parser object is then converted to an internal OSString object • new operator will allocate 20 bytes for OSString object via kalloc() • OSString contructor will create a copy of the string with kalloc() • string in parser key object will be freed with kern_os_free() Allocations so far: // Dict kern_os_alloc(44) = kalloc(44+4) // Key kern_os_alloc(7+1) = kalloc(7+1+4) kern_os_alloc(44) = kalloc(44+4) kalloc(20) kalloc(7+1) kern_os_free(x, 7+1) = kfree(x, 7+1+4) // Value kern_os_alloc(31+1) = kalloc(31+1+4) kern_os_alloc(44) = kalloc(44+4) kalloc(20) kalloc(31+1) kern_os_free(x, 31+1) = kfree(x, 31+1+4) Stefan Esser • iOS Kernel Heap Armageddon REVISITED • July 2012 • 84
How does the parser work? (VIII) • once all elements are created the closing tag will create the dict • the parser objects will be kept in a freelist and reused for further parsing // Dict kern_os_alloc(44) = kalloc(44+4) // Boolean Value kern_os_alloc(44) = kalloc(44+4) // Key “IsThere“ kern_os_alloc(7+1) = kalloc(7+1+4) kern_os_alloc(44) = kalloc(44+4) kalloc(20) kalloc(7+1) kern_os_free(x, 7+1) = kfree(x, 7+1+4) // Value kern_os_alloc(31+1) = kalloc(31+1+4) kern_os_alloc(44) = kalloc(44+4) kalloc(20) kalloc(31+1) kern_os_free(x, 31+1) = kfree(x, 31+1+4) // Key “Answer“ kern_os_alloc(6+1) = kalloc(6+1+4) kern_os_alloc(44) = kalloc(44+4) kalloc(20) kalloc(6+1) kern_os_free(x, 6+1) = kfree(x, 6+1+4) // Key “Audience“ kern_os_alloc(8+1) = kalloc(8+1+4) kern_os_alloc(44) = kalloc(44+4) kalloc(20) kalloc(8+1) kern_os_free(x, 8+1) = kfree(x, 8+1+4) // String Value kern_os_alloc(23+1) = kalloc(23+1+4) kern_os_alloc(44) = kalloc(44+4) kalloc(20) kalloc(23+1) kern_os_free(x, 23+1) = kfree(x, 23+1+4) // The Dict kalloc(36) kalloc(3*8) Stefan Esser • iOS Kernel Heap Armageddon REVISITED • July 2012 • 85
Page 1 and 2:
http://www.sektioneins.de iOS Kerne
Page 3 and 4:
DISCLAIMER iOS 6 • is in beta =>
Page 5 and 6:
So what is this talk about? • zon
Page 7 and 8:
Some Kernel Zones $ zprint kalloc e
Page 9 and 10:
iOS Kernel Zone Allocator 101 • k
Page 11 and 12:
iOS Kernel Zone Allocator 101 • z
Page 13 and 14:
iOS Kernel Zone Allocator 101 • w
Page 15 and 16:
Exploiting the freelist in iOS 6
Page 17 and 18:
Overview Managers and Wrappers not
Page 19 and 20:
kalloc() • kalloc() is a wrapper
Page 21 and 22:
kfree() • kfree() is a bit specia
Page 23 and 24:
_MALLOC() • _MALLOC() is a wrappe
Page 25 and 26:
_MALLOC() in iOS 5.x void *_MALLOC(
Page 27 and 28:
What about kern_os_malloc(), new an
Page 29 and 30:
mcache / slab could and might fill
Page 31 and 32:
kernel_memory_allocate • “maste
Page 33 and 34: Cross Zone Attacks • what is the
Page 35 and 36: Visualization of Zone Page Allocati
Page 61 and 62: Zone Page Allocation Distribution (
Page 63 and 64: Cross Memory Allocator Attacks •
Page 65 and 66: iOS Kernel C++ • iOS kernel‘s l
Page 67 and 68: OSObject Memory Layout 0x00 0x04 vt
Page 69 and 70: Overwriting an OSObject in Memory
Page 71 and 72: OSArray Memory Layout and Overwriti
Page 73 and 74: “Generic“ Technique to control
Page 75 and 76: Heap Feng Shui / Heap Massage / ...
Page 77 and 78: OSUnserializeXML() • deserializat
Page 79 and 80: How does the parser work? (II) •
Page 81 and 82: How does the parser work? (IV) •
Page 83: How does the parser work? (VI) •
Page 87 and 88: Heap Spraying (Remember?) • alloc
Page 89 and 90: Heap Spraying • allocate repeated
Page 91 and 92: Heap Spraying • allocate repeated
Page 93 and 94: Fill Arbitrary Sized Memory Blocks
Page 95 and 96: Poking Holes into Allocated Data
Page 97 and 98: Extra: Keeping Data Allocated • s
show all

iOS Kernel Heap Armageddon - Hakim

Create successful ePaper yourself

Delete template?

Save as template?