iOS Kernel Heap Armageddon - Hakim

28.11.2014 Views
Heap Feng Shui / Heap Massage / ... • allocate repeatedly ✔ • allocate arbitrary sized memory blocks ✔ • poke allocation holes in specific positions • control the memory layout • fill memory with interesting meta / application data ✔ Stefan Esser • iOS Kernel Heap Armageddon REVISITED • July 2012 • 94

Poking Holes into Allocated Data • deallocation of arbitrary sized memory is possible with • reusing the same dictionary key will delete the previously inserted value • in this example the middle value ZZZ...ZZZ is freed AAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA BBBB AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA CCCC ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ DDDD AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA EEEE AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA CCCC Stefan Esser • iOS Kernel Heap Armageddon REVISITED • July 2012 • 95

Page 1 and 2: http://www.sektioneins.de iOS Kerne

Page 3 and 4: DISCLAIMER iOS 6 • is in beta =>

Page 5 and 6: So what is this talk about? • zon

Page 7 and 8: Some Kernel Zones $ zprint kalloc e

Page 9 and 10: iOS Kernel Zone Allocator 101 • k

Page 11 and 12: iOS Kernel Zone Allocator 101 • z

Page 13 and 14: iOS Kernel Zone Allocator 101 • w

Page 15 and 16: Exploiting the freelist in iOS 6

Page 17 and 18: Overview Managers and Wrappers not

Page 19 and 20: kalloc() • kalloc() is a wrapper

Page 21 and 22: kfree() • kfree() is a bit specia

Page 23 and 24: _MALLOC() • _MALLOC() is a wrappe

Page 25 and 26: _MALLOC() in iOS 5.x void *_MALLOC(

Page 27 and 28: What about kern_os_malloc(), new an

Page 29 and 30: mcache / slab could and might fill

Page 31 and 32: kernel_memory_allocate • “maste

Page 33 and 34: Cross Zone Attacks • what is the

Page 35 and 36: Visualization of Zone Page Allocati













Page 61 and 62: Zone Page Allocation Distribution (

Page 63 and 64: Cross Memory Allocator Attacks •

Page 65 and 66: iOS Kernel C++ • iOS kernel‘s l

Page 67 and 68: OSObject Memory Layout 0x00 0x04 vt

Page 69 and 70: Overwriting an OSObject in Memory

Page 71 and 72: OSArray Memory Layout and Overwriti

Page 73 and 74: “Generic“ Technique to control

Page 75 and 76: Heap Feng Shui / Heap Massage / ...

Page 77 and 78: OSUnserializeXML() • deserializat

Page 79 and 80: How does the parser work? (II) •

Page 81 and 82: How does the parser work? (IV) •

Page 83 and 84: How does the parser work? (VI) •

Page 85 and 86: How does the parser work? (VIII)

Page 87 and 88: Heap Spraying (Remember?) • alloc

Page 89 and 90: Heap Spraying • allocate repeated

Page 91 and 92: Heap Spraying • allocate repeated

Page 93: Fill Arbitrary Sized Memory Blocks

Page 97 and 98: Extra: Keeping Data Allocated • s

kernel

heap

armageddon

esser

revisited

allocations

allocate

visualization

parser

allocator

hakim

hakim.ws

iOS Kernel Heap Armageddon - Hakim

iOS Kernel Heap Armageddon - Hakim ... View more iOS Kernel Heap Armageddon - Hakim

Delete template?

Save as template ?

iOS Kernel Heap Armageddon - Hakim iOS Kernel Heap Armageddon - Hakim