Heap-based exploitation is an active area of software vulnerability research. All known heap allocators have security problems, and most mitigations depend entirely on a randomizer. In this workshop we will cover the most recent breakthroughs in modern glibc heap exploitation on Linux, with an emphasis on underlying mathematical techniques for mitigation (focusing on address space layout randomization and safe linking) and mitigation bypass.
The workshop will focus on answering the following questions:
- What is a heap exploit?
- How might glibc's free() be subverted by an attacker during real-world exploitation?
- What counts as state-of-the-art for glibc heap exploitation?
- How are mathematical techniques used for mitigation (e.g. safe linking) and mitigation bypass (e.g. ASLR defeats)?
Most of the workshop will be dedicated to understanding open-source proof-of-concept (POC) code. In the remaining time, we can also examine an open-source case study or discuss recent academic efforts to automate heap vulnerability discovery and exploitation. A GitHub repository containing annotated POCs, notes, and experimental environments (defined in Vagrantfiles) will be made available prior to the workshop.
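As an added illustration (not part of the workshop's POC repository), the safe-linking scheme glibc 2.32 and later applies to tcache and fastbin forward pointers, together with the alignment check that accompanies it; the addresses below are constructed, and the helper names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Safe-linking (glibc >= 2.32): the "next" pointer stored in a free tcache or
 * fastbin chunk is XORed with the address of the slot that holds it, shifted
 * right by 12 (the page size). The mask is therefore nothing but the
 * ASLR-randomized heap position, which is why the mitigation's strength rests
 * on the randomizer rather than on any secret of its own. */
uintptr_t protect_ptr(uintptr_t slot_addr, uintptr_t next) {
    return (slot_addr >> 12) ^ next;
}

uintptr_t reveal_ptr(uintptr_t slot_addr, uintptr_t stored) {
    return (slot_addr >> 12) ^ stored;
}

/* The companion check that does not depend on randomness: a revealed tcache
 * pointer must be 16-byte aligned (MALLOC_ALIGNMENT on x86-64), otherwise
 * malloc aborts with "malloc(): unaligned tcache chunk detected". */
int aligned_ok(uintptr_t ptr) {
    return (ptr & 0xf) == 0;
}

/* Returns 1 when a stored (mangled) value would be rejected by the alignment
 * check after demangling, 0 when it would be accepted. */
int corruption_detected(uintptr_t slot_addr, uintptr_t stored) {
    return !aligned_ok(reveal_ptr(slot_addr, stored));
}

/* Round trip on constructed addresses: mangling changes the stored bits and
 * demangling with the same slot address restores the original pointer. */
int safe_linking_roundtrip(void) {
    uintptr_t slot = 0x55aa00001010ULL; /* constructed: fd field of a free chunk */
    uintptr_t next = 0x55aa00001060ULL; /* constructed: next chunk in the bin */
    uintptr_t stored = protect_ptr(slot, next);
    return stored != next && reveal_ptr(slot, stored) == next;
}

int main(void) {
    uintptr_t slot = 0x55aa00001010ULL;
    printf("round trip ok: %d\n", safe_linking_roundtrip());
    printf("aligned target rejected: %d\n",
           corruption_detected(slot, protect_ptr(slot, 0x55aa00001060ULL)));
    printf("unaligned target rejected: %d\n",
           corruption_detected(slot, protect_ptr(slot, 0x55aa00001008ULL)));
    return 0;
}
```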
CPT Lisa Jones is a member of the National Security Agency’s Applied Mathematics Program (AMP). She is currently touring in Cryptomathematics Research, where she pursues a mathematically grounded approach to software security auditing and tool development. Heap exploitation has been a particular focus of her tour, as work to systematize and automate heap exploitation is still nascent.
CPT Jones previously toured in Trust Mechanisms, applying software verification and testing techniques to investigate processor security. Previous assignments include technical lead for a CNMF special project and defensive capabilities engineer at the Defense Digital Service.
- Prior use of free(), and an interest in the (in)security of their usage in modern applications.
- Familiarity with virtual memory layout of processes.
- Familiarity with basic exploitation concepts (e.g. stack-based buffer overflows and techniques for control flow hijacking).
- Comfort reading library and kernel code.