Lecture 07 Heap control data. Stephen Checkoway University of Illinois at Chicago

Size: px

Start display at page:

Download "Lecture 07 Heap control data. Stephen Checkoway University of Illinois at Chicago"

Vanessa Richards
6 years ago
Views:

1 Lecture 07 Heap control data Stephen Checkoway University of Illinois at Chicago

Layout of program memory Heap is managed by malloc - Many different malloc implementations - glibc uses a modified version of Doug Lea s Malloc (dlmalloc) Responsibilities -

2 Layout of program memory Heap is managed by malloc - Many different malloc implementations - glibc uses a modified version of Doug Lea s Malloc (dlmalloc) Responsibilities - Requesting pages of memory from the OS - Managing free chunks of memory - Allocating memory for the program Image source:

3 Chunks Basic unit of memory managed by malloc prev_: of the previous chunk in memory : of this chunk - lsb is 1 if the previous chunk is in use (PREV_IN_USE bit) : forward pointer in free list : backward pointer in free list struct malloc_chunk { _t prev_; _t ; struct malloc_chunk *; struct malloc_chunk *; }

4 Free chunks/free lists A chunk can be allocated or free Free chunks are stored in doubly-linked lists using the and pointers prev_ refers to the of the previous chunk adjacent to the current chunk, not the chunk pointed to by the pointer malloc maintains several different free lists for chunks of various s

5 Example (lie, truth shortly) prev_ xx 801 unallocated space

6 Example (lie, truth shortly) prev_ xx 801 unallocated space void *p = malloc(100); prev_ prev_ xx 117 NULL NULL 100-byte user data unallocated space p

7 Example (lie, truth shortly) prev_ xx 801 unallocated space void *p = malloc(100); prev_ prev_ xx 117 NULL NULL 100-byte user data unallocated space p void *q = malloc(300); prev_ prev_ prev_ xx 117 NULL NULL 100-byte user data NULL NULL 300-byte user data p q

8 Freeing chunks When freeing a chunk c, malloc looks at the chunk just before and the chunk just after c to see if they are free The adjacent free chunks are - removed from their free lists - combined with c to form a new, larger chunk c c (or c if neither neighbor were free) is added to a free list Malloc uses the prev_ and fields plus some pointer arithmetic to find the preceding and following chunks Malloc uses the lsb of the fields to determine if the previous chunks are in use or free

9 Optimization and are only used when the chunk is free prev_ is only used when the previous chunk is free (to combine struct malloc_chunk { _t prev_; _t ; struct malloc_chunk *; with the current chunk) Malloc saves space by overlapping these fields with user data } struct malloc_chunk *;

10 Optimization and are only used when the chunk is free prev_ is only used when the previous chunk is free (to combine struct malloc_chunk { _t prev_; _t ; struct malloc_chunk *; with the current chunk) Malloc saves space by overlapping these fields with user data } struct malloc_chunk *; prev_ prev_ xx 117 NULL NULL 100-byte user data unallocated space p

11 Optimization and are only used when the chunk is free prev_ is only used when the previous chunk is free (to combine struct malloc_chunk { _t prev_; _t ; struct malloc_chunk *; with the current chunk) Malloc saves space by overlapping these fields with user data } struct malloc_chunk *; prev_ prev_ xx 117 NULL NULL 100-byte user data unallocated space p byte user data 697 unallocated space p

12 Example (truth but not to scale) 801 unallocated space

13 Example (truth but not to scale) 801 unallocated space void *p = malloc(100);

14 Example (truth but not to scale) 801 unallocated space void *p = malloc(100); byte user data 697 unallocated space p

15 Example (truth but not to scale) 801 unallocated space void *p = malloc(100); byte user data 697 unallocated space p void *q = malloc(300);

16 Example (truth but not to scale) 801 unallocated space void *p = malloc(100); byte user data 697 unallocated space p void *q = malloc(300); byte user data byte user data 393 unallocated space p q

17 Example continued byte user data byte user data 393 unallocated space p q

18 Example continued byte user data byte user data 393 unallocated space p free(p); q

19 Example continued byte user data byte user data 393 unallocated space p free(p); q prev_ 105 u-s byte user data 393 unallocated space q

20 Example continued byte user data byte user data 393 unallocated space p free(p); q prev_ 105 u-s byte user data 393 unallocated space q void *r = malloc(252);

21 Example continued byte user data byte user data 393 unallocated space p free(p); q prev_ 105 u-s byte user data 393 unallocated space q void *r = malloc(252); prev_ 105 u-s byte user data byte user data 137 q r

22 Example continued prev_ 105 u-s byte user data byte user data 137 q r

23 Example continued prev_ 105 u-s byte user data byte user data 137 free(q); q r

24 Example continued prev_ 105 u-s byte user data byte user data 137 free(q); q r prev_ 409 unallocated space byte user data 137 r

25 Example continued prev_ 105 u-s byte user data byte user data 137 free(q); q r prev_ 409 unallocated space byte user data 137 r free(r);

26 Example continued prev_ 105 u-s byte user data byte user data 137 free(q); q r prev_ 409 unallocated space byte user data 137 r free(r); 801 unallocated space

27 Removing chunks from free lists Chunks are removed using the unlink macro P is the chunk to unlink BK and FD are temporaries #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ BK-> = FD; P

28 Removing chunks from free lists Chunks are removed using the unlink macro P is the chunk to unlink BK and FD are temporaries #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ BK-> = FD; BK P

29 Removing chunks from free lists Chunks are removed using the unlink macro P is the chunk to unlink BK and FD are temporaries #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ BK-> = FD; BK P FD

30 Removing chunks from free lists Chunks are removed using the unlink macro P is the chunk to unlink BK and FD are temporaries #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ BK-> = FD; BK P FD

31 Removing chunks from free lists Chunks are removed using the unlink macro P is the chunk to unlink BK and FD are temporaries #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ BK-> = FD; BK P FD

32 Overwriting heap metadata The chunk metadata is inline (meaning the user data and the metadata are side-by-side) We can modify the metadata with a buffer overflow on the heap Consider char *x = malloc(100); void *y = malloc(100); strcpy(x, attacker_controlled); free(y); x y We can overflow x and overwrite y s metadata

33 Attacking malloc x y When free(y) is called, it will examine x s chunk to see if it is free. If x s chunk is free, then unlink will be called on it to remove it from its free list We can carefully structure the attacker-controlled data to - convince free that x s chunk is free (how do we do this?) - convince the unlink macro to overwrite a saved instruction pointer on the stack by setting x s chunk s and pointers - inject shellcode When the function returns, our shellcode runs!

34 Attacking malloc prev_ x y 1. Change y s chunk s from 105 to 104 (clears the PREV_IN_USE bit); y s chunk s prev_ and x s chunk s and are now used

35 Attacking malloc prev_ x y 1. Change y s chunk s from 105 to 104 (clears the PREV_IN_USE bit); y s chunk s prev_ and x s chunk s and are now used 2. Set y s chunk s prev_ to 104 so free looks back 104 bytes to find the start of the chunk to unlink

36 Attacking malloc prev_ P x y 1. Change y s chunk s from 105 to 104 (clears the PREV_IN_USE bit); y s chunk s prev_ and x s chunk s and are now used 2. Set y s chunk s prev_ to 104 so free looks back 104 bytes to find the start of the chunk to unlink 3. P in the unlink macro is x s chunk, so its and pointers need to be valid

37 Attacking malloc prev_ P x seip-12 y 1. Change y s chunk s from 105 to 104 (clears the PREV_IN_USE bit); y s chunk s prev_ and x s chunk s and are now used 2. Set y s chunk s prev_ to 104 so free looks back 104 bytes to find the start of the chunk to unlink 3. P in the unlink macro is x s chunk, so its and pointers need to be valid 4. Point P-> to saved eip (seip) - 12

38 Attacking malloc prev_ 105 jmp shellcode P x seip-12 y 1. Change y s chunk s from 105 to 104 (clears the PREV_IN_USE bit); y s chunk s prev_ and x s chunk s and are now used 2. Set y s chunk s prev_ to 104 so free looks back 104 bytes to find the start of the chunk to unlink 3. P in the unlink macro is x s chunk, so its and pointers need to be valid 4. Point P-> to saved eip (seip) Point P-> to a short jump to shellcode

39 Unlinking P (zooming in on P) p_sz 105 jmp shellcode P x Stack y saved eip saved ebp #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ BK-> = FD;

40 Unlinking P (zooming in on P) p_sz 105 jmp shellcode P x BK Stack y saved eip saved ebp #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ BK-> = FD;

41 Unlinking P (zooming in on P) p_sz 105 jmp shellcode P x BK Stack y saved eip saved ebp #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ FD BK-> = FD;

42 Unlinking P (zooming in on P) p_sz 105 jmp shellcode P x BK Stack y saved eip saved ebp #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ FD BK-> = FD;

43 Unlinking P (zooming in on P) p_sz 105 jmp shellcode P x BK Stack y saved eip saved ebp #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ FD BK-> = FD;

Heap Off by 1 Overflow Illustrated. Eric Conrad October 2007

Heap Off by 1 Overflow Illustrated Eric Conrad October 2007 1 The Attack Older CVS versions are vulnerable to an Off by 1 attack, where an attacker may insert one additional character into the heap CVS