Overview
This Black Hat USA 2012 talk covers exploitation of the jemalloc memory allocator, the high-performance heap manager used by Mozilla Firefox, FreeBSD, NetBSD and parts of Facebook's infrastructure. It walks through jemalloc's architecture and central concepts (chunks, runs, regions, size classes and bins) and its allocation algorithm, which tracks free regions with bitmaps rather than linked lists, so there is no unlink- or frontlink-style metadata to abuse. Building on that, it presents exploitation primitives for jemalloc heap corruption bugs: adjacent memory overwrite, where an overflow from one region reaches the neighbouring region of the same size class because regions carry no inline headers, and run header corruption. Mozilla Firefox is the case study, with CVE-2011-3026 used to demonstrate Firefox heap manipulation, and the talk also discusses mitigations such as redzones. The speakers release their jemalloc debugging tool belt (unmask_jemalloc, for gdb/Python, including OS X) to support further research.
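As an added illustration (not code from the talk, and not jemalloc's own code), the following C toy models the run/region layout the talk describes: a run header carrying a free-region bitmap, followed by back-to-back regions of one size class with no per-region metadata. It shows why an overflow from one region lands in the adjacent region (adjacent memory overwrite) and why allocation order inside a run is deterministic (lowest free region first), which is what heap manipulation relies on. The struct name, field set, region size and region count are simplified assumptions; a real jemalloc run lives inside a chunk and keeps more bookkeeping (bin pointer, regs_minelm, several bitmap words).

```c
/* Toy model of a jemalloc run holding regions of one size class.
 * Added example for illustration; not the talk's or jemalloc's code.
 * Assumptions: 16-byte size class, 32 regions per run, one bitmap word. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REGION_SIZE 16   /* assumed small size class */
#define NREGIONS    32   /* assumed regions per run (fits one 32-bit mask) */

/* Run header: in jemalloc this is arena_run_t (bin pointer, regs_minelm,
 * nfree, regs_mask[]). Only the free count and bitmap are modelled here,
 * and the regions follow the header directly, with no headers of their own. */
typedef struct {
    uint32_t nfree;                             /* free regions in this run */
    uint32_t regs_mask;                         /* bit set = region is free */
    uint8_t  regions[NREGIONS * REGION_SIZE];   /* contiguous regions */
} toy_run_t;

static void run_init(toy_run_t *run) {
    run->nfree = NREGIONS;
    run->regs_mask = 0xFFFFFFFFu;
    memset(run->regions, 0, sizeof run->regions);
}

/* Allocate: hand out the lowest free region (lowest set bit), the same
 * policy jemalloc implements with an ffs()-style scan of regs_mask. */
static void *run_alloc(toy_run_t *run) {
    if (run->nfree == 0) return NULL;
    unsigned idx = 0;
    while (!(run->regs_mask & (1u << idx))) idx++;
    run->regs_mask &= ~(1u << idx);
    run->nfree--;
    return run->regions + (size_t)idx * REGION_SIZE;
}

/* Free: set the bit again. No list pointers are unlinked, so classic
 * unlink() write-what-where tricks have nothing to work on. */
static void run_free(toy_run_t *run, void *p) {
    unsigned idx = (unsigned)(((uint8_t *)p - run->regions) / REGION_SIZE);
    run->regs_mask |= 1u << idx;
    run->nfree++;
}

static int region_index(const toy_run_t *run, const void *p) {
    return (int)(((const uint8_t *)p - run->regions) / REGION_SIZE);
}

/* Adjacent memory overwrite: two allocations of the same size class land
 * in neighbouring regions, and a linear overflow of the first one writes
 * straight into the second, with no heap metadata in between to trip on.
 * Returns 1 when the victim's contents were replaced by attacker data. */
static int demo_adjacent_overwrite(void) {
    toy_run_t run;
    run_init(&run);
    char *attacker = run_alloc(&run);
    char *victim   = run_alloc(&run);
    memset(victim, 'V', REGION_SIZE);
    memset(attacker, 'A', REGION_SIZE * 2);   /* deliberate 16-byte overflow */
    return victim == attacker + REGION_SIZE && victim[0] == 'A'
           && victim[REGION_SIZE - 1] == 'A';
}

/* Deterministic reuse: freeing a low region makes it the next allocation
 * of that size class, which is what heap manipulation builds on. */
static int demo_reuse_lowest_free(void) {
    toy_run_t run;
    run_init(&run);
    void *a = run_alloc(&run);
    void *b = run_alloc(&run);
    void *c = run_alloc(&run);
    run_free(&run, b);                 /* hole at region 1 */
    void *d = run_alloc(&run);         /* lowest free bit is region 1 */
    (void)a; (void)c;
    return d == b && region_index(&run, d) == 1;
}

/* Number of allocations a fresh run serves before returning NULL. */
static int count_allocations(void) {
    toy_run_t run;
    run_init(&run);
    int n = 0;
    while (run_alloc(&run) != NULL) n++;
    return n;
}

int main(void) {
    printf("adjacent overwrite reaches victim: %d\n", demo_adjacent_overwrite());
    printf("freed low region reused first:     %d\n", demo_reuse_lowest_free());
    printf("regions served by one run:         %d\n", count_allocations());
    return 0;
}
```

The point to carry over to real jemalloc is that the allocator places nothing between regions, so the two things an attacker controls in a heap overflow are the size class of the overflowing object (which run it lands in) and the allocation sequence (which neighbour it gets); the run header itself sits at the start of the run and is the target of the run header corruption technique.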
Syllabus
Intro
Outline
jemalloc flavors... yummy
SMP systems & multithreaded applications
jemalloc overview
Central concepts
jemalloc basic design
Chunks (arena_chunk_t)
Runs (arena_run_t)
Regions
Region size classes
Bins (arena_bin_t)
Architecture of jemalloc
Allocation algorithm
No unlinking, no frontlinking
Exploitation techniques
Adjacent memory overwrite
Run header corruption
OS X and gdb/Python
unmask_jemalloc
Firefox heap manipulation
CVE-2011-3026
The vulnerability
Mitigations
Redzone
Concluding remarks
Acknowledgements
References
Taught by
Black Hat