Exploiting the Jemalloc Memory Allocator - Owning Firefox's Heap

Black Hat via YouTube

Overview

Explore the intricacies of exploiting the jemalloc memory allocator in this Black Hat USA 2012 conference talk. Delve into the architecture and internal concepts of jemalloc, a high-performance heap manager used in Mozilla Firefox, FreeBSD, NetBSD, and various Facebook components. Discover novel exploitation approaches and primitives for attacking jemalloc heap corruption vulnerabilities, with a focus on Mozilla Firefox as a case study. Learn about jemalloc's design, including chunks, runs, regions, and bins, as well as its allocation algorithm. Examine exploitation techniques such as adjacent memory overwrite and run header corruption, and gain insights into Firefox heap manipulation using CVE-2011-3026 as an example. Benefit from the speakers' jemalloc debugging tool belt, released to aid further research in this area.

Syllabus

Intro
Outline
jemalloc flavors... yummy
SMP systems & multithreaded applications
jemalloc overview
Central concepts
jemalloc basic design
Chunks (arena_chunk_t)
Runs (arena_run_t)
Regions
Region size classes
Bins (arena_bin_t)
Architecture of jemalloc
Allocation algorithm
No unlinking, no frontlinking
Exploitation techniques
Adjacent memory overwrite
Run header corruption
OS X and gdb/Python
unmask_jemalloc
Firefox heap manipulation
CVE-2011-3026
The vulnerability
Mitigations
Redzone
Concluding remarks
Acknowledgements
References

Taught by

Black Hat
