Explore the evolution of heap exploitation mitigations from Windows 7 to Windows 8 in this Black Hat USA 2012 conference talk. Delve into the intricate workings of the Windows memory manager, covering allocation processes, deallocation mechanisms, and newly implemented heap-related security features in Windows 8. Gain insights into achieving high levels of heap determinism through expert tips and tricks. Examine both user-land and kernel-land perspectives, analyzing front-end and back-end mitigations, randomization techniques, and various attack vectors. Learn about specific topics such as UserBlocks, Bitmap Flipping 2.0, Pool Types, NX Pool Descriptors, and Safe Unlinking in Windows 8. Understand the implications of these changes for both user-land and kernel-land exploitation techniques.
Overview
Syllabus
Intro
Windows 8 Back-end (cont.)
Back-end Mitigation II
Windows 8 Randomization
Windows 8 Front-End Allocation III UserBlocks
Win 7 vs Win 8 Allocation
Windows 8 Front-End Mitigation III
Windows Front-End Mitigation IV
Bitmap Flipping 2.0
_HEAP_USERDATA_HEADER Attack
Pool Types
Pool Header
Windows 8 Kernel Pool
NX Pool Descriptor
Kernel Pool Cookie
Windows 8 Pool Cookie Initialization
Boot Entropy
Process Pointer Attack
Process Pointer Encoding
Lookaside Pointer Attacks
Lookaside Pointer Encoding
Cache Aligned Allocations
Cache Aligned Allocation Cookie
Safe Unlinking
Safe (Un)linking in Windows 8
Poolindex Attack
Summary
Block Size Attacks
BlockSize/Previous Size
BlockSize Attack Steps
Split Chunk Pool Allocation
Split Fragment Attack Steps
Determinism
User Land Closing Notes
Kernel Pool Closing Notes
Taught by
Black Hat
