Windows 10 Segment Heap Internals

Black Hat via YouTube

Overview

Explore the internals of Windows 10 Segment Heap in this 42-minute Black Hat conference talk by Mark Vincent Yason. Dive deep into the architecture, configuration, and security mechanisms of this native heap used in Windows app processes and Microsoft Edge. Learn about backend page range descriptors, variable size allocations, low fragmentation heap, and various security features like heap address randomization and guard pages. Gain insights into exploiting memory corruption vulnerabilities, demonstrated through a case study of the Microsoft WinRT PDF library (CVE-2016-0117). Understand the implications for reliable exploit development in Edge components and dependencies using Segment Heap.

Syllabus

Intro
Agenda: Windows 10 Segment Heap
Architecture
Configuration
Edge Content Process Heaps
Backend Page Range Descriptors Example
Backend Free Tree
Variable Size (VS) Allocation
VS Subsegment
VS Block Header
VS Free Tree
VS Allocation and Freeing
Low Fragmentation Heap (LFH)
LFH Buckets
LFH Affinity Slots
LFH Block Bitmap
LFH Allocation and Freeing
Internals: Summary
Heap Address Randomization
Guard Pages
Function Pointer Encoding
VS Block Sizes Encoding
LFH Allocation Randomization
WinRT PDF: PostScript Operand Stack
Free Blocks Coalescing
Case Study: Summary
Conclusion

Taught by

Black Hat
