Understanding the Low-Fragmentation Heap: From Allocation to Exploitation

Black Hat USA 2010

Presented by: Christopher Valasek
Date: Thursday July 29, 2010
Time: 15:15 - 16:30
Location: Augustus 1+2
Track: Exploitation

Over the years, heap exploitation has continued to increase in difficulty, along with the complexity of heap algorithms and data structures. Due to anti-exploitation countermeasures and a lack of comprehensive heap knowledge, reliable exploitation has severely declined. An understanding of the inner workings of a memory manager can be the difference between unreliable failure and precise exploitation.

Beginning with Vista, the Low-Fragmentation Heap has been the default front-end memory manager for the Windows operating system. This new front-end manager brought with it a different set of data structures and algorithms that replaced the lookaside list. This new system also changed the way back-end memory management works. All of this material must be reviewed to understand the repercussions of creating and destroying objects within an application on Windows 7.

This talk covers the following:

While Windows XP still has a grasp on the total market share of machines on the internet today, Windows 7 will increasingly replace this now aging operating system. Knowledge of these new memory constructs is vital to providing reliable exploitation in an unreliable environment.

The main goal of this presentation will be to educate the audience on what has changed in newer versions of Windows with regard to the memory manager. Not only will the changes be discussed, but they will be covered in great detail, providing attendees high-granularity insight into the core of the Windows operating system. By understanding the algorithmic changes, exploitation challenges can be more easily overcome, and knowledge of the internal data structures will provide exploit writers the details they require for manipulating objects.

Specifically, new data structures such as LFH ‘UserBlocks’, ‘BlocksIndex’ and ‘SubSegments’ will be discussed to show how the front-end manager keeps track of memory. Additionally, functions such as ‘RtlpLowFragHeapFree()’ and ‘RtlpLowFragHeapAllocFromContext()’ will be thoroughly investigated, providing the audience the exact context of allocations and frees. Along with analysis of current methods, I will also examine new countermeasures introduced in Windows Vista / Windows 7.

Once the attendees have been provided knowledge of the underlying algorithms and data structures, I will then cover aspects of heap determinism. These will focus on seeding data within the heap for exploitation purposes. Data population is necessary for exploitation of use-after-free vulnerabilities, and adjacent placement of heap chunks is required for overwriting selected data.

Finally, I will be presenting an example exploit, lending practicality to the previously discussed material. This will be coupled with some newly created heap visualization tools providing greater vision into the Low-Fragmentation Heap. Hopefully all this information can be used to fully comprehend the new memory manager and ensure reliable exploitation against all odds.

Christopher Valasek

IBM X-Force

Chris Valasek is a security researcher on IBM X-Force’s Advanced Research and Development team. He specializes in vulnerability analysis and exploitation, specifically in the area of the Windows heap. While not avoiding work, he continues to work on long-term research projects in varying areas of computer security. He is also the current organizer/playboy of SummerCon (http://www.summercon.org), the nation’s oldest hacker conference.
