Windows 10 Segment Heap Internals

Black Hat USA 2016

Presented by: Mark Vincent Yason
Date: Thursday August 04, 2016
Time: 09:45 - 10:35
Location: South Seas CDF

Introduced in Windows 10, Segment Heap is the native heap used in Windows app (formerly called Modern/Metro app) processes and certain system processes. This heap is an addition to the well-researched and widely documented NT heap that is still used in traditional application processes and in certain types of allocations in Windows app processes.

One important aspect of the Segment Heap is that it is enabled for Microsoft Edge, which means that components/dependencies running in Edge that do not use a custom heap manager will use the Segment Heap. Therefore, reliably exploiting memory corruption vulnerabilities in these Edge components/dependencies would require some level of understanding of the Segment Heap.

In this presentation, I'll discuss the data structures, algorithms and security mechanisms of the Segment Heap. Knowledge of the Segment Heap is also applied by discussing and demonstrating how a memory corruption vulnerability in the Microsoft WinRT PDF library (CVE-2016-0117) is used to create a reliable write primitive in the context of the Edge content process.

Mark Vincent Yason

Mark Vincent Yason is a security researcher on IBM's X-Force Advanced Research team. Mark's current focus areas are browser-based vulnerability/exploit research, browser exploit kits research, and advanced malware research. He authored the papers 'The Art of Unpacking,' 'Diving Into IE 10's Enhanced Protected Mode Sandbox,' and 'Understanding the Attack Surface and Attack Resilience of Project Spartan's New EdgeHTML Rendering Engine'. He co-authored the papers 'Reversing C++,' 'Playing In The Reader X Sandbox,' and 'Digging Deep Into The Flash Sandboxes', all of which were previously presented at Black Hat.
