ENPM809V

Dynamic Memory Vulnerabilities

Today's Lesson

Objective: Memory Allocator/Heap Vulnerabilities
- Learn about different areas in memory
- The Dangers of Heap
- Memory Allocators and Their Vulnerabilities
- Exploiting Memory Allocators

Review: ELF Regions of Memory

ELF .text: where the code lives
ELF .plt: where library function stubs live
ELF .got: where pointers to imported symbols live
ELF .bss: used for uninitialized global writable data (such as global arrays without initial values)
ELF .data: used for pre-initialized global writable data (such as global arrays with initial values)
ELF .rodata: used for global read-only data (such as string constants)
stack: local variables, temporary storage, call stack metadata

Stack Vs Heap

stack: local variables, temporary storage, call stack metadata
heap: long-lasting dynamically allocated memory

Stack data lasts per function while heap memory is there until freed.

Kernel Space

Stack

Memory Mapping Region

Heap

BSS Segment

Data Section

Text Segment (ELF)

...

Dynamic Memory Handling

The Basics

Dynamic memory is synonymous with the heap of a program
C Programmers use functions like malloc and realoc to allocate memory while the program is running.
- Not possible with the stack.

Caveats

All dynamically allocated memory must be freed by the program
Any memory not freed is considered leaked
Dynamically allocated memory is referenced by pointers
- Meaning we can access memory that has been freed.

Heap Implementations

There are many different implementations that use different algorithms
- Goal is to either make it faster or more secure
They all have some constant concepts:
- Chunks - Allocations of the heap
- Bins - Linked lists of free chunks.
  - To make it faster to reallocate memory of the same size
  - Each bin is of the same size

Goal of Heap Implementations

Per the original malloc() author here:
Maximizing Compatibility
Maximizing Portability
Minimizing Space
Minimizing Time
Maximizing Tunability
Maximizing Locality
Maximizing Error Detection

What is a chunk?

A structure containing metadata and data that the user dynamically allocated
- Multiple chunks form a linked list
  - Each chunk points to the next chunk
  - Chunk structure may vary based on chunk size

What is a chunk?

Common Dynamic Allocators

malloc() - allocate some memory
- Based on ptmalloc
free() - free an allocated memory chunk
realloc() - change the size of an allocated memory chunk
calloc() - allocate and zero-out memory chunk.

For Linux, use the GNU Libc implementation

Ideas for Getting Heap Memory

mmap()
- Dynamically allocate pages of memory (4096 bytes)
- Requires Kernel Involvement
- System call

Potentially create a dynamic allocation around it, but not ideal.

Various Dynamic Allocators Implementations

dlmalloc() - First Dynamic allocator release by Doug Lea
ptmalloc() - POSIX Thread aware fork of dlmalloc
jemalloc() - FreeBSD, FireFox, and Android
Segment Heap and NT Heap - Windows
Kernel Allocators
- kmalloc

Let's Focus on ptmalloc

ptmalloc() does not use mmap
Uses the GNU Allocator in Libc
Utilizes the Data Segment to dynamically allocate memory
- Historic Oddity
Managed by the brk and sbrk system calls

Note: Only for small allocations. For large allocations, it uses mmap.

Dangers of the Heap

Developer Mindset for Building Dynamic Allocators

Allocator Developers focus on speed over security
Create optimizations with unintended consequences
- Security researchers then create exploits
- After unintended consequences are exploited, patches are applied

Non-Allocator Vulnerabilities

Forgetting to free memory
- DDOS, system crashing, resource exhaustion
Forgetting memory was already freed
- Using freed memory
- Double Free
Heap buffer overflow
Corrupting metadata used to trach state
- tcache poisoning (will get to soon)

How Can This be Vulnerable?

int main()
{
    char *some_data = malloc(256);
    scanf("%s", some_data);
    printf("%s\n", some_data);

    char really_long_string[512] = {'A'}
    strncpy(
    	some_data,
    	really_long_string,
        strnlen(really_long_string, 512)); 
    
    free(some_data); 

    return 0;
}

int main()
{
    char *some_data = malloc(256);
    scanf("%s", some_data);
    printf("%s\n", some_data);
    
    // Make sure it is freed. 
    free(some_data); 
    
    scanf("%s", some_data);
    
    if (strncmp(some_data, PASSWORD, 256))
    {
    	printf("I am authenticated\n"); 
    }
    
    return 0;
}

int main()
{
    char *some_data = malloc(256);
    scanf("%s", some_data);
    printf("%s\n", some_data);
    /* You put code here */ 
    
    /* End of your code */ 
    return 0;
}

int main()
{
    char *some_data = malloc(256);
    scanf("%s", some_data);
    printf("%s\n", some_data);

    free(some_data);    
    free(some_data); 

    return 0;
}

Use After Free

What is it?

Anytime memory gets used after it has been freed.
Can produced undefined behavior in a program
- Can use memory that is reallocated
- Can cause the program to crash
Why is this case?
- The memory in question can be allocated by another program.

Use After Free

int vuln()
{
	char *buffer; 
    int size = 0; 
  	printf("Size of buffer: ");
    scanf("%d", &size);
    
    // Allocating Memory
    buffer = malloc(size); 
   	printf("Input: "); 
    scanf("%s", buffer);
  	printf("%s\n", buffer); 
    
    // What happens here?
    free(buffer);
    printf("Print again: %s\n", buffer); 
    
    return 0;
}

int vuln()
{
	char *buffer; 
    int size = 0; 
  	printf("Size of buffer: ");
    scanf("%d", &size);
    
    // Allocating Memory
    buffer = malloc(size); 
   	printf("Input: "); 
    scanf("%s", buffer);
  	printf("%s\n", buffer); 
    
    // What happens here?
    free(buffer);
    buffer = NULL;
    
    printf("Print again: %s\n", buffer); 
    
    return 0;
}

Heap-Overflow

The same as a buffer overflow, except we are doing it in the heap.
We use this to manipulate data or pointers in dynamic memory
- If a function calls a function pointer
- Changing the value of a variable

Classwork/Demo

Double Free

int vuln()
{
	char *buffer; 
    int size = 0; 
  	printf("Size of buffer: ");
    scanf("%d", &size);
    
    // Allocating Memory
    buffer = malloc(size); 
   	printf("Input: "); 
    scanf("%s", buffer);
  	printf("%s\n", buffer); 
    
    // What happens here?
    free(buffer);
    free(buffer);
    
    return 0;
}

Double Free

Causes a write what where exploit which allows you to do arbitrary writes
- Allows us to change registers and important data
- Especially valuable for binning/heap allocator vulnerabilities

Metadata

Per Chunk Metadata

Also generated by ptmalloc
Tracks addresses that are allocated
malloc(x) returns the memory address, but ptmalloc tracks the size (and previous size)
- prev_size is not used by tcache
- the last three bytes of size are flags
  - Bit 0: PREV_IN_USE
  - Bit 1: IS_MMAPPED
  - Bit 2: NON_MAIN_ARENA

unsigned long mchunk_prev_size;

unsigned long mchunk_size;

Dynamically Allocated Memory Chunk

chunk_addr

mem_addr:

prev_size

size

a[0]

a[1]

size

b[0]

b[1]

chunk1: int *a = malloc(0x8)

chunk1: int *b = malloc(0x8)

Per Chunk Metadata Overlapping

Note: Only applies if PREV_INUSE flag is set

prev_size

size

a[0]

a[1]

size

b[0]

b[1]

chunk1: int *a = malloc(0x8)

chunk1: int *b = malloc(0x8)

Per Chunk Metadata Overlapping

Note: Only applies if PREV_INUSE flag is set

What about being freed?

unsigned long mchunk_prev_size;

unsigned long mchunk_size;

Dynamically Allocated Memory Chunk

b[1]

unsigned long mchunk_prev_size;

unsigned long mchunk_size;

Cache-Specific Metadata

Bins

What are they?

Bins are chunks of freed memory of similar size so that they can be quickly be re-used.
They are put in as the very last step if all else fails during the free process.

What are the steps for freeing?

If the chunk has the M bit set in the metadata, the allocation was allocated off-heap and should be munmaped.
Otherwise, if the chunk before this one is free, the chunk is merged backwards to create a bigger free chunk.
Similarly, if the chunk after this one is free, the chunk is merged forwards to create a bigger free chunk.
If this potentially-larger chunk borders the “top” of the heap, the whole chunk is absorbed into the end of the heap, rather than stored in a “bin”.
Otherwise, the chunk is marked as free and placed in an appropriate bin.

Implementations

Multiple Implementations
- Small Bins, Large Bins, Fast Bins, Tcache (per-thread)
Each have their own benefits and drawbacks
Generally implemented as a linked list

Unoptimized Bins

Unsorted, Small and Large bins are the unopimized version of the heap-manager binning system.
Each contain various sizes of freed chunks
Simple implementation, bins shared by all processes/threads

Small/Large Bins

Small bins
- Stores up to 512/1024 byte chunks (32/64 bit systems)
- 62 total bins
Large Bins
- Stores chunks greater than 512/1024 bytes (32/64 bit systems)
- 63 total bins
Small/Large bins can be merged together to free up bins

Bin #

prev_size

Chunk Size

FD Pointer

BK Pointer

Unused Space

prev_size

Chunk Size

FD Pointer

BK Pointer

Unused Space

Small/Large Bins

This is incredibly useful because we have a pre-ordered
Differences:
- Small bins are binned based on exact size
- Large bins are based on size range

Bin #

prev_size

Chunk Size = 10

FD Pointer

BK Pointer

Unused Space

prev_size

Chunk Size = 10

FD Pointer

BK Pointer

Unused Space

Unsorted Bin

Optimization by the heap manager
Based on the observation that many frees are followed by allocations of similar sizes
Saves time from putting chunks in the correct bin

Bin #

prev_size

Chunk Size = 10

FD Pointer

BK Pointer

Unused Space

prev_size

Chunk Size = 64

FD Pointer

BK Pointer

Unused Space

Fast Bins

A further optimization of the previous binning strategies
Keeps recently released small chunks on a fast turnaround queue.
- Only 10 such fast bins of sizes 16 through 80 (incrementing by 8).
Bins are never merged by their neighbors
Cons: Fast-Bins are never truly freed/merged with other bins

Bin #

prev_size

Chunk Size = 10

FD Pointer

BK Pointer

Unused Space

prev_size

Chunk Size = 64

FD Pointer

BK Pointer

Unused Space

Credit to pwn.college

More Informatioon

https://azeria-labs.com/heap-exploitation-part-2-glibc-heap-free-bins

tcache

What is tacache?

Definition: Thread-Local-Caching
Used in ptmalloc to speed up small-repeated allocations in a single thread
Implemented in a singly-linked list
- Each thread has its own list of headers containing metadata about the memory regions

What is tacache?

typedef struct tcache_perthread_struct
{
  char counts[TCACHE_MAX_BINS];
  tcache_entry *entries[TCACHE_MAX_BINS];
} tcache_perthread_struct;

typedef struct tcache_entry
{
  struct tcache_entry *next;
  struct tcache_perthread_struct *key;
} tcache_entry;

Example In Use

a = malloc(16);
b = malloc(16);
c = malloc(32);
d = malloc(32);

free(b);
free(a);
free(c);
free(d);

tcache_perthread_struct -- Mike

counts:

entries:

count_16 = 0

count_32 = 0

entry_16 = NULL

entry_32 = NULL

tcache entry B

next: NULL

Key: NULL

tcache entry C

next: NULL

Key: NULL

tcache entry A

next: NULL

Key: NULL

tcache entry D

next: NULL

Key: NULL

Example In Use

a = malloc(16);
b = malloc(16);
c = malloc(32);
d = malloc(32);

free(b);
free(a);
free(c);
free(d);

tcache_perthread_struct -- Mike

counts:

entries:

count_16 = 1

count_32 = 0

entry_16 = B

entry_32 = NULL

tcache entry B

next: NULL

Key: Mike

tcache entry C

next: NULL

Key: NULL

tcache entry A

next: NULL

Key: NULL

tcache entry D

next: NULL

Key: NULL

Example In Use

a = malloc(16);
b = malloc(16);
c = malloc(32);
d = malloc(32);

free(b);
free(a);
free(c);
free(d);

tcache_perthread_struct -- Mike

counts:

entries:

count_16 = 2

count_32 = 0

entry_16 = B

entry_32 = NULL

tcache entry B

next: A

Key: Mike

tcache entry C

next: NULL

Key: NULL

tcache entry A

next: NULL

Key: Mike

tcache entry D

next: NULL

Key: NULL

Example In Use

a = malloc(16);
b = malloc(16);
c = malloc(32);
d = malloc(32);

free(b);
free(a);
free(c);
free(d);

tcache_perthread_struct -- Mike

counts:

entries:

count_16 = 2

count_32 = 1

entry_16 = B

entry_32 = C

tcache entry B

next: A

Key: Mike

tcache entry C

next: NULL

Key: Mike

tcache entry A

next: NULL

Key: Mike

tcache entry D

next: NULL

Key: NULL

Example In Use

a = malloc(16);
b = malloc(16);
c = malloc(32);
d = malloc(32);

free(b);
free(a);
free(c);
free(d);

tcache_perthread_struct -- Mike

counts:

entries:

count_16 = 2

count_32 = 2

entry_16 = B

entry_32 = C

tcache entry B

next: A

Key: Mike

tcache entry C

next: D

Key: Mike

tcache entry A

next: NULL

Key: Mike

tcache entry D

next: NULL

Key: Mike

What is actually happening on Free?

tcache selects the right bin to put the freed memory
- Based on size
Ensures that the entry hasn't been freed already
- Prevent double frees
Put the freed memory into it's proper list
Record it inside of the tcache_perthread_struct

How do we retrieve a cached memory chunk?

Choose the bin based on size of chunk requested
Check to see if there areany entries
If there are entries, reuse them

What is not done?

Clearing all sensitive pointers (only key is cleared)
Checking if the next address makes sense

Example In Use

a2 = malloc(16);
b2 = malloc(16);
c2 = malloc(32);
d2 = malloc(32);

tcache_perthread_struct -- Mike

counts:

entries:

count_16 = 2

count_32 = 2

entry_16 = B

entry_32 = C

tcache entry B

next: A

Key: Mike

tcache entry C

next: D

Key: Mike

tcache entry A

next: NULL

Key: Mike

tcache entry D

next: NULL

Key: Mike

Example In Use

a2 = malloc(16);
b2 = malloc(16);
c2 = malloc(32);
d2 = malloc(32);

tcache_perthread_struct -- Mike

counts:

entries:

count_16 = 1

count_32 = 2

entry_16 = A

entry_32 = C

tcache entry B

next: NULL

Key: NULL

tcache entry C

next: D

Key: Mike

tcache entry A

next: NULL

Key: Mike

tcache entry D

next: NULL

Key: Mike

Example In Use

a2 = malloc(16);
b2 = malloc(16);
c2 = malloc(32);
d2 = malloc(32);

tcache_perthread_struct -- Mike

counts:

entries:

count_16 = 0

count_32 = 2

entry_16 = NULL

entry_32 = C

tcache entry B

next: NULL

Key: NULL

tcache entry C

next: D

Key: Mike

tcache entry A

next: NULL

Key: NULL

tcache entry D

next: NULL

Key: Mike

Example In Use

a2 = malloc(16);
b2 = malloc(16);
c2 = malloc(32);
d2 = malloc(32);

tcache_perthread_struct -- Mike

counts:

entries:

count_16 = 0

count_32 = 1

entry_16 = NULL

entry_32 = D

tcache entry B

next: NULL

Key: NULL

tcache entry C

next: NULL

Key: NULL

tcache entry A

next: NULL

Key: NULL

tcache entry D

next: NULL

Key: Mike

Example In Use

a2 = malloc(16);
b2 = malloc(16);
c2 = malloc(32);
d2 = malloc(32);

tcache_perthread_struct -- Mike

counts:

entries:

count_16 = 0

count_32 = 0

entry_16 = NULL

entry_32 = NULL

tcache entry B

next: NULL

Key: NULL

tcache entry C

next: NULL

Key: NULL

tcache entry A

next: NULL

Key: NULL

tcache entry D

next: NULL

Key: NULL

Exploiting Bins

Bin Exploitation

Bin Exploitation come and go based on version of Libc
- The one for the homework is for < version LIBC 2.29
They are based on the core heap-based vulnerabilities
- Double Free
- Use After Free
- Etc.

Consolidation/Moving Between Bins

A correctly sized malloc can change which bins a chunk is located
- Cause Consolidation by moving from unsorted to small/large bin, clearing fast bins
- Move from small bin into tcache
- etc.

Fake Chunks

Carefully creating a region of memory with heap-metadata in it can trick the heap allocator to think it's another chunk of memory!

Depends on specifics of the program (and sometimes LIBC too)
Can result in broken heap

Fake Chunks

What are some things we might need to include in the metadata structure?

Might need a prev chunk pointer
Might need a prev_size value
All depends on what the implementation of the meatdata is like

Homework

Memory Corruption in the Heap

Various in-class heap-based exploitation
- Overwriting Heap Data
- Bin poisoning

Additional Resources

Azeria Labs
How2Heap
Pwn College
- Dynamic Allocator Misuse
- Dynamic Allocator Exploitation