Agustin Gianni (Immunity)

Attacking the Webkit Heap

WebKit provides the backbone for an increasing number of web browsers, including Safari, Chrome and the Android browser. Within these browsers it is coupled with the TCMalloc allocator to manage dynamic memory allocation. This common combination means that an understanding of WebKit heap manipulation techniques and of TCMalloc's heap management algorithms and structures is very useful for reliable exploit development. In this talk we will explain the TCMalloc allocator from the point of view of heap manipulation and exploitation.

We will discuss techniques for crafting its internal layout accurately through WebKit's JavaScript engine with the aim of setting up the heap for exploitation. Due to the similarities across browsers this information is quite portable and will provide base primitives for exploit development.
As is often the case with custom heap allocators, TCMalloc has far weaker (or entirely absent) protections than those offered by the core Windows, Linux or OS X allocators.
Finally, in an illustration of exploit dev necromancy, we will plunder TCMalloc and resurrect some of your favourite exploitation strategies from allocators past.

About Agustin Gianni

Agustin is a security researcher with Immunity. His primary interests are system programming, reverse engineering and exploit development. Before joining Immunity, Agustin was an independent researcher and developed tools related to network security and reverse engineering.
