Linux Heap Exploitation

Event Information

Location

InfoSect

U2 / 9 Beaconsfield Street

Fyshwick, ACT 2609

Australia

Event description

This 3-day course gives an in-depth examination of the current Linux heap allocator (ptmalloc2) in the context of exploit development. The lectures and labs will look at numerous ways to misuse the allocator on the latest versions of glibc in Ubuntu 19.04 and Ubuntu 18.04 LTS.

To achieve these attacks we will have detailed examinations of the main heap structures including the tcache, the bins, malloc chunks, and arenas.

These attacks will be used to gain such primitives as:

  • Having malloc return an arbitrary pointer
  • Having allocated chunks overlap each other
  • Returning the same allocated memory
  • Having calloc return uninitialised memory
  • Leaking the libc base and other sensitive information

We will cover topics such as:

  • Poisoning the tcache
  • Use after frees
  • Double frees in the tcache and fast bins
  • House of Spirit
  • House of Force (Ubuntu 18.04 LTS)
  • Poisoning the fast bins
  • Grooming the heap for the above attacks
  • And more…

For a modern view of heap exploitation, this is a valuable course to attend.

Course Objectives

To learn and demonstrate attacks on the current Linux heap allocator to gain exploitation primitives.

Training Outcomes

  • Demonstrate understanding of the heap data structures
  • Demonstrate debugging heap data structures
  • Demonstrate attacks against the heap

Who Should Attend?

  • Developers
  • IT Professionals
  • Embedded Developers
  • OS Developers
  • Penetration Testers
  • Software Security Auditors/Analysts
  • Vulnerability Researchers
  • Software Exploitation Developers
  • Anyone else interested

About the Trainer

Dr Silvio Cesare is the Managing Director at InfoSect. He has worked in technical roles and been involved in computer security for over 20 years. This period includes time in Silicon Valley in the USA, France, and Australia. He has worked commercially in both defensive and offensive roles within engineering. He has reported hundreds of software bugs and vulnerabilities in operating system kernels. He was previously the Director for Education and Training at UNSW Canberra Cyber, ensuring quality content and delivery. In his early career, he was the scanner architect and a C developer at Qualys. He is also the co-founder of BSides Canberra – Australia’s largest cyber security conference. He has a Ph.D. from Deakin University, has published within industry and academia, is a 4-time Black Hat speaker, has gone through academic research commercialisation, and has authored a book (Software Similarity and Classification, published by Springer).

What to Bring

  • All materials are provided by InfoSect

What Will be Provided?

  • Laptops for class use
  • Coil bound lecture materials
  • Catering provided.
  • Access to VMs with laboratories
  • InfoSect Swag

Participant Skillset

Students taking Linux Heap Exploitation should have an intermediate C development background. They should have hands-on experience in:

  • C Coding Experience
  • Linux

InfoSect’s Code Review course is a suitable prerequisite.

Class Syllabus **

Day 1

  1. Heap Misuse
  2. Control Flow Hijacking
  3. Heap Data Structures
  4. Debugging
  5. TCache Poisoning
  6. TCache Double Free
  7. Fast Bin Double Free

Day 2

  1. Overlapping Chunks
  2. Calloc I
  3. Calloc II
  4. House of Force
  5. Double Free Mitigation Bypass

Day 3

  1. TCache House of Spirit
  2. Fast Bin Poisoning I
  3. Fast Bin Poisoning II
  4. Unsorted Bin Libc Base Leak

** subject to changes
