Exploiting the Jemalloc Memory Allocator - Owning Firefox's Heap

Black Hat via YouTube

Overview

This course aims to teach learners how to exploit the jemalloc memory allocator, particularly focusing on attacking Firefox's heap. The learning outcomes include understanding the architecture of the jemalloc heap manager, identifying attack vectors, developing exploitation approaches and primitives, and demonstrating the impact of these techniques on Mozilla Firefox. The course covers topics such as jemalloc flavors, SMP systems, chunks, runs, regions, bins, allocation algorithm, exploitation techniques like adjacent memory overwrite and run header corruption, as well as debugging tools. The teaching method involves a case study on Mozilla Firefox and releasing a jemalloc debugging tool belt. This course is intended for researchers interested in memory exploitation, security professionals, and individuals looking to deepen their understanding of heap manipulation vulnerabilities.

Syllabus

Intro
Outline
jemalloc flavors... yummy
SMP systems & multithreaded applications
jemalloc overview
Central concepts
jemalloc basic design
Chunks (arena_chunk_t)
Runs (arena_run_t)
Regions
Region size classes
Bins (arena_bin_t)
Architecture of jemalloc
Allocation algorithm
No unlinking, no frontlinking
Exploitation techniques
Adjacent memory overwrite
Run header corruption
OS X and gdb/Python
unmask_jemalloc
Firefox heap manipulation
CVE-2011-3026
The vulnerability
Mitigations
Redzone
Concluding remarks
Acknowledgements
References

Taught by

Black Hat
