Windows 8 Heap Internals (Slides)

Sep 19, 2018


  • Windows 8 Heap Internals

  • INTRODUCTION

  • Who

    Chris Valasek (@nudehaberdasher), Sr. Research Scientist, Coverity

    Tarjei Mandt (@kernelpool), Vulnerability Researcher, Azimuth Security

  • What

    Windows 8 Release Preview: heap manager specifics, exploitation techniques for the Windows 8 heap, prerequisite reading

    Understanding the LFH: http://illmatics.com/Understanding_the_LFH.pdf and http://illmatics.com/Understanding_the_LFH_Slides.pdf

    Modern Kernel Pool Exploitation: http://www.mista.nu/research/kernelpool_infiltrate2011.pdf

    Kostya, Hawkes, Halvar, McDonald, Moore, etc.

  • Why

    Learn how the Heap Manager and Kernel Pool Allocator work (in detail). PLEASE read the paper if you want full details; this presentation just touches the surface.

    Heap exploits that worked on Windows 7 will most likely NOT work on Windows 8.

    Let's find out why.

  • User Land Back End

  • Windows 8 Backend

    Slightly modified version of the Windows 7 backend [RtlpAllocateHeap()]

    Mitigations:
    1. Freeing of _HEAP structures is prohibited (R.I.P. Ben Hawkes' tech)
    2. Virtually allocated chunks now have randomized locality/size

  • Windows 8 Backend (cont.)

  • Backend Mitigation I

    Prevents the freeing and subsequent allocation of a _HEAP structure in RtlpFreeHeap(). https://www.lateralsecurity.com/downloads/hawkes_ruxconnov2008.pdf

    Although the direct overwriting can still occur, it is unlikely.

    Same holds true for RtlpReAllocateHeap()

  • Backend Mitigation I (cont.)

    RtlpFreeHeap(_HEAP *heap, DWORD flags, void *header, void *mem)
    {
        ...
        // refuse to free a chunk whose header is the _HEAP structure itself
        if (heap == header) {
            RtlpLogHeapFailure(9, heap, header, 0, 0, 0);
            return 0;
        }
        ...
    }

  • Backend Mitigation II

    Chunks that exceed the VirtualMemoryThreshold will be serviced by NtAllocateVirtualMemory()

    Previously, the allocations occurred with a potential for semi-predictable locations and sizes

    Changes have been made to add a random offset to the base address when allocating large chunks in RtlpAllocateHeap()

    Hope to encapsulate the virtual chunk in inaccessible memory (MEM_RESERVE)

    Note: If safe linking fails the application will only terminate if HeapTerminateOnCorruption has been set via HeapSetInformation(), otherwise the chunk is NOT linked in but still RETURNED

  • Backend Mitigation II

    // VirtualMemoryThreshold set to 0x7F000 in CreateHeap()
    int request_size = Round(request_size);
    int block_size = request_size / 8;
    if (block_size > heap->VirtualMemoryThreshold) {
        // random offset applied to the base address of the virtual allocation;
        // the rest of the expression is cut off on the slide
        int rand_offset = (RtlpHeapGenerateRandomValue32() & 0xF) ...

  • User Land Front End

  • Windows 8 Front End

    Major changes to allocation and free algorithms and moderate changes to integral data structures

    RtlpLowFragHeapAllocFromContext() will not be a matched function by BinDiff between Windows 7 and Windows 8

    Mostly the same data structures, but offsets and members have changed a bit

  • Windows 8 Front End Mitigations

    1. Front End Activation: dedicated counters/index instead of ListHint->Blink; FrontEndHeapUsageData[] (see paper)
    2. Front End Allocation: FreeEntryOffset removed; non-deterministic allocations
    3. FastFail: RtlpLowFragHeapAllocFromZone() implements fast fail; also additional checking compared to Windows 7
    4. Guard Pages
    5. Arbitrary Free Mitigation
    6. Exception Handling Removal

  • Windows 7 Front End

  • Windows 7 Front End Allocation 0

  • Windows 7 Front End Allocation I

  • Windows 7 Front End Allocation II

  • Windows 7 Front End Allocation III

  • Windows 8 Front End

  • Windows 8 Randomization

    RtlpLowFragHeapRandomData is initialized from RtlpCreateLowFragHeap and SlotIndex is updated on _HEAP_SUBSEGMENT creation [RtlpSubSegmentInitialize()]

    RtlpInitializeLfhRandomDataArray()
    {
        int RandIndex = 0;
        do {
            // ensure that all bytes are unsigned (top bit of every byte cleared)
            int newrand1 = RtlpHeapGenerateRandomValue32() & 0x7F7F7F7F;
            int newrand2 = RtlpHeapGenerateRandomValue32() & 0x7F7F7F7F;
            RtlpLowFragHeapRandomData[RandIndex] = newrand1;
            RtlpLowFragHeapRandomData[RandIndex + 1] = newrand2;
            RandIndex += 2;
        } while (RandIndex ... );   // loop bound is cut off on the slide
    }

  • Windows 8 Front End Allocation 0

  • Windows 8 Front End Allocation I

  • Windows 8 Front End Allocation II

  • Windows 8 Front End Allocation III

  • Win7 vs Win8 Allocation

    Windows 7: will sequentially allocate chunks from the UserBlock. No validation of FreeEntryOffset, hence it can be overwritten and used as an exploitation primitive.

    Windows 8: a randomized array is used to search a bitmap. The bitmap will select the chunk, update itself and use a different random location each time.

    Heap determinism goes down significantly. FreeEntryOffset is no longer kept in user data, therefore the FreeEntryOffset overwrite technique has died.

  • Windows 8 Front End Mitigation III

    FastFail: INT 0x29 interrupt, designed to ensure fast failing

    http://www.alexionescu.com/?p=69 Search for CD 29 (x86) and find instances all over ntdll.dll

    Only one assertion in the LFH; otherwise use the RtlpLogHeapFailure() function and rely upon the HeapTerminateOnCorruption flag

  • Windows 8 Front End Mitigation III

    Bad News: Windows 8 checks LFH->SubSegmentZones

    Good News: Windows 7 has less strict checks; potential for a write-4 primitive

    _HEAP_SUBSEGMENT *RtlpLowFragHeapAllocateFromZone(_LFH_HEAP *LFH, int AffinityIndex)
    {
        ...
        // safe-linking check on the SubSegmentZones list head: both
        // neighbours must point back at it, otherwise fast fail
        _LIST_ENTRY *subseg_zones = &LFH->SubSegmentZones;
        if (subseg_zones->Flink->Blink != subseg_zones ||
            subseg_zones->Blink->Flink != subseg_zones)
            __asm { int 29h };
    }

  • Windows Front End Mitigation IV

    Guard pages were added between _HEAP_USERDATA_HEADER objects to foil overwrites and heap spraying

    Therefore, an overflow will need to exist in the same UserBlock, potentially guarding other UserBlock containers.

    After a certain amount of chunks exist for a certain size, a guard page will be added for subsequent UserBlock creations

    If page_shift == 0x12 || total_blocks >= 0x400, add a guard page to the allocation

  • Windows Front End Mitigation IV

    RtlpLowFragHeapAllocFromContext()
    {
        ...
        // determine if we should use a guard page
        set_guard = false;
        // the total amount of chunks available for a _HEAP_SUBSEGMENT
        int total_blocks = HeapLocalSegInfo->Counters.TotalBlocks;
        if (total_blocks > 0x400)
            total_blocks = 0x400;
        // there are other operations here, left out for brevity
        int page_shift = 7;
        int req_size = total_blocks * RtlpBucketBlockSizes[HeapBucket->SizeIndex] + 8;
        req_size = req_size + Round32(total_blocks) + 0x24;
        // page_shift ends up as the bit length of req_size (minimum 8)
        do
            page_shift++;
        while (req_size >> page_shift);
        if (page_shift == 0x12 || total_blocks >= 0x400)
            set_guard = true;
        // will allocate memory for the UserBlocks and add a guard page if necessary
        RtlpAllocateUserBlock(LFH, page_shift, BucketByteSize, set_guard);
        ...
    }

  • Windows Front End Mitigation IV

    RtlpAllocateUserBlockFromHeap(_HEAP *heap, int size, bool set_guard)
    {
        ...
        _HEAP_USERDATA_HEADER *user_block = RtlAllocateHeap(heap, 0x800001, size - 8);
        if (set_guard) {
            int page_size = 0x1000;
            // get the page aligned address then calculate the size
            // plus one page (0x1000)
            int page_end_addr = (user_block + (size - 8) + 0xFFF) & 0xFFFFF000;
            int new_size = page_end_addr - user_block + page_size;
            // reallocate with an additional page of memory appended
            user_block = RtlReAllocateHeap(heap, 0x800001, user_block, new_size);
            // make the last page of this memory PAGE_NOACCESS
            ZwProtectVirtualMemory(-1, &new_size, &page_size, PAGE_NOACCESS, &output);
            user_block->GuardPagePresent = true;
        }
        return user_block;
    }

    RtlpAllocateUserBlock calls RtlpAllocateUserBlockFromHeap
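An added stand-alone example (not from the slides or ntdll) that mirrors the guard-page decision from the RtlpLowFragHeapAllocFromContext() pseudocode above, so you can tabulate which bucket sizes and block counts get a trailing PAGE_NOACCESS page. The bucket byte size is passed in instead of RtlpBucketBlockSizes[HeapBucket->SizeIndex], and round32() is an assumed reading of the slide's Round32() (round up to a multiple of 32); the sample inputs are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed reading of the slide's Round32(): round n up to a multiple of 32. */
static uint64_t round32(uint64_t n)
{
    return (n + 31u) & ~(uint64_t)31u;
}

/*
 * Mirrors the guard-page decision on the slides. bucket_bytes stands in for
 * RtlpBucketBlockSizes[HeapBucket->SizeIndex]; the 0x400 clamp, the +8, the
 * +0x24 and the page_shift loop are taken from the slide's pseudocode.
 * If page_shift_out is non-NULL it receives the computed page_shift.
 */
bool lfh_guard_page_decision(uint64_t total_blocks, uint64_t bucket_bytes,
                             int *page_shift_out)
{
    if (total_blocks > 0x400)
        total_blocks = 0x400;

    uint64_t req_size = total_blocks * bucket_bytes + 8;
    req_size = req_size + round32(total_blocks) + 0x24;

    /* page_shift becomes the bit length of req_size, never below 8 */
    int page_shift = 7;
    do {
        page_shift++;
    } while (page_shift < 63 && (req_size >> page_shift));

    if (page_shift_out)
        *page_shift_out = page_shift;

    /* guard page when req_size is in [128K, 256K) or the bucket is at its 0x400 cap */
    return page_shift == 0x12 || total_blocks >= 0x400;
}

int main(void)
{
    /* constructed sample inputs (blocks, bucket bytes), not measured from a live heap */
    const uint64_t samples[][2] = { {16, 32}, {255, 512}, {256, 512}, {0x400, 32} };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ps;
        bool g = lfh_guard_page_decision(samples[i][0], samples[i][1], &ps);
        printf("blocks=%4llu bucket=%4llu page_shift=%2d guard=%s\n",
               (unsigned long long)samples[i][0], (unsigned long long)samples[i][1],
               ps, g ? "yes" : "no");
    }
    return 0;
}
```

Note that a request larger than 256K with fewer than 0x400 blocks yields page_shift 19 or more and therefore no guard page under this logic; only the total_blocks test catches it.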

  • Windows Front End Mitigation IV

  • Windows Front End Mitigation V

    Ben Hawkes devised a technique to turn an overwrite of a LFH chunk into a semi-arbitrary free: https://www.lateralsecurity.com/downloads/hawkes_ruxconnov2008.pdf

    Overwrite Flags and Index to point at a valid chunk within the UserBlock. Therefore you can taint an overflowed header, point to a legitimate, in-use chunk and free it. Win!

    There are checks to ensure that this will no longer work

  • Windows Front End Mitigation V

    RtlFreeHeap(_HEAP *Heap, DWORD Flags, void *Mem)
    {
        ...
        // if the header denotes a different segment
        // then adjust the header accordingly
        _HEAP_ENTRY *header = Mem - 8;
        if (*((BYTE *)Mem - 1) == 0x5)   // UnusedBytes byte just before the user pointer
            header -= 8 * header->SegmentOffset;
        if (!(header->UnusedBytes & 0x3F)) {
            // this will prevent the chunk from being freed
            RtlpLogHeapFailure(8, Heap, header, 0, 0, 0);
            header = NULL;
        }
        ...
    }

  • Windows Front End Mitigation V

    if (*((BYTE *)Mem - 1) == 0x5) {
        // this chunk was from the LFH
        if (header->UnusedBytes & 0x80) {
            // ensures that the header values haven't been altered
            if (!RtlpValidateLFHBlock(Heap, header)) {
                RtlpLogHeapFailure(3, Heap, header, Mem, 0, 0);
                return 0;
            }
        }
    }

  • Windows 8 Front End Mitigation VI

    Windows 7 wrapped RtlpLowFragHeapAllocFromContext() in a try/catch that would handle any exception

    I've speculated that this could be used to brute force address overwrites if multiple memory corruptions were a possibility.

    This is REMOVED in Windows 8

  • Summary

    Primitive | Windows Vista | Windows 7 | Windows 8 (RP)
    Heap Handle Protection
    Virtua
