Dynamic Memory Allocation: Implementation and Misuse
Pratik Prasad Devkota*
Department of Software Engineering, Nepal College of Information Technology, Nepal
*Corresponding Author: Pratik Prasad Devkota, Department of Software Engineering, Nepal College of Information Technology, Nepal.
Published: April 12, 2024
Abstract
Heap is a topic of interest among security researchers and exploit developers who are looking for vulnerabilities in modern-day software. The complexity of allocators like the one used by GLIBC incur a broad attack surface. Attackers can exploit an application by misusing the algorithms and metadata used by the memory allocator itself due to various flaws in the implementation. As a result, there are many exploitation techniques related to the heap. However, these vulnerabilities and exploit techniques are more difficult to understand as they can be dependent on the intricate details of how the allocators are implemented. While stack-based attacks have received significant attention and have various mitigations developed, heap-based attacks remain a persistent threat.
This paper provides an analysis of the dynamic memory allocation mechanism used in GLIBC, one of the most widely used C library implementations. We describe the key implementation details of the memory allocator, including the use of segregated free lists, in-band metadata within heap chunks and support for multithreading using arenas. We then demonstrate how vulnerabilities can occur in the heap due to incorrect usage of the memory allocation facilities provided, such as use-after-free, invalid free, heap overflow, and others. To illustrate the severity of these vulnerabilities, we provide an overview of two heap exploit techniques: tcache poisoning and fast bin dup. This paper aims to help developers who want to understand how dynamic memory allocation works under the hood and how to avoid common pitfalls that can lead to serious security vulnerabilities.
Keywords: Heap exploitation; Memory corruption; Low-level vulnerabilities
.