This 5 day course will give an in depth examination of a variety of current heap allocators in the context of exploit development, including glibc’s ptmalloc2, Chrome’s PartitionAlloc, JEMalloc, TCMalloc, embedded allocators such as avr-libc, newlib, or dietlibc, and those used in Linux Docker images such musl and uClibc. The lectures and labs will look at numerous ways to misuse each of these allocators in the latest versions of each.
Course Objectives
To be able to exploit heap corruption in C programs on Linux using the latest versions of a variety of allocators.
Duration and Schedule
5 Days, 9am – 5pm
Training Outcomes
- Demonstrate understanding of heap data structures
- Demonstrate debugging heap data structures
- Demonstrate attacks against the heap
Who Should Attend?
- Developers
- IT Professionals
- Embedded Developers
- OS Developers
- Penetration Testers
- Software Security Auditors/Analysts
- Vulnerability Researchers
- Software Exploitation Developers
- and anyone interested
About the Trainer
Dr Silvio Cesare is the Managing Director at InfoSect. He has worked in technical roles and been involved in computer security for over 20 years. This period includes time in Silicon Valley in the USA, France, and Australia. He has worked commercially in both defensive and offensive roles within engineering. He has reported hundreds of software bugs and vulnerabilities in Operating Systems kernels. He was previously the Director for Education and Training at UNSW Canberra Cyber, ensuring quality content and delivery. In his early career, he was the scanner architect and a C developer at Qualys. He is also the co-founder of BSides Canberra – Australia’s largest cyber security conference. He has a Ph.D. from Deakin University and has published within industry and academia, is a 4-time Black Hat speaker, gone through academic research commercialisation, and authored a book (Software Similarity and Classification, published by Springer).
What to Bring to Face-to-Face Training?
- All materials are provided by InfoSect
What Will be Provided in Face-to-Face Training?
- Laptops for class use
- Coil bound lecture materials
- Catering provided.
- Access to VMs with laboratories
- InfoSect Swag
What will be Provided in Live, Interactive, Online Training?
- Lecture notes in PDF
- Lab guides in PDF
- Access to VMs with laboratories
- InfoSect Swag (for Australian shipping only)
Participant Skillset
Students taking Linux Heap Exploitation should have an intermediate C and Python Development background. The course is heavily focused around coding basic Python scripts. Students should have hands on experience in:
- C Coding Experience
- Python Coding Experience
- Linux
Class Syllabus
Day 1
Lectures
- Introduction to the Training
- Heap Misuse
- Control Flow Hijacking
- Ptmalloc2 Heap Data Structures
- Debugging
- TCache Poisoning
Labs
- Arbitrary Write to Code Execution
- TCache Poisoning
Day 2
Lectures
- TCache Double Free
- Fast Bin Double Free
- Overlapping Chunks
- Calloc I
- Calloc II
- House of Force
Labs
- TCache Double Free
- Fast Bin Double Free
- Overlapping Chunks
- Calloc I
- Calloc II
- House of Force
Day 3
Lectures
- Double Free Mitigation Bypass
- TCache House of Spirit
- Fast Bin Poisoning I
- Fast Bin Poisoning II
- Unsorted Bin Libc Base Leak
Labs
- Double Free Mitigation Bypass
- TCache House of Spirit
- Fast Bin Poisoning I
- Fast Bin Poisoning II
- Unsorted Bin Libc Base Leak
Day 4
Lectures
- TCMalloc
- Freelist Poisoning
- Double Frees
- Overlapping Chunks
- JEMalloc
- Overlapping Chunks
- PartitionAlloc
- Freelist Poisoning
- Double Frees
- Overlapping Chunks
Labs
- Labs on all the above allocators
Day 5
Lectures
- uClibc
- Unlink
- newlib
- Freelist Poisoning
- House of Spirit
- dietlibc
- Freelist Poisoning
- House of Spirit
- musl
- Freelist Poisoning
- avr-libc
- Freelist Poisoning
- House of Spirit
- Overlapping Chunks
Labs
- Labs on all the above allocators