Hi everybody. I really didn't want to start back from spring break remotely. This sickness is, like, really... I was in Tucson, Arizona up until late Wednesday night. While I was gone, my wife lost her voice to some sort of sickness, and my mom, who's living with us, her eyes got all goopy or whatever. And she went to the doctor, and the doctor gave her some equipment and stuff, and also said you've got COVID. I was home for one day and I lost my voice 24 hours later, on Friday. And then my eyes started gooping up yesterday. So it's like, alright, clearly it's going around my little house. I lost my voice and my eyes all gooped up. My eyes are a little bit better now, whatever. But, you know, that seems contagious enough that I should not be around humans who haven't already been infected. So sorry, it sucks, is what it is. Hopefully you're grateful, I don't know.

But the reason I really didn't want to skip today is that I'm very excited to hear where everybody's at after a spring break of attempting the speed runs and stuff. So is there anybody brave enough to kind of talk to me about the speed run experience? Yeah, go ahead, Michael. Or maybe that was an accident.

Oh, yeah. I'm not supposed to be unmuted. I apologize.

No. False. So I know you guys were trying over spring break, and some folks were in my DMs. Everybody should be in my DMs if you're struggling in any part of it, right? But I was really hoping to use spring break for the speed runs and stuff. So maybe we could say, alright... but also, I've always hated having assignments over spring break, because we need the break. You hang out with your family and stuff or whatever. So maybe I could hear it the opposite way, like, yep, I hung out with my family, didn't think at all about school the whole time, something like that. But it's an important time for me to hear where you're at. Because I believe that there's two ways to approach any problem.
One is you tweak your mental model. The other is you just debug the crap out of it. And if your mental model is right, but you haven't practiced debugging, then you're going to feel frustrated all the time, because all you can do is adapt your mental model. And if your mental model is right, but your implementation is wrong, then you're just going to torture yourself, because you're going to start thinking that wrong things are right. But what you have to do is just test whether or not your mental model is right by seeing what happens, rather than being mean to yourself. And that's easy to do, or whatever. So hopefully the experience of sitting down to solve the problems was like that. Somebody said they were done, done. So that's cool. Some folks are back at problem 2.3 and things like that. If you're stuck on challenge two, by the way, make sure you're not involving a.out. The one without PIE is the one that you can actually do. Um, so yeah. Anybody willing to tell me their story? Nick said in the chat, so that's good. Help start filling in some of the gaps and holes and things. Zack? That's a resounding no. I don't want to tell you my story. I want to hear the stories.

I mean, I can go. But I was one of those people in your DMs, so you already know.

That's fair. That's fair.

For me, I spent a lot of time, I guess, catching up over spring break, because doing the speed runs, it's like, okay, that's fine. But a lot of times with the speed runs, I usually get snagged on something and then take an extra four days to do it. And then I get really behind on the speed runs. And that's kind of happening with the challenges too. But I think I made decent progress over break, considering the time I spent on it compared to the other things I had to do during break.

Yeah. Your last message was like, oh, I made a breakthrough. So that was good.

Yeah, my last message was at one in the morning, right?

Right. Right. Yeah. Yeah. That's okay. I see them all. Yeah.
So I think one of those things is actually just a life lesson. You can only ever control what you can control. And so when you sit down to do a problem, if you really know that nothing you know how to control is going to fix it, then ask, right? So if your thinking doesn't yet have a mental model clear enough to progress, then that's a good time to get a high-ROI injection of advice. Versus if you have something in your mental model that you can control and try, great, you can still do that hardcore mode. But again, this class is not structured like normal things, so I don't mind you getting help from the Internet, from wherever, so long as you feel like you can do it. And if you feel discouraged, like you can't do it, then that's a problem, and address that quick, because that can still snowball out of control. And then I can get an email from you in the last week of class saying, I never caught up and this is all sucky and I hate the whole experience, everything else like that. It's like, dude, please talk sooner, right? Like, we could get help with that. So okay. Well, thanks for being brave there. Any particular places where most people are getting stuck? Like, I know the GOT problem had two or three people kind of stuck at the GOT problem. And it says like, oh, here's the link in my lecture, that's whatever. Tommy, did you fight through that GOT problem with the lecture notes, or are you still stuck there?

Alright, talking about challenge 78? I think the one, the one where you get like a weird offset and you get %ld and %d, yeah, that you scanf. Sanjay helped me out with that.

Okay.

It's kind of confusing, because the example on Sunshine CTF kind of had it backwards. Sure, it was like offset first and then what second, or something like that, and then your problem had it the other way around.

Yeah.
I mean, the problems were designed from the Sunshine ones so that you can't use the exact same write-up solution. CTF: you look at it and think a little bit on each one. They're almost the same with one tweak, something like that. Okay. Cool.

I was going to say, when you were just talking before about having a mental model: even though the Sunshine problems aren't exact, that really helped me develop a model of looking at the problem and actually knowing what direction I should be heading in.

Same here.

Yeah. Yeah. Good. Somebody sounded like an accidental unmute, maybe, there. Okay. Yeah. I think also when it comes to one of those Sunshine ones or something like that, one of those tricks I've done in my head, which is probably why I'm a professor now: every time I'm learning something, even back ages ago, I would learn it better by pretending to teach it to somebody. So I always imagine teaching this concept to someone else. What would I have to say to help them get it? So when it comes to the Sunshine CTF, I'm going to do it, right, and I think, what do I need to know? What do I need to say so that somebody else sees this little thing?

Alright. So I say all that, and this kind of early check is to see how people are doing on the stuff, largely because I'm really scared about the second half of the class. And I'm scared only from the perspective that my job is to maximally improve the trajectories of your careers and your lives. And historically, there's something at this stage where I can lose you, and I really don't want to this time. And so I feel like we need lots of back-and-forth so I can make sure that I'm saying the right things in the right way, so that I don't lose you as we move into this heap stuff. And to some extent, if you have felt behind, I actually think some of the heap things really are so fresh and so new that you could start fresh here, and it might help you when you go back later.
Like, I do sequential, but it's not directly sequential. So I do think that it's not so bad. But it's going to take us more than one class for each exploit, typically. That's going to be really annoying. I actually think that's the biggest culprit: we've got 50 minutes, and 50 minutes is not enough time to write a full, good heap exploit. Which means that we've got to remember where we are at the end of a Monday and pick back up on a Wednesday, that kind of thing. And in today's day and age, are you kidding me? So when a TV show does that, where they've got a two-part episode or something, you get "last time on whatever this show is, our main heroes got into hot water." So I feel like we almost need an intentional effort to be like, hey, this is going to take us more than one lecture. That's okay. Because if I get nervous about the memory from lecture one to lecture two, and I try to speed it up, then people don't want to ask questions because it'll slow it down or whatever. I think generally the answer is always go slower, even though it's not my instinct in terms of pacing. But again, that needs to be a back-and-forth to get the timing right. So join me and harass me a bunch as I do this so that I don't screw up. Because otherwise I'm just talking to myself and you guys are watching videos later hoping to catch up, things like that. And again, you know, we won't know for months if that worked, right? It's not a fast enough feedback cycle. Okay. With me on that? Yeah. All right, cool. Yes.

Alright, so here's today's goal. Pretty simple goal. In fact, I thought about writing a pace car problem that uses this and has a flag come out of it, things like that. And I could make something really clever to do that. But really what I want is that you've got an environment where you can inspect the heap. I'm going to show you what that means.
And I also think that everybody's environments are slightly different. And so, help each other out in the Discord, like, hey, I'm trying to install this in this environment, and this helped me, or whatever. So share your stories if you make a success, share your struggles if you stumble. But the goal is to basically get a screenshot out. And so we should just get the mechanics up and running, because I want you to be able to play. You have to be able to play with it and see that it's doing what you think it should be doing. A lot of my spring break advice too, it's like, hey, just debug like crazy. Okay, remember, classmates. Alright, here we go.

So step one. What is the heap? Why does it exist? And like everything we've done in this class, first learn the healthy version so that we can then exploit it and learn the hacker version. So just a reminder, this is my three-part framework in a different way. Anytime you do an exploit, you have three things you have to do. You have to get around address randomization. You have to create a write-what-where. Then you have to take control of the instruction pointer.

Yes, 16 PCPs in total for project one? My project numberings are all off. So let's say project one... three. Oh, wait, no, no, no, I'm sorry. It was 16 speed runs for project one. 16 PCPs in total for project three? Yeah. Yeah. Yeah. No, no, the question is about my substitutions. So doing PCPs to replace a heap project or whatever. So it's basically the fast path out of the class, like mastering the heap stuff isn't necessary to pass the class per se. But it is necessary for earning the title of secure software design. Yeah. So PCPs, I think it's 16 to replace a project. And I guess I'm at 20 now, so yeah. Alright. We've now officially become non-mandatory. That probably is dumb. Okay? Alright, what are my three goals? Randomize... get around address randomization.
Get a write-what-where: get bad data to some bad place. Take over the instruction pointer. If I can do those three things on a reasonable target, and I have a strategy, then I can take over the computer. Okay, so let's talk about a healthy heap. What is it? I think the words "dynamic memory" ought to do the job. That is to say, everything we've done so far, the compiler knows what the user needs, what the program needs, at compile time. So we make memory and we make room in the stack. We have places for our local variables. We know where everything is going to live. And I know exactly how much memory you need before I build the program. I think I'm recording. It is recording. Okay.

So the thing I think of when it comes to why the heap exists, I think of that old school... there was an old school arcade game. I think it's 1942. Yeah. This guy. Classic. Fine. Okay. This kind of game. I don't know if you guys grew up in a world of video game taxonomies. So this kind of a game, where you're in an overhead view, you're playing, you're shooting bullets, and you can upgrade your bullets. And there are going to be upgrades. So there have been a million different rip-offs of this old arcade game over the years. Yeah, you can get bullets that look like that and bullets that look like that or whatever. What are the names that people use for this kind of game? It's not quite bullet hell, but... Bullet hell also comes to my mind. I'll accept that. So maybe a top scroller, maybe that's the word I'm looking for. But anyhow, so think of a bullet hell game, and shmups, I don't know. Maybe you just tricked me into saying a bad word out loud. I don't have my synonyms handy. Okay. So if you think of a bullet hell game, you've got 1,000 bullets on the screen. Each bullet has a data structure of some kind. Maybe bullets can evolve and you've got some that do heat-seeking, path tracing and squiggles and stuff like that.
So every one of those bullets takes some amount of memory, and you've got to render it. And the memory has got a struct that says, this is my current direction, which sprite I'm going to draw with, things like that. Then the bullet goes off screen and then you fire more bullets. So... shoot 'em ups. Shmups. Yeah. Okay. Got it. Good. I'm glad it's not profane. So shoot 'em ups, shmups, I'll buy it. So in one of those games we get 1,000 bullets on screen and 1,000 bullets go off screen, whatever. How do you do that with just the stack, right? Like if you have just a stack, you might make room. If you think of old NES games. In old NES games, did you ever play Mega Man, you know, 1, 2 or 3, something like that? You get an old-fashioned Mega Man NES game. The bullets blink. Even the dude's face will blink. That's because they could only draw eight sprites at a time on the screen in the same horizontal row or whatever. And so they can get more sprites on the screen by having them blink, one at a time. They're like sharing sprite time. And I can still know where they are, but I can pretend to have more than eight. That's because it didn't have dynamic memory, right? I've got this chunk in my stack. And I'm just going to have, like, these are the eight sprites I'm going to draw. And they would just swap the last one out, or swap some of them out, or whatever. You know, they take some other place and load it into where they've got memory for their sprites.

So what's dynamic memory? Dynamic memory is saying, hey, think of anything you do in the browser. Here's a website. I don't know how big the website is when I compile the browser program. So I'm going to need room for this much of my website. Or I'm reading my emails. I don't know how big each email is. As I'm reading messages, I don't know how big each message is. So I'm going to make room for this much memory, and then I'm going to release it, and then make room for this much memory.
I'm going to release it. That's, like, everything that we use. Everything interesting needs dynamic memory. With me on that? Maybe not. Yeah. Yeah. Okay. So basically things that are on the stack are limited to just what you can predict at compile time, or at programming time. But as soon as you let the user control how big something is, then you need something more dynamic. Okay? So that's what the heap is all about: dynamic memory.

So now if you think about my bullet hell, one of the other things that's true is I'm going to make room for a thousand of your little bullets, and they're all going to be smart bullets. They all have their own little sprite and they all have their own heat-seeking missile target or whatever that they are currently tracking on screen. And I need to render each of them every... I don't know. Maybe it's 20. I'm sorry, I should double-check. My thing says 16, the website says 20. I thought I dropped it. Just set up for niceness. Maybe when professors get nice, students learn less, but yeah. Okay, I've got a quantitative drop budget. Okay, I might have lied, I don't know, maybe I've got it written somewhere else that it is... Oh, did I drop it to 16 and not change it on the website? Alright. Well, I'll tell you what all my philosophical stuff is: hey, don't let a transactional notion of grades rob you of your humanity, or me of my humanity. That is to say, my job is that you master the skill. And these are just exercises, the rest of the school stuff. But if it's 20, if it's 16, that's fine. I'm not going to overly sweat it. The goal is that you have a better life as a result of the exercise. But I think the reason it's mattering today is because, like, oh, I have an off ramp if I don't want to think about this. That's designed so you don't feel like I'm torturing you, but I want you to try to take the direct ride with me.
So if you're asking me 16 versus 20 because you want to know whether or not you have to pay attention to what I'm saying right now, shame on you. Pay attention. But if there's nerves or whatever because you've got a million other classes, it's fine, work with it. But at the very least, at least 15 minutes, let's try our best. Okay?

So imagine there's like 1,000 bullets on screen. And they all leave the screen. And I launch 1,000 more bullets. Unless I'm recycling my memory, I'm going to need more and more space for every new bullet. So imagine that every time I release a bullet, it's gone forever, and I just ask for more space for more bullets, the next thousand. What's going to happen to that program as you run it continuously? Well, the amount of RAM on your computer that it needs is just going to crank up, boom, boom, boom, boom, boom. And you'll see eventually your computer's just going to start overheating like crazy. And the amount of RAM that program needs is going to be so high that it bricks, that it crashes your computer. You're going to start going into swap memory and things like that. The whole thing is going to slow down, etc. So if you want to make sure that your memory footprint stays within some sort of boundaries, then you need to make room for a thousand bullets and then clear that room and allow 1,000 more to take the places of those previous bullets. That is, I need dynamic memory, but I also need to recycle that memory. And I have to avoid fragmenting that memory. So if I've got some bullets that need this much space, and some bullets need half that, and I've got half bullets kind of scattered all over the place, and the ones that take this much space are trying to fit their way in between, I need to be able to take a couple of different half-size bullets and merge them all together and make room for a bigger bullet or whatever that needs more memory. So it makes sense at the abstract level.
All right, so our job is to make room for bullets and free the memory of the bullets so that it can be reused again, and recycle them. And the recycling is where all of our exploits are going to come from. You guys are going to get trained to think that this can't be done securely or whatever. Or you're going to go looking for Rust and things like that. Yeah, defragmentation. Let's look at what fragmented memory actually is. Let's see if there is a nice diagram on Google Images. Memory fragmentation. Yeah, I used to... we used to defrag our computers a lot when I was a kid. So this is the combination of these. Okay. But you would sit and watch your computer try to defragment its operating system, because there's only so much memory. And so this is not a bad little diagram here. I remember those days. Yeah, my old school folks. Back before you had solid state drives? Exactly. Yeah. And operating systems have gotten pretty good at doing this. It's still doing the same thing, but it's doing it a little bit more in time and a little bit more out of your notice. So operating systems just do this stuff all the time, just wait for opportune moments.

So take a look at this chunk of memory here. Purple is available, and, you know, I don't know what color that is, navy slate is unavailable. Unavailable memory is currently in use. The other memory is like ready to go. If I need something that is going to be like 2 MB or whatever, to read a giant email or PDF or something, it would be nice if I could take these chunks and put them next to each other, and for me to know that I've got this much memory available in that space. So dealing with fragmentation is about making sure that my unused chunks can be consolidated into larger unused chunks, and that I minimize the number of distinct places where memory is not being used. Because, especially for something like an IoT device,
I don't know how much space I've got available in my program. A lot of times I might have a limited amount of space. And so if I need to do lots of stuff in a limited amount of space, then this kind of fragmentation really gets in the way of me being able to use all of the purple. Does that make sense? Okay. Yeah. You already said gotcha. Cool. Yeah. So pictures... our frontal lobes are awesome at pictures. And so these are all examples of old school fragmented memory diagrams that I grew up with. Like, okay, this looks like it's out of a loop or something. Which is interesting. So getting all the black stuff together will allow us to get a lot more efficiency out of this. It's pretty algorithmic. It's pretty algorithmic to do that well.

Alright, so we're talking about healthy dynamic memory. We've got a notion of what's dynamic. How do I recycle my stuff without getting all fragmented? Alright, here's the other cool part. How many of you guys have had a class with Debbie Arrington, or data structures or something like that? Yeah. Sanjay and I were walking back from VIP the other day talking about heap exploits. And I was saying, hey, you know, it just makes a singly linked list, and you do all these things or whatever. I taught data structures here back before I joined cyber. And when teaching linked lists, it just seems like a dumb academic thing that will never matter to you. Like, nobody actually codes with linked lists in real languages, something like that. But here, it's everything. Being experts at linked lists makes you such a good hacker. Interestingly, that's one of the more academic data structures or whatever, and it's everything to this stuff. So get really good at the foundation of what a linked list is. And I'm not going to overly exercise that, but linked lists really are how we're going to do this recycling and defragmentation and all that stuff. Okay. Alright, enough talk.
Let's play. So here's what I'm going to do. Just like I'm saying with the other places, I need to be able to debug, and I want to see that my payloads are doing what I want them to do, and things like that. So the main goal here is we're going to malloc and free. Alright, so malloc is the command. Malloc and calloc are all like buddies. And this is just "memory allocate." So when I run the command malloc with some number of bytes, it's going to make for me an address where I am guaranteed to have enough room for 16 bytes of data. So I can do that with an arbitrary, variable amount of data here. I could ask the user, or I can look at what the user wants to do, and I can give it memory. I can track my own memory and say, hey, this user is about to run out of memory, so I'm going to allocate more memory for them, things like that. All the languages do this. C lets you do it for yourself, which is why doing this in C is helpful. Because you can do these exploits in Python and stuff or whatever, but all of that stuff is one more layer of abstraction away from you controlling things. And so all of these exploits are going to be Chrome exploits, browser exploits, Python exploits, whatever. But that's because each of those does this just one layer under the hood. Um, okay, so I'm going to ask for 16 bytes of data, and I'm going to get an address where these 16 bytes live, and I'm going to do stuff to that address. Alright, so then when I'm done with the data, I can free that address, and it's going to recycle it so that I can gain access to it later. This is like a samba in one note or whatever. Sometimes, and sometimes I don't, it tends to be more like in two notes, where I've got two things I can do, malloc and free. Maybe I can control the amount of space that I malloc. That's it. Those are the two things I can do in all heap exploits. And from that we need to generate memory leaks.
We need to generate write-what-wheres, and we need to take control of the instruction pointer. So we're going to do all of those things just using malloc and free, and just the rhythms of it. So it'd be like a drum or something like that. I just have my snare and my cymbals or whatever, and that's enough for me to make something cool. Okay. So what we need to do is just see mallocs and frees and kind of see what the thing does when healthy. So I'm going to run this program and we're going to take a look at it. Now, what I'm asking of you is pwndbg. And that's how you read this: like "owned bag." Alright, fine. Which is really "pwn debug." And it's kind of a new tool for us that's really good at heap stuff. As they say, they make debugging with GDB suck less. Sorry. Here's your install instructions. Pretty, pretty straightforward. So let me show you what it looks like when it's installed. And basically your pace car problem is to mimic what I'm doing here on your favorite pwn rig. Alright, it's going to take this program. Now, you'll note that I'm just doing some random gets in three different places here. That's just so the program will pause so I can stop and inspect the heap. I'll show you what kind of a heap CTF problem looks like next. Alright. This is good, pwn rig. Actually there, there's the program now, basics. I can say GCC. I'll just confirm that: cat basics. Alright, so here's the program. I'll say GCC basics. Alright, it warns me that gets is insecure, even though I say yes. Alright, so here's my program running. Alright? Alright, alright, okay. But now let's do it with pwndbg, which is a set of cool tools inside of a really old school, good GNU debugger, GDB. The debugger is almost like, you know, it's like Python or something. It's a framework and you can put whatever you want in it. And so GDB is really, really old school. But because it's so open, lots of people put cool things in it.
So you'll see here that it says pwndbg. Other versions that are GEF, you can connect with IDA and things like that, etc. So lots of cool things you can do with GDB. And I like r2 for my debugging, my live debugging. But I like GDB with pwndbg for running the heap. Okay, so I did it just like I would do with r2. Let's say gdb a.out. Now, all I need to do is type run. It runs the program. I can see that it's doing stuff. And at the place where I'm paused, it has paused. So basically your goal for all the installs is just to get to see that red pwndbg like that. Right now I'm going to hit Control-C. Control-Z is going to break out of me interactively. And let me do my r2 thing, where I'm going to the command prompt. Control-C, break. Now you'll see that it's showing me all sorts of stuff here. What's it showing me? It's showing me my registers. It's showing me the instructions near the current instruction pointer. This is a telescoped stack. So here's where the stack pointer is. Here are sort of memory offsets in the stack for the printf stuff. And here's what's on the stack. And these are the values at each of those eight-byte kind of intervals. Here's a backtrace of what was sort of in the stack frames to get me here. Here's what was called to get me to this place. Okay.

So now what I'm here for is the command. This is the heap. What am I looking at? Well, there's a lot of stuff in here. A lot of stuff. This is the beginning of the heap segment. How does the heap really work? Just like the stack or whatever, you know, the operating system gives me a segment of memory, which is a multiple of a page length. So I can see here's the beginning of my heap segment. And it ends in 000, like any of the interesting segments do. And this is kind of what memory looks like in the heap. And you'll notice that it's kind of a cool Tetris shape every time, where instead of starting at the zeros, my colors change at the eights.
So I kind of go from here to here, and I go from here to here, from here to here. And I go from here to here. So you'll see that it's changing colors, and each of those is a chunk. And then at the very end is this wacky little thing with the last eight bytes that they call the top chunk. Now you'll note this is not the end of the heap, but this plus this is the end of the heap. Look, nine plus seven is 16. And then b plus four plus one is 16. So if I add this number to this number, I'm going to get 001. And that's because in the heap we always ignore the last little nibble, so that one actually has nothing to do with the size here. So what is this? This is the number of bytes available in my segment before I need more memory. And it's in the hexdump format here, where I've got the address where I'm seeing something. But then this visualizer is kind of giving me eight bytes as an address, eight bytes as an address. So it's kind of undoing a little endianness or whatever, showing it more like a human version of these eight bytes. And then this is anything printable here, if I need to see it. But what is interesting is that we consider the heap ending at this top chunk, which says how many bytes are left, and everything beyond this I call the wilderness or the frontier. Like, here's all the stuff where I don't know what's on the other side of that wall. Here's all of civilization that has walked right up to that boundary of the frontier. So we humans, we coders, we've asked for memory in various ways and it's given us memory. So let's inspect the code and match the code to it. So these are the four parts my code asked for. Then a bunch of purple stuff that my code didn't ask for. So let's take a look at what these four are. So what did I do? I said malloc 16, malloc 32, malloc 48, malloc 64. What have I asked the program for? I asked for enough room for 16 bytes, asked for enough room for 32 bytes.
I asked for enough room for 48 bytes, asked for enough room for 64 bytes. Let's see what I actually got. I asked for 16 bytes. It gave me this. Now this is 1, 2, 3, 4 chunks of eight bytes. So it actually gave me kind of 32 bytes. And what's interesting is that this is metadata, and this is the address that it actually returned to me. And so what I actually got was 24 bytes. I asked for 16, it gave me 24. That's a little bit wacky. But I'll show you again. Now I asked for 32. What did it give me? Well, it gave me 48, and it actually gave me 40 bytes. 1, 2, 3, 4, 5 times eight is 40. So those are the user bytes that are available to me here. So it gave me more than I asked for. And it did that because it wants eight bytes of metadata about the size of my dynamic memory, and it likes everything to be multiples of 16. So I asked for a multiple of 16, it added eight, and so it gave me eight extra bytes, which I don't know about. As far as I'm concerned, these are the 32 bytes I can write to as the coder. There's actually eight more that I can write to without causing any trouble. And these bytes here are before the address that it will give me. I haven't actually looked at the addresses. We can look at those addresses. In fact, let's rewrite it to look at those addresses and confirm the addresses are all going to end in zero, but the metadata is at these eights. Okay. Okay. Control-D, I guess, got me out of it. printf. And that's okay. I'm just going to look at my four addresses, and you'll see the addresses I get here. And the gap from here to here is 32 bytes. That's 16 plus 16. So even though I asked for 16, the next one is 32 bytes later. And here I asked for 32 and I go up to the next one, so it gave me 48 bytes from here to the next address. Let's inspect that. We'll just run. You'll see the addresses ending in 6b0, 6d0, 700, 740. Hit Control-C, type this. Scroll around a little bit, and I get ...6b0 is this address, that's the one that actually gets returned.
This is the one that actually gets returned. This is the one that actually gets returned. This is the one that actually gets returned. Okay. So what exactly am I showing you here? One, I'm showing you that the heap is Tetris, right? The heap always makes Tetris shapes. So everything is kind of like Harry Potter lightnings. Eight bytes come just before the address I give back to the user. And what are in these eight bytes? Well, two things. One, this one here, it's not yours, that one belongs to the previous chunk, believe it or not. So really I read this as 20. And what is the 20 is 32. What is the 32? That's how big the chunk is. That's basically I've got eight bytes, eight bytes, eight bytes, eight bytes. So this 20 is really saying 32, and it's really saying this chunk has 32 bytes in it, including eight bytes of metadata and 24 bytes of user data. Are you with me on that? So this is metadata that says how big the chunk that I've made for this user is. With me on that interpretation. That's a no. Okay. So the would we always subtract one from whatever is in our metadata number? Yeah, the metadata number is how big it is in physical space. So here this 20 oh, you mean this one here? Yeah. Like is that like is that like a rule? Where is that always going to be the case where we would take off one and then I have a diagram for you. I have a diagram. The diagram is here in the heap Bible. And this is, I have this setup profit engine. This is illegal of me to share. 20 is 32 because it's hex, hex 22 times six to the one is these bottom three bits are used as super metadata. And so basically, here's the idea. I know by convention that every chunk of memory is going to be a multiple of 16, which means that in hex, the last part will always be zero. So the last nibble is always zero. Which means the glass four bits are zeros, zeros, zeros, zero. So here's what the beautiful people who wrote the heap did. 
They reserve those last three bits to store some extra metadata that isn't the size of the chunk. So they know that those last four bits should always be zero by convention. And so they use those last three, not for the size, but to store a little bit of binary data. That is, the chunk before me in use or not in use. Is the chunk here. Memory map that is some chunks solars need to make room for a whole planet. And is this in the main arena or not? These two are like super-advanced, so we're not going to mess with those yet for awhile. Which means that the last one is either a zero or a one. We're going to mess with that a lot. What is that saying? It's saying is the trunk before me still used by a user or has it been recycled? So your question was, can I always ignore, subtract the one? And I would phrase it, no, you can always ignore the one. This one is basically saying this one is still in use. And if it were no longer in use, it should change to a zero. Now, I'm gonna put an asterisk on that because we're about to free it. And when we free it, we're going to see that that one is still there as a one because it's more complex than that. Of course. But sadly, but in the correct model, as soon as I have freed a large chunk just before me, then this one will turn into a zero. And that says to the compiler or to the program to G lip see that this chunk is now available to be redistributed as a new bullet. That's what that actually means. And that's because they are not worried about the bit-level. They know everything is multiples of 16. So they're just going to reserve those bits for other metadata and the other metadata in this case, the one means the previous chunk is in use. Okay? That's that at time, which is fine. So your goal is basically to be able to make this screenshot in your environment of choice, which is to just run this thing, Control C and visualize the heap here. 
We'll will go into the rest next time, because again, this stuff is going to just take a little while. So ask lots and lots of questions. And let's try to almost have like a last time in secure software design. At the beginning of each class. Yeah. What's up, Drew. Or do you mean one-on-one? Okay. All right. Yeah.
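The size rounding and flag bits the lecture walks through, as an added example that is not part of the recording: `request2size` and the bit decoding model glibc's x86-64 chunk header (8-byte size field, 16-byte alignment, 32-byte minimum chunk, low three bits as flags), which are assumptions taken from glibc's `malloc.c` rather than measured here; the `main` additionally reads the real size field eight bytes before each returned pointer and assumes a glibc allocator.

```c
/* Added example (not from the lecture): models the glibc x86-64 chunk
 * header. Assumptions: SIZE_SZ = 8, 16-byte alignment, MINSIZE = 32,
 * flag bits as named in glibc malloc.c. */
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

#define SIZE_SZ 8
#define MALLOC_ALIGN_MASK 15
#define MINSIZE 32
#define PREV_INUSE 0x1      /* bit 0: the chunk before this one is in use */
#define IS_MMAPPED 0x2      /* bit 1: chunk came from mmap, not the heap */
#define NON_MAIN_ARENA 0x4  /* bit 2: chunk belongs to a non-main arena */
#define SIZE_BITS (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)

/* Chunk size glibc picks for malloc(req): req plus the 8-byte size field,
 * rounded up to a multiple of 16, never smaller than MINSIZE. */
size_t request2size(size_t req) {
    size_t sz = req + SIZE_SZ + MALLOC_ALIGN_MASK;
    return sz < MINSIZE ? MINSIZE : (sz & ~(size_t)MALLOC_ALIGN_MASK);
}

/* Bytes the caller may actually write: the chunk minus its own size field
 * (the next chunk's prev_size slot is borrowed while this chunk is in use). */
size_t usable_bytes(size_t req) { return request2size(req) - SIZE_SZ; }

/* Split a raw size field such as 0x21 into the chunk size and its flags. */
size_t chunk_size(size_t field) { return field & ~(size_t)SIZE_BITS; }
int prev_inuse(size_t field) { return (field & PREV_INUSE) != 0; }
int is_mmapped(size_t field) { return (field & IS_MMAPPED) != 0; }
int non_main_arena(size_t field) { return (field & NON_MAIN_ARENA) != 0; }

int main(void) {
    /* Same four requests as the lecture; reading p - 8 assumes glibc. */
    size_t reqs[] = {16, 32, 48, 64};
    for (int i = 0; i < 4; i++) {
        unsigned char *p = malloc(reqs[i]);
        if (p == NULL) return 1;
        size_t field = *(size_t *)(p - SIZE_SZ);
        printf("malloc(%zu) -> %p  size field 0x%zx  chunk %zu  "
               "model usable %zu  prev_inuse %d\n",
               reqs[i], (void *)p, field, chunk_size(field),
               usable_bytes(reqs[i]), prev_inuse(field));
        free(p);
    }
    return 0;
}
```

Run it under gdb with pwndbg's heap visualizer and the printed size fields should match the 0x21, 0x31, 0x41, 0x51 headers in the lecture's screenshot.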
Intro to the Heap (pwndbg vis too)
From Andrew Novocin April 03, 2023
Zoom Recording ID: 4159319948
Meeting Time: 2023-04-03 02:10:14pmGMT
- Tags
- Department Name
- ECE