Andy Novocin: All right. So my strategy is that you've got one thing that you know really well, and that we go through all the crazy flow chart and all the complexity by basically asking this: well, why doesn't my one thing that I want to do work in this case? So I want to say, like, here's the one thing I want to do. It's sort of evergreen, like it's going to be in glibc forever, whatever. If there's a use after free, you can party with it.

Andy Novocin: And so the question is: what do we do as the context changes? So Friday we did a little bit of that, right, where it's like, okay, in my playground everything is wide open, you know. And so what if I take away your ability to set the size, you know? All right, cool. Well, that struggles with the glibc leak, and how do we do that? We fake the chunk, and faking a chunk that's useful, that's a useful idea.

Andy Novocin: Okay, so can you, just for my own edification, because we're about to move into a whole new chapter here, kind of, but I want it to be rooted in tcache poisoning. Can somebody explain to me what is the tcache poisoning that we've been doing, and how does it work? What's the main exploit? What's the flaw that the coder made that allowed all of our exploits from the last few weeks to happen?

Andy Novocin: Use after free. All right, good. And I saw you back there, I said, you know, use after free, so good. And when we have use after free, what is it that we do to exploit that in the tcache poisoning process? My hand motion isn't triggering? That sounds like... My, but the job is, these are always the jobs I need to do. These are my forever goals, right? I always need to get around address randomization, I always need to write-what-where, I always need to control the instruction pointer. How do we get around
address randomization so far in our baseline heap exploits?

Andy Novocin: Yeah, memory... it's elaborate... memory address leak. How did we see the thing in memory, or, like, how did we get an address in memory that I'm allowed to read? The bins. What's the process to read something I shouldn't read? Like manipulating the links? Actually, to read the addresses I don't need to manipulate anything, really. I just throw them into a bin, and I know the link in this is going to have addresses. And then what do I do after that? I just... no, I just look at them. You know, I just view it. That's already a security flaw, right? The fact that I can, like, view it after it's been freed is a use after free viewing, and that's all right. That's our access to memory.

Andy Novocin: What was the twist that happened after 2.32? Yeah, absolutely. They XOR some crap in there, right? And what's the crap? It's the heap's, it's the chunk's address itself shifted down by 12. So they've got this extra little key that they put in there that makes it so that my, you know, leaks all look a little funky.

Andy Novocin: Okay? And oh, they're telling me in Zoom: unsorted bin. Big ch... okay, okay. So why is he talking about the unsorted bin? Yeah, that gives me a glibc leak. All the little tcache, you know, links, the singly linked lists, they're pointing at each other, and they live in the heap, and that's fine. That's good. It's valuable, but it's not that valuable. It's not Walmart. That's like breaking into the 7-Eleven or something, you know. But I want to go to Walmart. Yeah, they put a sign that says how much money they have, and we don't have that much at 7-Eleven.

Andy Novocin: Yes, and that's essentially equivalent to me editing the heap later. All right. So how do I get my write-what-where?
Andy Novocin: So now you guys are right-ish, where you're like, I manipulate the bins. How am I manipulating the bins? I know, three mallocs: malloc, malloc, malloc, free, free. So malloc, malloc, malloc makes three chunks; free, free puts one in a bin, one in a bin. What made the second one interesting to me? It's got an address in it that I can read, and if I can use after free, if I can edit after free, then I can edit that address. And now I've taken over the back half of the linked list. If I've taken over the back half of the linked list, then malloc is going to return to me an address I provided. I provided an address, and I can get malloc to return it to me, and what that means is that it's saying, hey dude, you can write here all you want. And now it's telling me to write wherever I want.

Andy Novocin: So that's our, like, tcache. Sorry, I just want to make sure that you know that. I feel 60% sure after our interaction here. It's like, okay, it's not like 2 plus 2, you know, it's not that level of knowing it, but close enough. So you should probably all go try to do just a baseline tcache poisoning where you, you know, take over... what was our method of taking over so far? How do I take over the instruction pointer if I don't have a win function? Do you remember? What did I always do to my third malloc, or that last little buffer? Like, what did I write there?

Andy Novocin: Oh, I'm feeling nervous now. We can go back and do it again. It's all right. The plan is that you've got this baseline, but it's like the baseline is a little bit weak.

Andy Novocin: Free hook. Yeah, yeah, there you go. Sanjay gets it. It was the free hook. So there's these things, the free hook and the malloc hook, in glibc. If you override that with an address, then any time malloc is called it's going to run your function instead of malloc; whenever free gets called it's going to run your function instead of free. So what would we do? We'd write "/bin/sh" into one of the chunks, and then we'd replace free with system, and we'd system our "/bin/sh". That was kind of our methodology so far.

Andy Novocin: Okay. And when does that stop being valid? Which glibc took away my free hook? Okay. Yeah, 2.35? 2.34 and forward, in fact. But yeah, anything 2.34 and up are all the same, and they don't have a free hook. Okay? Okay, all right. That's our baseline. Do you guys, like, memorize that or something, or practice that? I feel like you really know that baseline. That's like the whole plan: you know that baseline, and then we're going to build on it and things like that.

Andy Novocin: Okay. So now I'm going to take away from you the use after free. You know, take away your use after free. Now the use after free, you know, that was a developer making a pretty critical mistake. Okay. And I will forgive you for thinking that this feels contrived. I don't think it is. I think in this example it feels contrived. But I think in reality... here's the vulnerability this week. All right, I've added kind of an in-use checker. So if ever I've got one of your pointers, I'm going to do my own little true or false of whether or not you are in use. So I say, hey, I just malloc'd this, a user has access to it. This is my own little, you know, previous-chunk-in-use flag. And when they go to edit, I'm going to check to say, hey, are you allowed to edit?
Are you currently being held by the user? And when you go to view, I'm going to say, hey, are you allowed to view? Are you currently active, this chunk? And when I go to free, I'm going to set it to 0. So I say, okay, no more viewing or editing that pointer address. But I didn't take the extra step of checking it here.

Andy Novocin: All right, now that seems a little contrived. Why would they allow me to not edit or view, but yes to double free? Well, you've got to take a little object-oriented view to understand the actual mechanics of it. The malloc chunk is inside of a user class or something, and the user class has this stuff, and it keeps its own pointers or whatever. I don't use the user once I've gotten rid of it. But the user is there, or like, you know, the user is dead or something, or whatever, and they still keep this stuff in the data. So it's a little micro-contrived, but it's not really in practice, because all of this stuff in practice is like a six-month team of four to six people going for that one-million-dollar payday. So in practice this is six months of trying to take what Chrome is actually doing and mapping it back to this map of, like, your reality. Right? So, you know, I struggle to do an exploit in 50 minutes. You get a team of really bright people six months to find a 0-day. We're talking, like, NSA spy-versus-spy stuff. And it's totally okay to take your whole team and say, your job is to get me remote code execution on Android OS, you know, without any other vulnerability. Yeah, it's just known code.

Andy Novocin: So what is reality? I don't know. These are all trying to point at the security lessons that would take you six months to do in... Okay. Yeah, I had another thought.
I'm just going to babble it out at you, just vomit.

Andy Novocin: When you go to work as a blue-collar cyber person, typically you're pulling your crap from Metasploit early on, like you're a baby red teamer or whatever. And I would say this is, like, you know, part of what this class is an invitation to, and part of the reason I'm not grading the back half, is that this is a class about building nuclear weapons. And nuclear weapons are like a one-time-use thing or whatever. Once we find an exploit... for whatever reason the analogy breaks down almost immediately. Once we find an exploit, if it gets blown, ever, anybody knows about it, whatever, it gets kind of patched or downgraded or something like that; the script gets added to the Metasploit sort of world of script kiddies. So, like, the 0-day happens once, and then other people copy and paste that thing forevermore. So it goes from being a nuclear weapon to being like a BB, you know, and so many of you will go to work early on, the early stage of your career will be, like, protecting against BBs, and all you've got to do is just, like, put up a tarp, you know, and that's okay.

Andy Novocin: Part of this class is an invitation to prevent nuclear warfare. You know, part of this class is an invitation to do this at the highest levels, and not all of you will do that. You know, I get that. So, just to say, we are building the payloads that go into Metasploit, which is a really rare skill in the world. So it seems kind of weird and esoteric, whatever, something like that. Not all of you are going to do it, and I get that. All the insights are fine, because you're all going to be developers of some kind or another, or you're going to understand the mechanics of how the thing happened.
A couple of you can go and make the nuclear weapons and go and prevent them at the highest levels, or discover them, or whatever, you know. So, like, the land of 0-days is for the elite, and you're all capable of that. But, you know, it's just weird. It's a weird career, you know. But you will all use these things on the other side once they just become script kiddie crap.

Andy Novocin: All right? Yeah. Got it? Okay? So this is our exploit for this week. I'm going to put this up on a... and our job is to break through. I just didn't think you'd be able to break through in one day. So why? Well, I've lost view and edit. If I lose view and edit, what does that do to my kill chain? Remember all these early questions that, you know, we kind of fumbled through Monday morning, a little sleepy, whatever. All these questions we fumbled through. How do I conquer address randomization if I can't view after free? How do I do a write-what-where if I can't edit a chunk after free? All right, that's sort of the dilemma that we find ourselves in, and you want to get right back to that place where you have a use after free.

Andy Novocin: So what I want to show you is a way to manufacture use after free. All right, so you say, if the one bug I've got is double free, I can kind of manufacture a version of use after free, and that translates right back to the world I'm comfortable in. It's just, like, three steps longer each time, you know, or whatever. So that's kind of my pedagogical framework here.

Andy Novocin: Okay. So here we go. This is the fastbin dup, and this fastbin dup looks exactly like it is in the, you know, the canonical how2heap. You know, this is where all the heap exploits live.
Andy Novocin: And yet it's not actually that interesting on its own yet. And, you know, it's like, okay, we'll do fastbin dup, and it's like, no, actually we have to talk about a whole lot of stuff to understand how to use the dumb thing. So here's the fastbin dup. You're going to malloc a, you know, malloc b, and then this is the magical little somber dance: free a, free b, free a. Okay, that double free shouldn't be possible. But it is. I want to show you why that's possible, or whatever, what's going on in that world, and things like that. Now when I malloc, I will get a right back, and I can write a target into that a. Then when I malloc again, I'm going to get b back, and the next malloc will be a again, and the malloc after that will finally be my target.

Andy Novocin: All right, so this is the baseline fastbin dup. It annoys the hell out of me that in this industry they spell dup d-u-p, just like that. Why would I want to pronounce that "dup", and I don't ever want to say "dup" out loud? That sounds dumb. It's a dupe, and it's a duplication of a fastbin. I just don't know why, for whatever reason, some dumbass left off the E. All right, so, you know, that's pronounced "dupe".

Andy Novocin: All right. So if I can do this, the one vulnerability that the coder allowed is this line. That's the coder's fault. Everything else is sort of, you know, fighting around the glibc, and the coder just didn't double check that I couldn't free an address that was already freed. All right. Now why is this the same as the use after free? Well, now I have something that is totally mine, and it's totally free, and if I have something that is both freed and mine, then I can...
And it's actually really, at this point, that I have something that is both free and not free. And at that point I can turn it into a read, where I can read what's in there, things like that, etc. Now, you know, even in our playground case, I don't just get to malloc. I always malloc and send a little payload, so I'm going to lose a byte of that address that I want to leak, and so I've got to, like, reverse engineer where that byte went and stuff like that. It'll be a little bit annoying, but I will end up with... well, I will end up with something that is both free and not free. And what does that mean? That's a use after free. It didn't happen from the coder's fault, you know, but it happened from the coder allowing me to double free. So that's the big idea: I can use a double free in order to synthesize the use after free, and you guys should love use after free, because that's our baseline. That's the one that everybody knows so well, quote unquote, you know. But we get it, you know, like, all right, a leak, and then I can do some other stuff.

Andy Novocin: Are you with me on that? That's the framework. Now, it all goes to hell immediately. It all goes to hell immediately. That sounds great. I can run that, and that will work and not crash my dumb program. In fact, we should... yeah, we could validate that real quick, etc. And, you know, that's the big idea. Great.

Andy Novocin: But what sucks about heap stuff is that the big ideas don't come as fast. It's not like, you know, here's the big idea, or whatever. It's like the big idea is at the other side. It's like having a treasure map or something, right? Like I found a treasure map. On the other side of the treasure map is this thing that I used to get for free out of my printfs, or you see it for free at all my other, you know, baby exploits.
Andy Novocin: But now it's actually buried in some island in the Caribbean with, like, arrow machines or whatever, and so, like, we have to... first, you know, now every exploit becomes an Ocean's Eleven caper, right, where it's like, okay, I've got a thing. Here's all the crap I've got to do in order to set it up so that I can finally get the gold, you know. And so everything becomes Ocean's Eleven instead of just, like, push a button and win, you know, and that's what we've had so far. So that's normal. That's life in, like, 0-day land. Nothing is free here, nothing's patronizing. But it takes me three times as long to talk about it. All right, which means that, body language wise, you guys get more bored because it's not the same dopamine hit every single class. It's a dopamine hit once a week, all right. So sorry. You know, we like our dopamine hits, so I like my speed runs. These are the same as speed runs, all right, but they're worth a lot more points. The speed runs are, all the time, 10 points. Every time you solve one of these it's 500 points, 50 times more valuable than speed runs.

Andy Novocin: So what goes wrong? Well, now we have to think about security, like, now we have to think about what's actually going on in the heap land. The people who make glibc are not idiots. Our enemies are not idiots here. There is one developer that made one mistake. One of the things they did to try to stop us, and how do we get around that? So there's three layers of laser things I've got to, like, spray my, I don't know, Febreze or whatever it is you spray to look at lasers when you're doing spy stuff. None of us have ever done that, right? But we've seen the movies. Okay.

Andy Novocin: So, since this is going to get hard, I'll show you, maybe I'll show you why it's going to get hard. Here's why it gets hard.
Andy Novocin: This is our first kind of look into the actual source code of the person who really wrote the dynamic memory allocator. And this is in pwndbg, which is pretty cool. So if you crash your program, you're going to get this kind of stack frame, like, traceback of all the errors: like, this is where my abort happened, which was called by this libc message function, which is called by some unnamed, you know, lambda or whatever, which is called from this, like, internal free method, which was called by the menu free. It's like, okay, cool. So this is the free method. And I can say, hey, in stack frame 4, in traceback frame 4, let me see what the message is, and they'll say, like, oh yeah, double free or corruption. I say, can you show me a little bit more code of that? Sure. And here's the literal malloc.c lines of code where I triggered the security vulnerability. This is the laser system.

Andy Novocin: We've got to think Tom Cruise in the early 2000s or whatever, something like that, you know, before we all knew he's crazy, and maybe he's not. I don't know. Whatever. You know, the roller coaster. I'm not a celebrity guest. Okay.

Andy Novocin: This is the check: old == p. If I fail the check, or if old == p, then it's going to throw an error and say "double free or corruption". All right, fine. So that's a security measure. And what's really cool about this is that you can now, with the playground and stuff, you can go fart around with things that you think might work, and you should. You should, like, tinker in the space, and then go see which lines of security things you triggered, right, you know. So what's cool about this is, like, there's a laser system, but I can see the specs on the laser system. It'd be like, that's a Laser Automatic 2305.
Which means that there's a trip switch over here, you know, whatever. So step one: old == p. All right, step two. And that's, by the way, that's why we do free a, free b, free a. This is the one that causes us to do the dance. We just can't free the same thing twice in a row, but it only checks the previous one, which is kind of cool, or is okay... it's not cool, that should frighten you. And you would think, why not check all of them to make sure that they're not freeing one that's ever been freed? And that's a question I have to answer for you today. This is actually, like, this thing will always be a bug. They're never going to be able to patch it, because if they patch it, they're going to make all your video games... you know, they're all going to get slower. All right, so, all right. But I have to tell you why this will be a forever evergreen bug that we can always exploit, kind of.

Andy Novocin: Okay. Then this is the other source of code that is going to annoy us, all right, and it's this one. All right. If the chunk... then I am referring to, you know, they call it the victim chunk. By the way, the victim chunk is the one they're giving back to you, because they're killing it from a linked list. So it's the victim of a linked list murder. The victim of our linked list murder is going to have a chunk size. They're going to check that, and then check to see that it matches the index in the fastbin of the linked list you're in. So that is to say, if I'm pulling from linked list 0x20, I'd better see that near your address is a size field that says 0x20 or 0x21. So they're going to check the size field of anything they return back to you. Those two things make everything else crappy for us.
Andy Novocin: tcache didn't do that much security, because, you know, whatever. Actually, you guys should... maybe more security, but in different ways. Whatever, I don't really care. tcache, we could just do the thing, because really it wasn't about the tcache. It's about us doing use after free. This is our way of doing a double free, which I can't do... Okay. That's me telling you the end of the story. I like Zig Ziglar a lot. Ziglar says, when you're giving a talk, you say "I'm going to tell you what I'm going to tell you," then "I'm going to tell you what I just told you," you know.

Andy Novocin: So that's the reason why I didn't release the PCP today, because this one's annoying, and you're just not ready to think about it yet, you know. For you to really think about it and have a mental model where you can actually walk around doing the mental reps... I'm a big fan of mental reps with all this crap. You get to the place where you can imagine the payload in your head when you're not at a keyboard. Then you're at the stage of, like, really being a savant at it, right? Because now, all of a sudden, you can be doing loops all the time, while other people can only do it when they're in their VM, you know, and if you can do the loops in your head while you're walking around, now you're just 10 times more effective than somebody who's stuck at the keyboard, you know. You can do it while you're driving, you know. It's fine. Maybe don't be that distracted. But it is okay. It's subconscious and stuff. You'll dream in exploits.

Andy Novocin: Okay. So here's what I want to do: I want to tell you kind of the stories of the heap a little bit more, just to expand our context just a little bit. And so first let's just talk about what our fastbins are.
Andy Novocin: Why are fastbins different than tcache bins? How are they similar to tcache bins? You know, what's going on here? So this is the world we've been living in. This is still the world we're going to live in. These are singly linked lists with a pointer going forward. Okay, excuse me. They end in a 0. They end in null, okay, cool. And just like in tcache, these linked lists are all going to be the same size, size, size, size. They're all the same size. Okay, they are made for speed.

Andy Novocin: This is the people who made the dynamic allocators. The reason malloc hook and free hook exist in the first place is that they were profiling the hell out of everything that anybody ever did. These things run the world. You delete it, your computer crashes. glibc runs all things. Because glibc runs all things, they just tracked how often are people, you know, malloc'ing chunks and freeing chunks, what size are the chunks, you know, are they changing sizes between the malloc and frees. You can find research and research papers like crazy from, you know, systems people talking about what the patterns are of dynamic memory allocation. And from all those patterns we've optimized our world, saying, hey, most of the time it's bullet hell. When it's bullet hell, I need a whole lot of chunks that are small, and I'm just going to reuse them all the time. It's like, you know, reusable casings or whatever. Not... the opposite of K-Cups. I don't know. The convenience of K-Cups with all the recycling green benefits. So my job is to, like, make stuff and then get it right back.

Andy Novocin: Okay. So tcache and fastbins are my ways of just saying, here's a bullet, your bullet's gone, reuse the bullet, and the bullet's gone. Not needing more memory. I'm going to take this much RAM.
It's going to be filled with 100 bullets. If you need more, fine, but probably you freed up enough before I get back to the 100. That kind of thing. Okay.

Andy Novocin: So what's a fastbin? Well, a fastbin is exactly the same as tcache bins, except tcache bins... I have a count in tcache bins. We're used to that: you can have at most 7 in there. There's this little counter that we've looked at, those 2 bytes or whatever we saw crank up, 1, 2, 3, 4. In fact, let's run today's playground thing, and just kind of, like, f with it a little bit. You know, not to trust me, you can see for yourself. My guy is... that's been there. There it is. All right, let's run it. gdb fastbin dup. This is the, so, you know, the program running the source code that we already have. I'm just going to hit run. Okay, create a chunk, index 0, 24. I'm hella bored already. Control-D. Let's do this with the playground in Python. There we go.

Andy Novocin: Going to malloc 9 things and free 9 things, for those in the back. There you go. Malloc 9 things and free 9 things, and I just want to see where they go in the bins and stuff like that. Run tmux first. python3 -i exploit. Control-C. Bins... what? You mean fast? Good. Control-C. All right. I probably just say Control-C too much. Okay. So what did I do? I'm now, like, 9 small chunks, 0x20 size, the smallest size, and then I free all 9. What happened to you, my mind? Well, 7 of them lived in the tcache. And once they pass 7 they stop putting them in the tcache. And where do they go next? They go to the fastbins. Fastbins are tcache overflow. Why?
Well, remember that these are for your, like, thread-safe process. I've got a whole bunch of threads on a Mac, in parallel, with... in my memory, whatever, it's like, this one, it's all on tcache. This one's going to share. So it's spinning up a bunch of threads in parallel processing. Every time I write one of these I have to lock it, you see, while nobody else can access it. Now they're waiting to get access to it. See again, I unlock it, now they can get access. So these ones are shared over all the threads, so I needed something that, like, wow, is parallel.

Andy Novocin: And now we've got 9 of these things scattered. Okay. If I look at them, here they are. All right, fine. No big deal. You can see the linked lists are happening. I'm playing with the 0x20s and things like that, except... okay. So what's the big difference in fastbin, tcache bin? There's, like, 3 or 4 that matter. And you guys look bored already, so, like, you know, I know, I want the dopamine hit, I want the dopamine hit. You know, it's cool. I'm saying stuff that's dry. But here's the big story I want to say.

Andy Novocin: Imagine that you care about memory fragmentation. All right, I've given you this much space, and you can use up that space 32 bytes at a time, and you can return it to me in any order you want. So you just take it all, and then you start to give it back to me, but you give it back to me in some stupid order, you know. And now I've got this linked list that's just jumping around all over in that space, and maybe I've got, like, a chunk of free space right here, or a chunk of free space over here, and none of it is, like, together, right? Which means now your dumb bullets prevented me from the next stage of the game, where I need to load it...
Andy Novocin: you know, like a whole 3D rendered model asset or something. Right now, all of a sudden, I have to ask the operating system for more memory, because the bullets are all that order. Andy Novocin: Okay. And all of a sudden I start turning your box into one that's hot and and your land party ends because you started a fire or whatever, and that like Hot Alley, you know, whatever. So all your computers circle over over sweating because your the memory access is like just burning up all the RAM. Andy Novocin: Okay. Andy Novocin: So imagine that you care about that level of fragmentation because you're a studio, a video game. Andy Novocin: If t cash didn't stop me at 7, Andy Novocin: and I just make these chunks all over the place. Then certainly users could just Andy Novocin: brag the hell out of my memory Andy Novocin: with me on that idea, like I just ask for a 1,000 bullets, and I freedom in a random order. Andy Novocin: All of a sudden I got linked list everywhere, and they're not touching each other. There's gaps everywhere, whatever. I can make it as bad as I want mathematics. Andy Novocin: Okay. So tea cash recognize that problem. They said, You know what? If I only give them like 7. That's enough based on all of our profiling. Whatever things like that. That's okay. And they won't. Get that bad, You know the worst you can do is like 6 chunks between them, or something like that. Andy Novocin: So so like we're just going to cap the number of it's always set. That's just based on like statistical profiling. They did. Andy Novocin: you know, like 7 7 will. Do you know, they're probably debated in their, you know Andy Novocin: Irc Channel, or whatever back in the day. Okay, set it. That's our home. Andy Novocin: Well take a look at this. If I go nuts on this. Andy Novocin: let's push that to its extreme. I did. 9. Here. let's go. 99. Andy Novocin: Okay. Andy Novocin: What will happen with 99? Andy Novocin: I Good. Andy Novocin: Well. 
here, my visualization gives me a dot dot dot. All right? Why? Because you've got 99,
Andy Novocin: 92 of them end up in the fastbin, all here. Okay. So the reason for that cap on the thread, on the tcache, is that,
Andy Novocin: you know, I don't want to fragment the hell out of you, whatever,
Andy Novocin: but there is no such cap on the fastbins. I mean, you know, just, if I have a 1,000 bullets, like a 1,000 chunks, make it as bad as you want to make it mathematically.
Andy Novocin: Okay, do you know what they do to fix this? It's interesting.
Andy Novocin: Let me fix this.
Andy Novocin: Let's look at this in the vis real quick.
Andy Novocin: That doesn't seem right.
Andy Novocin: Oh, it is right. It's just not showing me beyond this point.
Andy Novocin: If I say this, 256, maybe. Yeah, okay.
Andy Novocin: You're gonna see tcache, tcache, tcache. Hell, they don't even start labeling the fastbins after 8. They're like, okay, there's more than 8 fastbins out there. But all of these are now in the fastbin.
Andy Novocin: Okay. So all these chunks are everywhere. This is bullet hell, and you can imagine as many like free ones in there to make the picture as fragmented as you want. Okay, well, take a look. What happens if I run this program? Oh, I mean, continue this program,
Andy Novocin: and I do one more malloc?
Andy Novocin: Actually, that doesn't seem to be working. Okay, fine.
Andy Novocin: I'll do 98.
Andy Novocin: 98.
Andy Novocin: python3 -i x. That I have an extra character there.
Andy Novocin: Probably shouldn't like that.
Andy Novocin: It didn't mind. I don't know if he did, but it didn't mind
Andy Novocin: at
Andy Novocin: yeah, Ctrl-V, left. All right, I'm gonna go over here, and I will say malloc 99. And now I'm just gonna ask
Andy Novocin: for any size that is not currently available. Everything I did is 24. Now I'm going to ask for 40
Andy Novocin: and say, "Hi, there."
Andy Novocin: Okay.
Andy Novocin: Take a look. Did it break? Okay,
it looks broken.
Andy Novocin: It looks broken.
Andy Novocin: Okay. One more time.
Andy Novocin: I'll just do it right in here.
Andy Novocin: malloc 99, and I'll just ask for 40,
Andy Novocin: in effect.
Andy Novocin: Yeah,
Andy Novocin: that's fine. Maybe I need to do this in just like an opposite order.
Andy Novocin: Let's go from like 97 down to negative one by negative one. I'm gonna free these in the opposite order that they're done.
Andy Novocin: We'll see. We'll see if that matters.
Andy Novocin: Okay. We look good. We look good.
Andy Novocin: Not what I expected.
Andy Novocin: Yes, good, excellent. Oh, no, no, no, I'm wrong. I'm wrong.
Andy Novocin: Right? Right? Right?
Andy Novocin: Okay.
Andy Novocin: Not what I expected.
Andy Novocin: Shit. All right. Fine.
Andy Novocin: Here's what I expected to happen.
Andy Novocin: Take a look at this free flow chart.
Andy Novocin: This is how free should be thinking, and we'll see what I got wrong here in a second.
Andy Novocin: Oh, no! Let's look at the malloc flow chart. Okay.
Andy Novocin: If I ask you for something,
Andy Novocin: I asked for something small. In this case I asked for something of size 40. We lived in a world where I had 7 things of size 0x20 in the tcache, and
Andy Novocin: 92 things of size 0x20 in the fastbin. It says, hey, is your request size in my tcache range, from 0x20 to 0x420, or 0x410?
Andy Novocin: Is the appropriate tcache occupied? I'll get to see, that's great.
Andy Novocin: I asked for 30 or 40 or whatever. No, no such luck.
Andy Novocin: Okay, am I in the fastbin range? Yes. In the fastbin, is there a...? Nope.
Andy Novocin: Okay, fine.
Andy Novocin: Am I in the small bin range? Yes. Is there anything like that? No.
Andy Novocin: Oh, yeah, I am in the
Andy Novocin: This is like it.
Andy Novocin: and
Andy Novocin: well, that's nice.
Andy Novocin: I wanted it to do this.
Andy Novocin: This step is fascinating.
Andy Novocin: This is the step. Why? And it's just a matter of you imagining,
if you were a dynamic memory person, or whatever.
Andy Novocin: Fastbins will consolidate if there's too many.
Andy Novocin: That is to say, that you ask for something large, larger than this call,
Andy Novocin: then what it will do is it will go through all of those fast things, and it will check if their neighbors are free,
Andy Novocin: and it'll try and just stitch it all together in one giant chunk that it throws in the unsorted.
Andy Novocin: So the fastbins will occasionally just consolidate in order to clear up all those,
Andy Novocin: and that consolidation kind of prevents the fragmentation. With me on that?
Andy Novocin: All right. I used to call this the tale of the 5 bins, but learning all 5 bins up front is just too dry, and I try to make this with at least as little dryness as possible. But
Andy Novocin: it just gets harder. Okay. So this is what I did wrong. I requested something in the small bin range, which means that it skipped the consolidate fast. So what's the small bin range?
Andy Novocin: 0x3f0.
Andy Novocin: All right. So I just need to ask you for something a little bit larger, and then I'll get the story that I wanted.
Andy Novocin: 0x3f0. I'll do 0x420.
Andy Novocin: Okay.
Andy Novocin: Boom. Look at that. Fastbins are clear.
Andy Novocin: And now there's a big hunk in the unsorted bin. All right. So all 92 of those things, and it made it just one big chunk, and then threw that in the unsorted bin.
Andy Novocin: Okay, cool. Wacky. Why am I telling you all this stuff?
Andy Novocin: Well,
Andy Novocin: you've got to think like a dynamic memory allocator. You've got to think like a security specialist or whatever that's trying to balance, like, allowing the world to have the bullet hell games without burning up their views,
Andy Novocin: and in this case
Andy Novocin: tcache is limited, because, you know, it's just going to be
Andy Novocin: the 7-Eleven. It's just max 7, whatever. The fastbins, I can have as much as I want.
But I've got to,
Andy Novocin: yeah, as much as I want, but I have to do a little bit more work so the world doesn't go crazy burning up all your RAM all the time. Okay? And if I look at that,
Andy Novocin: take a look at what they did.
Andy Novocin: They threw all this stuff into the unsorted bin. Here's my chunk that I got. Oh, okay, this is even more interesting.
Andy Novocin: This is the chunk they handed back to me where I got to write "Hi, there."
Andy Novocin: Now that "Hi there" literally has an address at the back.
Andy Novocin: That "Hi there" does have an address inside of it, because it was once part of a chunk,
Andy Novocin: at first, and that address is a glibc address that isn't a heap address. That's a Walmart address.
Andy Novocin: Why would this formerly fastbin chunk have a glibc address in it that I just overwrote on accident?
Andy Novocin: Well, it has that glibc address because, what did it do? It consolidated all the fastbins, put it into the unsorted bin. The unsorted bin gives me glibc addresses, and then it grabbed a chunk for me from the unsorted bin,
Andy Novocin: or the user, what the user wanted. I asked for 0x420. They give me 0x420,
Andy Novocin: 0x430, fine, and
Andy Novocin: the part that was left over, they turned into a new chunk
Andy Novocin: kind of right in the middle of stuff. So now there's this other chunk of size 731 with 2 glibc addresses in it in the middle of all my fastbins.
Andy Novocin: Interesting.
Andy Novocin: Interesting. Okay. So that's consolidating, whatever, etc.
Andy Novocin: All right.
Andy Novocin: So what is the story that I want to, like, get across here? Why am I telling you all this stuff?
Andy Novocin: Here's kind of what I want to say.
Andy Novocin: When you think about fastbins versus tcache, they act the same way. Small little guys, you, you know, malloc, you free them. They all go into this linked list, singly linked list. It's a single link list, made for speed.
Andy Novocin: and
Andy Novocin: tcache has counts to fight fragmentation. Fastbins don't. The reason fastbins don't, or the reason fastbins are different, is that they're just like tcache, but you have to imagine a million of them,
Andy Novocin: you know, like the Mitch Hedberg joke, or whatever, like, I eat rice when I'm hungry and I want to eat a million things, you know.
Andy Novocin: So fastbin is just a million little tiny bins, and every once in a while they will consolidate if you ask for something too big.
Andy Novocin: All right, cool.
Andy Novocin: And now how big? 0x420, that's something.
Andy Novocin: Okay.
Andy Novocin: So fastbins do live in glibc, in the main arena. That's useful.
Andy Novocin: And they have these extra little security measures.
Andy Novocin: Okay, great.
Andy Novocin: Now, that whole story is why this vulnerability will live forever.
Andy Novocin: This will be in every version of glibc. Why? Because imagine that you had to go through a million small chunks to decide whether or not the one that you're freeing is one of those million.
Andy Novocin: It would make your game take forever. Every new bullet would now have an order-a-million, you know, computation to do, as you have to traverse a linked list.
Andy Novocin: Nobody's traversing linked lists in speedy times, you know.
Andy Novocin: So all that we can do is just kind of check. If, you know, maybe they'll do something more clever, they will, we'll check 5, you know. But if they're going to check 5, they might, you know, like, might as well only check one, because
Andy Novocin: the hackers will just go free A, free B, you know, and then free A again after, you know, whatever.
Andy Novocin: So this vulnerability exists.
It seems a little dumb, but it's not when you think about a million of them,
Andy Novocin: and parsing through a million-entry linked list to see if you've ever freed this address before ain't gonna happen in a low-level thing that makes the world run. All right, this is embedded stuff, you know.
Andy Novocin: Okay. So these flow charts,
Andy Novocin: they are the sort of iceberg of heap stuff, you know. To say, there are 5 types of bins.
Andy Novocin: We now know tcache and fast relatively well. So this was me just laying the foundation, and it was boring, just laying the foundation, so that when we dive into this stuff you've got a foundation now.
Andy Novocin: I don't think the retention rate on me saying boring stuff is gonna be that high, so go fart around Prior, do the baseline. Do the tcache poisoning from last week, now that you're done with project one or whatever, something like that. Have a margarita, okay, if it's legal, and then go and do a tcache. So if you're old enough,
Andy Novocin: you know, let your hair down for a moment, but get right back in and do this.
Andy Novocin: Okay, cool. I guess we kind of know unsorted bin too. There's like 3 bins we kind of know in a while:
Andy Novocin: fastbins, tcache, and unsorted, vaguely,
Andy Novocin: a doubly linked list connected back to glibc. That's all I really care about. Yeah.
Andy Novocin: Oh,
Andy Novocin: actually, probably a bit. That's a Chrome emergency buffer overflow patch.
Andy Novocin: Yeah, I mean,
Andy Novocin: the people who are good at this like to target Chrome.
Andy Novocin: Yes, exactly.
Andy Novocin: Yep. Yep. Yep. Yep.
Andy Novocin: Yeah, it's like, all right, upgrade ASAP.
Andy Novocin: Hey? Nice. There you go. I'd use a write-up. Yeah, I'm just like, I understand it, though.
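The policy the lecture walks through (tcache capped at 7 entries per size, fastbins uncapped, and a request above the small-bin range forcing the fastbins to consolidate into the unsorted bin) as an added toy model in Python. This is not glibc code and not the lecture's own script: the thresholds 0x410, 0x80 and 0x3f0, the chunk rounding, and the class and function names are simplified assumptions, and the leftover size it reports (it frees the 99 chunks in forward order, so the 92 fastbin chunks are contiguous) comes from the model, not from the real glibc run in the recording.

```python
"""Toy model of the lecture's allocator policy: tcache bins cap at 7 entries per
size, fastbins do not, and a request above the small-bin range makes malloc
consolidate the fastbins into the unsorted bin. Added illustration, not glibc
code: thresholds, chunk layout and names are simplified assumptions."""
from __future__ import annotations
from dataclasses import dataclass

TCACHE_MAX_COUNT = 7        # entries per tcache bin (assumed default of 7)
TCACHE_MAX_SIZE = 0x410     # largest chunk size tcache serves (model constant)
FASTBIN_MAX_SIZE = 0x80     # largest chunk size a fastbin holds (model constant)
SMALLBIN_MAX_SIZE = 0x3f0   # above this, malloc consolidates fastbins (model constant)


def chunk_size(request: int) -> int:
    """Round a user request up to a 16-byte aligned chunk size, header included."""
    return max(0x20, (request + 8 + 0xF) & ~0xF)


@dataclass
class Chunk:
    addr: int
    size: int


class ToyArena:
    def __init__(self) -> None:
        self.heap: list[Chunk] = []      # every chunk; in-use state is not tracked
        self.top = 0x1000                # start of the top (wilderness) chunk
        self.tcache: dict[int, list[Chunk]] = {}
        self.fastbins: dict[int, list[Chunk]] = {}
        self.unsorted: list[Chunk] = []

    def free(self, addr: int) -> str:
        """Send a freed chunk where this policy puts it; return the bin name."""
        c = next(ch for ch in self.heap if ch.addr == addr)
        if c.size <= TCACHE_MAX_SIZE:
            tbin = self.tcache.setdefault(c.size, [])
            if len(tbin) < TCACHE_MAX_COUNT:    # tcache takes the first 7 of a size
                tbin.append(c)
                return "tcache"
        if c.size <= FASTBIN_MAX_SIZE:          # fastbins have no such cap
            self.fastbins.setdefault(c.size, []).append(c)
            return "fastbin"
        self.unsorted.append(c)
        return "unsorted"

    def malloc(self, request: int) -> Chunk:
        """Simplified malloc flow: tcache, fastbin, (consolidate), unsorted, top."""
        size = chunk_size(request)
        if self.tcache.get(size):
            return self.tcache[size].pop()
        if size <= FASTBIN_MAX_SIZE and self.fastbins.get(size):
            return self.fastbins[size].pop()
        if size > SMALLBIN_MAX_SIZE:
            self.consolidate_fastbins()         # large request: stitch fastbins together
        for u in sorted(self.unsorted, key=lambda ch: ch.addr):
            if u.size >= size:
                self.unsorted.remove(u)
                return self._split(u, size)
        c = Chunk(self.top, size)               # nothing fits: carve from top
        self.top += size
        self.heap.append(c)
        return c

    def consolidate_fastbins(self) -> None:
        """Merge runs of address-adjacent free fastbin chunks into unsorted chunks."""
        fast = sorted((c for lst in self.fastbins.values() for c in lst), key=lambda c: c.addr)
        self.fastbins.clear()
        run = None
        for c in fast:
            self.heap.remove(c)
            if run is not None and run.addr + run.size == c.addr:
                run.size += c.size              # neighbor is free: absorb it
            else:
                run = Chunk(c.addr, c.size)
                self.heap.append(run)
                self.unsorted.append(run)

    def _split(self, u: Chunk, size: int) -> Chunk:
        """Carve `size` off the front; the remainder goes back to the unsorted bin."""
        if u.size - size >= 0x20:
            rest = Chunk(u.addr + size, u.size - size)
            u.size = size
            self.heap.append(rest)
            self.unsorted.append(rest)
        return u


def demo() -> dict:
    """The lecture's experiment: 99 small chunks freed, then a small and a large request."""
    arena = ToyArena()
    ptrs = [arena.malloc(24).addr for _ in range(99)]    # 99 chunks of size 0x20
    where = [arena.free(p) for p in ptrs]
    result = {"after_free": {"tcache": where.count("tcache"), "fastbin": where.count("fastbin")}}
    arena.malloc(40)                        # 0x30 chunk: small-bin range, fastbins untouched
    result["fastbin_after_small"] = sum(map(len, arena.fastbins.values()))
    big = arena.malloc(0x420)               # above 0x3f0: consolidation runs first
    result["big_chunk_size"] = big.size
    result["fastbin_after_large"] = sum(map(len, arena.fastbins.values()))
    result["unsorted_after_large"] = [c.size for c in arena.unsorted]
    return result
```

Calling `demo()` reproduces the shape of what the lecture shows: after the 99 frees the tcache bin holds 7 chunks and the fastbin 92; the request for 40 bytes (a 0x30 chunk) is served from the top and leaves the 92 fastbin chunks alone; the request for 0x420 (a 0x430 chunk) first merges the 92 adjacent chunks into one 0xb80 unsorted chunk, serves 0x430 from its front, and leaves a 0x750 remainder in the unsorted bin sitting in the middle of what used to be fastbin chunks. The model deliberately does not check whether a freed address is already in a bin, which is the speed-versus-safety trade-off the lecture describes; a defender reading real heap state should expect the same absence of a full-list check in the fastbin path.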
Introduction to fastbins
From Andrew Novocin April 17, 2023
Zoom Recording ID: 4159319948
UUID: XNHJCEH4T6a3DewAbRquVw==
Meeting Time: 2023-04-17 02:14:16pmGMT
Tags: Department Name: ECE; Date Established: April 17, 2023