Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Scudo is a hardened heap allocator that has the goal of preventing heap-based vulnerability classes. It is the default allocator for Android now-a-days. This article breaks down how the allocator works and the protections in place. First, they go over the primary allocator then through the secondary allocator, which are all chunks larger than 0x10010 that are allocated via mmap() directly.

Scudo is made up of blocks. The blocks are compromised of a header and a chunk. The chunk is the actual data while the header contains metadata and size information.

The allocations are done in regions; blocks of all the same size. Region 0 keeps track of a list of storage pointers within freelists. Between these regions are guard pages to prevent cross-region corruption

The allocator randomizes which blocks are returned from a given region. This makes exploitation harder because heap grooming becomes much more difficult. However, the authors note that there are ways to make it more reproducible in certain situations.

When freeing a block, verification is done on the header and the pointer that is returned. Once it's freed, the block enters a quarantine process to make the exploitation of UAFs harder.

For heap overflows we can mess with the header bytes. However, the verification of the chunk occurs on free() are quite strict. So, exploit developers can either create fake valid headers or simply not let the chunk go through free via the exploit plan.

Standard double frees are detected by the bits within the header of the chunk. However, free-reallocate-free is not caught at all. Use after frees are not caught either; although, there is the protection of the quarantine period.

Overall, good post on the allocator. I didn't put every single detail into this write up but put my important points and just wanted the page as a reference.