Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

A Systematic Study of Elastic Objects in Kernel Exploitation

Yueqi Chen, Zhenpeng Lin, Xinyu Xing (CCS 2020)
  • The paper coins the term Elastic Objects for kernel heap objects whose allocation size is not fixed: they carry a length field and a buffer (inline or pointed to) whose size that field describes, so the same object type can be allocated from many different slab caches. Why is this important? If a vulnerability can corrupt the length field, the object's own read path will hand back more memory than it should, and being able to alter sizes like this is super useful for exploit development.
  • The first part of the paper identifies candidate fields (a length and the buffer it governs, with a path that copies that buffer back to userspace) to decide whether a structure is an Elastic Object. It then profiles which caches each candidate can be allocated into, which interfaces allocate and read it, and so on. Finally, constraint solving matches a given vulnerability's capability (which offsets and values it can write) against those candidates to figure out whether that bug can reach an elastic object's length field.
  • At first, when I heard about this paper, I thought it was all about finding buffers with a dynamic size in order to target them for buffer overflows. However, it is something quite different from that!
  • Heap objects whose length field an attacker can corrupt are incredibly useful for exploit development: once the length is overwritten with a larger value, the object's ordinary read interface copies out adjacent heap memory. In this case, the paper focused on bypassing KASLR (leaking kernel pointers) and leaking stack canaries, exactly the information a memory-corruption bug usually lacks on its own.
  • How to mitigate this type of exploitation? The authors propose moving elastic objects out of the general-purpose kmalloc caches into dedicated caches of their own, referred to as a shadow cache, so that an overflow or use-after-free on an unrelated object in a general cache can no longer reach an elastic object's length field.
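To make the mechanism concrete, here is an added user-space model (my own illustration, not code from the paper or its authors) of the attack the notes describe and of the cache-isolation defence. The slab layout, the `struct elastic` and `struct victim` shapes, the bug in `vuln_write`, and the "kernel pointer" and "canary" values are all constructed for the example; the only thing it mirrors faithfully is the read path trusting the object's own length field.

```c
/* Added example: a heap overflow that rewrites the length field of an
 * "elastic" object, turning a bounded write into an out-of-bounds read.
 * Everything below is a constructed model, not kernel code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SLOT 64                        /* modeled kmalloc-64 slot size */

/* Elastic object: a length field plus the data that field describes
 * (the shape of e.g. a kernel message object and its payload). */
struct elastic {
    uint32_t len;                      /* bytes the read path copies to userspace */
    uint8_t  data[];                   /* variable-size payload */
};

/* A neighbouring object holding what an attacker wants to leak. */
struct victim {
    uint64_t fn_ptr;                   /* constructed stand-in for a kernel text pointer */
    uint64_t canary;                   /* constructed stand-in for a stack canary */
};

#define KERNEL_PTR 0xffffffff81234560ULL   /* constructed values */
#define CANARY     0x1234567890abcd00ULL

/* Modeled general-purpose slab: slot 0 = object with the bug,
 * slot 1 = whatever the allocator placed next, slot 2 = victim. */
static _Alignas(16) uint8_t slab[3 * SLOT];
/* Modeled dedicated ("shadow") cache for elastic objects. */
static _Alignas(16) uint8_t elastic_cache[SLOT];

#define VULN_OBJ ((uint8_t *)&slab[0])
#define VICTIM   ((struct victim *)&slab[2 * SLOT])

/* The modeled bug: an unchecked copy into slot 0, so n > SLOT spills
 * into the first bytes of slot 1. */
static void vuln_write(const uint8_t *src, size_t n) {
    memcpy(VULN_OBJ, src, n);          /* intentionally unbounded */
}

/* Legitimate read path: trusts obj->len the way the kernel trusts its
 * own size field; only the user-supplied buffer size caps the copy. */
static size_t elastic_read(const struct elastic *obj, uint8_t *out, size_t out_cap) {
    size_t n = obj->len < out_cap ? obj->len : out_cap;
    memcpy(out, obj->data, n);
    return n;
}

/* Reset both arenas and place an 8-byte elastic object at `where`. */
static struct elastic *setup(void *where) {
    struct elastic *obj = where;
    memset(slab, 0, sizeof slab);
    memset(elastic_cache, 0, sizeof elastic_cache);
    obj->len = 8;
    memcpy(obj->data, "payload!", 8);
    VICTIM->fn_ptr = KERNEL_PTR;
    VICTIM->canary = CANARY;
    return obj;
}

struct leak { size_t bytes; uint64_t fn_ptr; };

/* Overflow slot 0 by exactly one length field, then read the elastic
 * object back through its normal interface. */
static struct leak attack(struct elastic *obj) {
    uint8_t spray[SLOT + sizeof(uint32_t)];
    uint8_t out[2 * SLOT] = {0};
    uint32_t big = SLOT + sizeof(struct victim);   /* reaches into slot 2 */
    struct leak r;

    memset(spray, 'A', SLOT);
    memcpy(spray + SLOT, &big, sizeof big);
    vuln_write(spray, sizeof spray);

    r.bytes = elastic_read(obj, out, sizeof out);
    /* When the elastic object sits in slot 1, victim.fn_ptr is
     * SLOT - sizeof(len) bytes past obj->data. */
    memcpy(&r.fn_ptr, out + SLOT - sizeof(uint32_t), sizeof r.fn_ptr);
    return r;
}

/* Elastic object in the shared slab, directly after the buggy object. */
struct leak leak_from_shared_cache(void) {
    return attack(setup(&slab[SLOT]));
}

/* Same bug, but the elastic object lives in its own cache, so the
 * overflow clobbers slot 1 without touching any length field. */
struct leak leak_from_isolated_cache(void) {
    return attack(setup(elastic_cache));
}

int main(void) {
    struct leak a = leak_from_shared_cache();
    struct leak b = leak_from_isolated_cache();
    printf("shared cache:   read %zu bytes, fn_ptr 0x%016llx\n",
           a.bytes, (unsigned long long)a.fn_ptr);
    printf("isolated cache: read %zu bytes, fn_ptr 0x%016llx\n",
           b.bytes, (unsigned long long)b.fn_ptr);
    return 0;
}
```

In the shared layout the 68-byte write only touches four bytes of the next slot, yet the read that follows hands back 80 bytes including the neighbouring pointer; in the isolated layout the identical write lands on a filler slot and the read stays at 8 bytes, which is the whole point of giving elastic objects a cache of their own.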