The Shadow over Android: Heap exploitation assistance for Android's libc allocator
Vasilis Tsaousoglou / Patroklos Argyroudis
Category: Exploit Development
Summary: The jemalloc allocator has been adopted as the default libc malloc(3) implementation on Android since version 5.0, and is being used up to the latest one (7.0 - Nougat). We have previously analyzed in depth memory corruption attacks against jemalloc as a standalone allocator and in the context of the Firefox browser. In this talk we will focus on presenting attacks against jemalloc as the main userland allocator of Android devices (smartphones and tablets). We have extended our jemalloc heap exploration and exploitation tool called 'shadow' to support Android (both ARM32 and ARM64), and we will be demonstrating its use on understanding the impact of heap corruption vulnerabilities and developing exploits for them. The new version of shadow (supporting Android ARM32/ARM64 and Firefox x86/x86-64) will be released as open source software along with the talk.