Steven Seeley (Senior Penetration Tester, Stratsec BAE)
PRESENTATION TITLE: Ghost in the Windows 7 Allocator
PRESENTATION ABSTRACT:
Windows 7 introduced many new security mechanisms regarding the use of the front end allocator. In an attempt to mitigate many of yesterday’s attacks, new, complicated functionality can be abused to place the heap manager into an unexpected state. With every new heap manager revision, security is often enhanced, minimizing specific metadata attacks and incrementally increasing their requirements. The metadata attacks of today now facilitate application data attacks directly.
This presentation will begin by detailing Windows XP and Windows 7 heap data structures and core algorithms. Following that, the author will walk through past (un)famous Windows heap exploitation techniques and present a new, undisclosed exploitation technique against the Low Fragmentation Heap known as the ‘depth De-sync/Offset match attack’.
ABOUT STEVEN SEELEY
Steven Seeley is a senior penetration tester and security researcher for Stratsec BAE, Australia. In his spare time, Steven conducts vulnerability research and enjoys reverse engineering. Lately, Steven has focused his research attention on discovering new attack vectors against Windows 7’s heap manager.