Ret2page: The Art of Exploiting Use-After-Free Vulnerabilities in the Dedicated Cache
Explore the art of exploiting use-after-free vulnerabilities in dedicated caches, including the impact of page order, migration, and allocation on page reclamation and replenishment.
- Slab pages have two types of allocators, slab and body, and can be allocated from free lists or specifically labels.
- Dedicated cache is designed for a specific type of object and cannot be merged with general cache.
- Cross-cache attacks can be used to allocate objects from general cache into dedicated cache, but are memory- and time-consuming.
- To refill a freed object, one can use indirect allocation or wait for the object to be reallocated.
- The page order and migration type can significantly impact page reordering and reclamation.
- To bypass KASLR mitigation, one can use page-controlled allocation and memory-mapped file.
- Object B cannot refill the freed object A if it is allocated from a different cache.
- The page order can be controlled by aligning the page with the allocated object.
- The memory space occupied by the slab page can be shrunk and expanded.
- The return of the invalid value error indicates a pipe error and can be used to refill the freed object.
- The dedicated cache can be exploited by using the fixed offset and guessing the color slide.
- labels like the fixed offset and guessing the color slide can be used to refill the freed object.
- The memory fragmentation can be mitigated by shrinking and expanding the memory space.
- The final slides will be made available on the author's GitHub later.