Infoscience (EPFL, École polytechnique fédérale de Lausanne)
 
conference paper

Exploiting Android's Hardened Memory Allocator

Mao, Philipp • Boschung, Elias Valentin • Busch, Marcel • Payer, Mathias
Editors: Doupé, Adam • Milburn, Alyssa
August 12, 2024
WOOT'24: Proceedings of the 18th USENIX Conference on Offensive Technologies
WOOT'24: 18th USENIX Conference on Offensive Technologies

Most memory corruptions occur on the heap. To harden userspace applications and prevent heap-based exploitation, Google has developed Scudo. Since Android 11, Scudo has replaced jemalloc as the default heap implementation for all native code on Android. Scudo mitigates exploitation attempts of common heap vulnerabilities.
We present an in-depth study of the security of Scudo on Android by analyzing Scudo's internals and systematizing Scudo's security measures. Based on these insights we construct two new exploitation techniques that ultimately trick Scudo into allocating a chunk at an attacker's chosen address. These techniques demonstrate that, given adequate memory corruption primitives, an attacker can leverage Scudo to gain arbitrary memory write. To showcase the practicality of our findings, we backport an n-day vulnerability to Android 14 and use it to exploit the Android system server.
Our exploitation techniques can be used to target any application using the Scudo allocator. While one of our techniques is fixed in newer Scudo versions, the second technique will stay applicable as it is based on how Scudo handles larger chunks.
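The mechanism the abstract describes, an allocator whose bookkeeping is corrupted until it hands out an attacker-chosen address so that an ordinary write into "fresh" memory becomes an arbitrary write, can be shown on a toy allocator. The program below is an added example; it is not code from the paper, it is not Scudo, and it does not reproduce Scudo's chunk layout or the paper's two techniques. The arena size, chunk size, inline free-list layout, the `toy_owns` range-and-alignment check and the overflow payload are all constructed assumptions chosen to make the failure mode and a hardening check visible in a few lines.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK   32      /* toy chunk size (assumption, not Scudo's) */
#define NCHUNKS 8       /* toy arena holds eight chunks (assumption) */

/* Toy allocator: equal-size chunks carved from one arena.  Free chunks form a
 * singly linked list whose "next" pointer is stored inline in the chunk body.
 * Inline metadata is exactly what an adjacent heap overflow can corrupt. */
struct toy_heap {
    uint8_t arena[CHUNK * NCHUNKS];
    void   *freelist;   /* head of the free list */
    int     hardened;   /* 1: validate list pointers before serving them */
};

static void toy_init(struct toy_heap *h, int hardened)
{
    memset(h, 0, sizeof *h);
    h->hardened = hardened;
    /* push chunks in reverse so chunk 0 is served first, chunk 1 second, ... */
    for (int i = NCHUNKS - 1; i >= 0; i--) {
        void *c = h->arena + i * CHUNK;
        memcpy(c, &h->freelist, sizeof(void *));
        h->freelist = c;
    }
}

/* The sanity check the hardened variant applies to metadata it is about to trust:
 * a free-list pointer must be a chunk-aligned address inside the arena. */
static bool toy_owns(const struct toy_heap *h, const void *p)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)h->arena, hi = lo + sizeof h->arena;
    return a >= lo && a < hi && (a - lo) % CHUNK == 0;
}

static void *toy_alloc(struct toy_heap *h)
{
    void *c = h->freelist;
    if (c == NULL)
        return NULL;
    if (h->hardened && !toy_owns(h, c))
        return NULL;    /* corrupted metadata: refuse instead of serving a foreign address */
    memcpy(&h->freelist, c, sizeof(void *));   /* pop: head = head->next */
    return c;
}

static void toy_free(struct toy_heap *h, void *c)
{
    memcpy(c, &h->freelist, sizeof(void *));   /* push: c->next = head */
    h->freelist = c;
}

/* Plays the attack once.  Returns 1 if the allocator handed out the attacker-chosen
 * address and the following "ordinary" write landed on the target, 0 otherwise. */
int run_attack(int hardened)
{
    static uint64_t target;     /* stands in for a function pointer or flag outside the heap */
    struct toy_heap h;
    target = 0;
    toy_init(&h, hardened);

    uint8_t *a = toy_alloc(&h);     /* chunk 0 */
    uint8_t *b = toy_alloc(&h);     /* chunk 1, directly after a */
    toy_free(&h, b);                /* b is free again: its first 8 bytes are now metadata */

    /* Constructed corruption primitive: a linear overflow out of a that runs into b
     * and replaces b's inline next pointer with the address of the target. */
    uint8_t payload[CHUNK + sizeof(void *)];
    void *fake_next = &target;
    memset(payload, 'A', CHUNK);
    memcpy(payload + CHUNK, &fake_next, sizeof fake_next);
    memcpy(a, payload, sizeof payload);

    (void)toy_alloc(&h);            /* returns b; the allocator now believes next == &target */
    void *victim = toy_alloc(&h);   /* unhardened: returns &target; hardened: NULL */
    if (victim == NULL)
        return 0;

    /* A benign-looking write into "freshly allocated" memory is now an arbitrary write. */
    uint64_t v = 0x4141414141414141ULL;
    memcpy(victim, &v, sizeof v);
    return target == v;
}

int main(void)
{
    printf("unhardened allocator: target overwritten = %d\n", run_attack(0));
    printf("hardened allocator:   target overwritten = %d\n", run_attack(1));
    return 0;
}
```

The unhardened run returns 1: the second allocation after the overflow is the address of `target`, and the write lands there. The hardened run returns 0 because the pointer pulled from the corrupted chunk fails the ownership check before it is served. Real allocators carry richer metadata (per-chunk headers, checksums, size classes, separate paths for large allocations), and the paper's point is that such checks can still be sidestepped given strong enough corruption primitives; the toy only shows why an allocator that trusts its own metadata is a write primitive waiting to happen.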

Type
conference paper
DOI
10.5555/3696933.3696948
Author(s)
Mao, Philipp
•
Boschung, Elias Valentin
•
Busch, Marcel  
•
Payer, Mathias  
Editors
Doupé, Adam
•
Milburn, Alyssa
Date Issued
2024-08-12
Publisher
USENIX Association
Publisher place
Berkeley, CA, United States
Published in
WOOT'24: Proceedings of the 18th USENIX Conference on Offensive Technologies
DOI of the book
10.5555/3696933
ISBN of the book
978-1-939133-43-4
Article Number
15
Start page
211
End page
227
Peer reviewed
REVIEWED
Written at
EPFL
EPFL units
HEXHIVE
Event name
WOOT'24: 18th USENIX Conference on Offensive Technologies
Event acronym
WOOT'24
Event place
Philadelphia, PA, USA
Event date
2024-08-12 - 2024-08-13

Available on Infoscience
April 4, 2025
Use this identifier to reference this record
https://infoscience.epfl.ch/handle/20.500.14299/248676
Infoscience is a service managed and provided by the Library and IT Services of EPFL. © EPFL, all rights reserved.