Learn, hack!

Hacking and security documentation: slides, papers, video and audio recordings. All in high-quality, daily updated, avoiding security crap documents. Spreading hacking knowledge, for free, enjoy. Follow on .

Zero-sized heap allocations vulnerability analysis

File name
File size
803.0 MB

The dynamic memory allocator is a fundamental component of modern operating systems, and one of the most important sources of security vulnerabilities. In this presentation, we emphasize on a particular weakness of the heap management that has proven to be the root cause of many escalation of privilege bugs in the windows kernel and other critical remote vulnerabilities in user-land applications. The problem is not specific to any operating system and is present in both user-land and kernel-land allocators. The presentation is divided into three parts. First, we will reveal the exact nature of the weakness and provide a taxonomy of all tested operating systems (both in the Windows and UNIX world, most of them are exposed). We then present a custom static analyzer for this class of defects based on the HAVOC framework, a heap-aware verifier for C programs, developed in the RISE team at Microsoft Research. We have deployed the analyzer on multiple kernel components, some of them reaching one million lines of C code. The analyzer produces a reasonable amount of warnings without any complex configuration. Finally, we generalize our analysis technique by characterizing what happens when the size of heap chunks is in the neighbourhood of zero (e.g. near-zero allocations) and give another example of fixed remote bug. We emphasize that this weakness should not be considered as a new class of vulnerabilities (such as buffer overflow), but rather a new type of code defect in the same style as integer overflows, as many occurrences are legit and do not lead to a bug.

About us

Secdocs is a project aimed to index high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from interwebs.


Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.


To support this site and keep it alive, you can click on the buttons below. Any help is really appreciated! This service is provided for free, but real money is needed to pay bills.

Flattr this Click here to lend your support to: Keep live SecDocs for an year and make a donation at www.pledgie.com !