Philipp Mao, Elias Valentin Boschung, Marcel Busch, and Mathias Payer, EPFL
Awarded Best Paper!Most memory corruptions occur on the heap. To harden userspace applications and prevent heap-based exploitation, Google has developed Scudo. Since Android 11, Scudo has replaced jemalloc as the default heap implementation for all native code on Android. Scudo mitigates exploitation attempts of common heap vulnerabilities.
We present an in-depth study of the security of Scudo on Android by analyzing Scudo’s internals and systematizing Scudo’s security measures. Based on these insights we construct two new exploitation techniques that ultimately trick Scudo into allocating a chunk at an attacker’s chosen address. These techniques demonstrate — given adequate memory corruption primitives — that an attacker can leverage Scudo to gain arbitrary memory write. To showcase the practicality of our findings, we backport an n-day vulnerability to Android 14 and use it to exploit the Android system server.
Our exploitation techniques can be used to target any application using the Scudo allocator. While one of our techniques is fixed in newer Scudo versions, the second technique will stay applicable as it is based on how Scudo handles larger chunks.
Open Access Media
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
This content is available to:
author = {Philipp Mao and Elias Valentin Boschung and Marcel Busch and Mathias Payer},
title = {Exploiting {Android{\textquoteright}s} Hardened Memory Allocator},
booktitle = {18th USENIX WOOT Conference on Offensive Technologies (WOOT 24)},
year = {2024},
isbn = {978-1-939133-43-4},
address = {Philadelphia, PA},
pages = {211--227},
url = {https://www.usenix.org/conference/woot24/presentation/mao},
publisher = {USENIX Association},
month = aug
}
