# Automatic Techniques to Systematically Discover New Heap Exploitation Primitives
*Insu Yun†, Dhaval Kapil‡, Taesoo Kim†*
*† Georgia Institute of Technology, ‡ Facebook*
## Abstract
This paper presents an automatic tool, ARCHEAP, to systematically discover unexplored heap exploitation primitives, regardless of their underlying implementations. The key idea of ARCHEAP is to let the computer autonomously explore the space, similar in concept to fuzzing, by specifying a set of common designs of modern heap allocators and root causes of vulnerabilities as models, and by providing heap operations and attack capabilities as actions. During the exploration, ARCHEAP checks whether combinations of these actions can potentially be used to construct exploitation primitives, such as an arbitrary write or overlapped chunks. As proof, ARCHEAP generates a working PoC that demonstrates the discovered exploitation technique.
## Heap background
* tcache: introduced in ptmalloc2 to improve performance with a per-thread cache; its security was improperly evaluated
## Heap Abstract Model
### Abstracting Heap Exploitation
1) Types of bugs. Four common types of heap-related bugs serve as the starting point for exploitation:
* Overflow (OF): Writing beyond an object boundary.
* Off-by-one (O1): Overwriting the last byte of the next consecutive chunk
* Off-by-one NULL (O1N): The same one-byte overwrite, but with a NULL (zero) byte
* Write-after-free (WF): Reusing a freed object.
* Arbitrary free (AF): Freeing an arbitrary pointer.
* Double free (DF): Freeing a reclaimed object.
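To make the taxonomy concrete, here is an added example (not code from the paper or the ARCHEAP project) of a small allocator-agnostic checker that labels each write or free in a constructed heap trace with the bug class it exhibits. Chunk addresses and the trace format are assumptions of this example; a write to a freed chunk is labeled WF before any bounds check is applied.

```python
"""Label heap operations with the bug classes OF, O1, O1N, WF, AF, DF.
Added example for these notes; addresses and trace format are constructed."""
from dataclasses import dataclass


@dataclass
class Chunk:
    addr: int
    size: int
    live: bool = True


class HeapTraceChecker:
    """Abstract heap model: tracks chunks returned by malloc and classifies
    each free/write, returning the bug label or None when it is benign."""

    def __init__(self):
        self.chunks = {}        # addr -> Chunk; freed chunks stay, marked dead
        self.next_addr = 0x1000  # constructed bump pointer, 16-byte aligned

    def malloc(self, size):
        addr = self.next_addr
        self.next_addr += (size + 15) & ~15
        self.chunks[addr] = Chunk(addr, size)
        return addr

    def free(self, ptr):
        c = self.chunks.get(ptr)
        if c is None:
            return "AF"         # pointer was never returned by malloc
        if not c.live:
            return "DF"         # chunk is already reclaimed
        c.live = False
        return None

    def write(self, ptr, offset, data):
        c = self.chunks.get(ptr)
        if c is None:
            return "AF"         # write through a pointer we never handed out
        if not c.live:
            return "WF"         # reuse of a freed object
        overflow = offset + len(data) - c.size
        if overflow <= 0:
            return None         # stays inside the object boundary
        if overflow == 1:       # exactly one byte into the next chunk
            return "O1N" if data[-1] == 0 else "O1"
        return "OF"


def run_trace(ops):
    """ops: list of ("malloc", size) / ("free", ptr) / ("write", ptr, off, bytes).
    Returns the label of each free/write, in order (None when benign)."""
    h, labels = HeapTraceChecker(), []
    for op in ops:
        if op[0] == "malloc":
            h.malloc(op[1])
        elif op[0] == "free":
            labels.append(h.free(op[1]))
        else:
            labels.append(h.write(op[1], op[2], op[3]))
    return labels
```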