
Automatic Heap Layout Manipulation for Exploitation of Javascript Interpreters


Daniel Kroening

Suitable for

MSc in Computer Science
Mathematics and Computer Science, Part C
Computer Science and Philosophy, Part C
Computer Science, Part C


In order to exploit a heap-based buffer overflow, an exploit developer must arrange the heap so that the object to be corrupted lies at a known offset after the source of the overflow. This has been automated for situations in which the starting state of the heap is known and the memory allocator behaves deterministically. However, the allocators found in the Javascript interpreters of modern web browsers behave non-deterministically. This project aims to develop automated heap layout manipulation for such situations. The goal will be to build a system that takes as input a proof-of-concept exploit that triggers memory corruption on the heap, and produces as output a new exploit that places an 'interesting' corruption target after the overflow source with a high degree of probability.
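As an added illustration (not part of this proposal or of the referenced DPhil work), the C program below makes the layout problem concrete: it measures the byte offset between a "source" buffer and a "target" buffer allocated after heap noise, and compares how often the target lands within reach of an overflow with and without a simple grooming step that drains the free holes of the relevant size class first. The request size, the noise model and the grooming count are assumptions chosen for glibc malloc; the success rates it prints will differ on other allocators, which is precisely the non-determinism the proposal is about.

```c
/* Added example, not from the proposal or the DPhil work it cites.
 * Measures how often a target allocation lands directly after an overflow
 * source on a noisy heap, with and without a "fill the holes first" grooming
 * step. Sizes and the noise model are assumptions written against glibc
 * malloc; the measured rates are allocator-dependent. */
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

#define REQ   56   /* request size; a 64-byte chunk on glibc (assumption) */
#define NOISE 512  /* random allocations made before the two of interest */
#define GROOM 256  /* same-size allocations used to drain free holes */

/* Byte offset from the start of the source buffer to the start of the target.
 * Negative means the target sits before the source, so a forward overflow
 * from the source cannot reach it. */
ptrdiff_t layout_distance(const void *src, const void *dst) {
    return (const char *)dst - (const char *)src;
}

/* 1 if writing overflow_len bytes starting at src reaches the target's data. */
int overflow_reaches(const void *src, const void *dst, size_t overflow_len) {
    ptrdiff_t d = layout_distance(src, dst);
    return d >= 0 && (size_t)d < overflow_len;
}

/* One trial: create constructed heap noise, optionally groom, then allocate
 * the source and the target and report whether the target is reachable. */
static int trial(int groom, size_t overflow_len) {
    void *noise[NOISE];
    void *filler[GROOM];
    /* Assorted request sizes so the noise leaves holes in several bins. */
    static const size_t sizes[] = {24, 56, 88, 120, 184, 248, 504};
    size_t i;

    for (i = 0; i < NOISE; i++)
        noise[i] = malloc(sizes[rand() % 7]);
    /* Free roughly half of them to leave holes of mixed sizes. */
    for (i = 0; i < NOISE; i++)
        if (rand() & 1) { free(noise[i]); noise[i] = NULL; }

    /* Grooming: allocate many chunks of our own size class so the free lists
     * for that class are empty and the next requests come from fresh,
     * contiguous memory rather than from scattered holes. */
    if (groom)
        for (i = 0; i < GROOM; i++) filler[i] = malloc(REQ);

    char *src = malloc(REQ);
    char *dst = malloc(REQ);
    int hit = overflow_reaches(src, dst, overflow_len);

    free(src);
    free(dst);
    if (groom)
        for (i = 0; i < GROOM; i++) free(filler[i]);
    for (i = 0; i < NOISE; i++) free(noise[i]);
    return hit;
}

/* Fraction of trials in which the target was within reach of the overflow. */
double success_rate(int trials, int groom, size_t overflow_len) {
    int hits = 0;
    for (int t = 0; t < trials; t++) hits += trial(groom, overflow_len);
    return trials > 0 ? (double)hits / trials : 0.0;
}

int main(void) {
    srand(1);  /* fixed seed so a run is repeatable on one machine */
    /* An 80-byte write into a 56-byte buffer crosses the 64-byte chunk
     * boundary and so can reach a target placed immediately after it. */
    printf("ungroomed: %.2f\n", success_rate(200, 0, 80));
    printf("groomed:   %.2f\n", success_rate(200, 1, 80));
    return 0;
}
```

The two printed rates are the quantity the proposed system is meant to drive towards 1: the ungroomed run shows how rarely two consecutive same-size allocations end up adjacent once the heap contains arbitrary holes, and the groomed run shows the effect of a fixed, hand-written manipulation. A browser's allocator adds allocations the attacker does not control between the two of interest, which is why a single fixed recipe like this one is not enough there.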

The proposed project will expand on the work of the listed DPhil student (Sean Heelan).

Prerequisites:

* (Required) Ability to comprehend large systems written in C++
* (Required) Familiarity with operating systems concepts such as virtual memory, heap allocators and low-level security vulnerabilities
* (Optional) Some knowledge of modern web browser internals
* (Optional) Some knowledge of exploitation of memory corruption vulnerabilities