S.H.I.E.L.D: Scudo Heap Implementation Exploits, Leaks, and Defenses
Tom Mansion | Day 1, 4:50pm - 5:35pm
Abstract
Everyone loves a good heap exploit—elegant, timeless, and deeply satisfying. But what happens when you take the game to Android userland applications?
Before Android 11, jemalloc was Android's default userland heap allocator, and it offered relatively straightforward exploitation opportunities. Android 11 replaced it with Scudo, a hardened allocator designed to shut down traditional heap-based attacks. While researchers have reverse-engineered Scudo and published unofficial documentation, little attention has been paid to developing new exploitation techniques against it.
This talk will introduce vulnerability researchers to the inner workings of Scudo, explaining its security principles, how it avoids the pitfalls of other allocators, and what exploitation techniques have been uncovered so far. We'll compare Scudo against ptmalloc2 (the well-known glibc allocator), break down successful attack strategies, and analyze how certain mitigations have evolved. Special attention will be given to Scudo's deployment on Android, particularly its integration with Zygote, which has unexpectedly enabled new exploitation techniques.
Finally, we'll dive into the cutting edge: what's left to exploit, where the cracks are forming, and how bypassing a key mitigation might be just within reach.
The Speaker(s)

Tom Mansion
I am a junior security researcher working at Quarkslab in France. I am also a passionate CTF player and I really enjoy heap exploitation.