Notes on HackOlympus

Software Hardening

Mon, 15 Jun 2026 00:00:00 +0000

Memory Tagging

tag memory with unique “color” everytime malloc() or free() is called.
encode tag inside ptrs (returned by malloc) :
```
if pointer_tag != memory_tag:
 crash()
```

2 problems: performance (due to repeated checking). User inconvinience (buggy apps will straight up crash).
check if chip supports ADB adb shell grep mte /proc/cpuinfo
vulnerable to side-channel attacks
64 bit ARM pointer layout:

Bit: 63 60 59 56 55 0
 +--------------+--------------+---------------------------+
Pointer: | upper nibble | logical tag | actual virtual address |
 +--------------+--------------+---------------------------+
 4 bits

uint8_t logical_tag = (pointer >> 56) & 0xF;
we can allocate MTE memory/page by using PROT_MTE allocation tag in MTE supported hardware.
multiple behaviors possible in case of tag mismatch:

ignore - default mode.
synchronous - SIGSESV called right there and then when the mismatch happens and process halts.
asynchronous - SIGSEV is recorded and raised after process has ended. Memory access doesn’t occur. Not good for debugging, will not return fault address.
asymmetric mode :
- read with mismatched tag - handled synchronously
- write with mismatched tag - handled asynchronously

 if (pointer_tag != memory_tag) {
 if (operation == READ) {
 raise_precise_SIGSEGV_now();
 } else if (operation == WRITE) {
 record_pending_fault();
 continue_execution();
 }
}

References:

CP notes

Mon, 19 Jan 2026 18:28:12 -0700

Template

A common rule of thumb:

About $10^8$ operations per second

Rough feasibility guide ($n$ = input size):

$n$ upper bound	Possible complexities
$10$	$O(n!)$, $O(n^7)$, $O(n^6)$
$20$	$O(2^n \cdot n)$, $O(n^5)$
$80$	$O(n^4)$
$400$	$O(n^3)$
$7{,}500$	$O(n^2)$
$7 \cdot 10^4$	$O(n \sqrt{n})$
$5 \cdot 10^5$	$O(n \log n)$
$5 \cdot 10^6$	$O(n)$
$10^{18}$	$O(\log^2 n)$, $O(\log n)$, $O(1)$

Fundamental data structures

vector
multiset stores elements in sorted order and allows duplicates.

Key properties:

Logarithmic insertion and deletion
Efficient access to smallest or largest elements
Supports queries such as “largest value $\leq X$”

Use a multiset when:

Pwning

Mon, 19 Jan 2026 17:57:48 -0700

ROP

Stack pivoting

Commonly used in places where you can only execute 1 or 2 gadgets (basically limited gadget execution) mainly because there is some metadata on stack you can’t corrupt (in cases like FSOP) or stack size is small.

One gadget

one_gadget to pop shell GitHub

angrop

easilly find rop chain

GitHub

Heap

malloc never clears the user data unless calloc is used
glibc-2.32 onwards have safe-linking.

safe-linking

fd pointers in tcache and fastbins are mangled to make exploitation harder.
straight-forward principle: use randomness from ASLR to mangle ptrs.
heap leak is needed to break safe-linking.
target address should be 0x10 byte aligned

def mangle(pos, ptr):
 """
 pos: int = position of heap chunk
 ptr: int = ptr we need. This should be 0x10 byte aligned
 """
 return (pos >> 12) ^ ptr

tcache

The free bin is a single linked list (LIFO based).
Used to store small freed allocations .
7 allocations per bin.
ptr = malloc(size); free(ptr) with size <= 0x408 will go in tcache.
“thread” cache. So one tcache per thread.

NOTE-1: >= glibc-2.32 requires heap leak for breaking safe-linking.

Mon, 01 Jan 0001 00:00:00 +0000

Firefox notes

Mozilla graphics architecture

https://firefox-source-docs.mozilla.org/gfx/RenderingOverview.html