Heap Hardening

The heap has been hardened since iOS 6 to prevent well-known attack strategies. This is specific to the zone allocator ( , used by , , ). Three mitigations were put in place:
 * Pointer validation
 * Block poisoning
 * Freelist integrity verification

Pointer Validation
The goal is to prevent invalid pointers from being entered into a zone's freelist. Additional checks are performed on pointers passed to . The same check is also performed as part of the validation of pointers in the freelist during allocation.

The pointer is verified to be in kernel memory ( - ). If  is set on the zone, no further validation is performed (currently , , ). If the pointer is within the kernel image it is allowed; otherwise it must lie within .

Block poisoning
The goal is to prevent UAF-style attacks. The strategy is to fill blocks with a sentinel value when they are freed. This is done by , called from , and only on selected blocks whose size is smaller than the processor's cache line size (32 bytes on A5/A5X devices); the selection can be overridden with the " ", " " and " " boot parameters.

Freelist integrity verification
The goal is to prevent heap overwrites from being exploitable. Two random values are generated at boot time: a 32-bit cookie for "poisoned blocks" and a 31-bit cookie (low bit cleared) for "non-poisoned blocks". Each value serves as a validation cookie for its kind of block.

Since iOS 6, the freelist pointer at the top of a free block is validated by . This check is done by . An encoded copy of the next pointer is placed at the end of the block, XORed with either the "poisoned cookie" or the "non-poisoned cookie".

The  ensures that  matches the encoded pointer at the end of the block, trying both cookies. If the poisoned cookie matches, the whole block is additionally checked for modification of the sentinel (0xdeadbeef) values; the kernel panics if either check fails. When the block is allocated, the next pointer and cookie are replaced by  to prevent a possible information leak.
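A constructed model of the check described in this section, written for this page and not taken from XNU: the cookies, the 32-byte block size and the next pointer are demo values, and a failed check returns a code where the kernel would panic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed demo values; the kernel draws both cookies at boot. */
#define POISON_COOKIE     0x7a4c9e51u          /* 32-bit, for poisoned blocks */
#define NONPOISON_COOKIE  (0x3d1b8c7au & ~1u)  /* low bit cleared */
#define SENTINEL          0xdeadbeefu
#define BLOCK_WORDS       8                    /* 32-byte block of 4-byte words */

enum check { FREELIST_OK = 0, FREELIST_BAD_NEXT, FREELIST_BAD_POISON };

/* Lay out a free block: next pointer at the top, next ^ cookie at the end,
 * and, for a poisoned block, the sentinel in every word in between. */
static void free_block_init(uint32_t blk[BLOCK_WORDS], uint32_t next, bool poison)
{
    blk[0] = next;
    for (size_t i = 1; i < BLOCK_WORDS - 1; i++)
        blk[i] = poison ? SENTINEL : 0;          /* 0 stands in for stale data */
    blk[BLOCK_WORDS - 1] = next ^ (poison ? POISON_COOKIE : NONPOISON_COOKIE);
}

/* The check made when a block leaves the freelist: the top pointer must agree
 * with the trailer under one of the two cookies, and a poisoned block must
 * still carry the sentinel throughout. XNU panics; here the kind is returned. */
static enum check free_block_validate(const uint32_t blk[BLOCK_WORDS])
{
    uint32_t next = blk[0], tail = blk[BLOCK_WORDS - 1];
    if (tail == (next ^ POISON_COOKIE)) {
        for (size_t i = 1; i < BLOCK_WORDS - 1; i++)
            if (blk[i] != SENTINEL)
                return FREELIST_BAD_POISON;      /* write into a freed block */
        return FREELIST_OK;
    }
    if (tail == (next ^ NONPOISON_COOKIE))
        return FREELIST_OK;
    return FREELIST_BAD_NEXT;                    /* freelist link was overwritten */
}

/* Build a block, optionally clobber one word the way a heap overwrite would,
 * and report what the validation sees. */
static enum check scenario(bool poison, int corrupt_word)
{
    uint32_t blk[BLOCK_WORDS];
    free_block_init(blk, 0x80001000u, poison);   /* constructed next pointer */
    if (corrupt_word >= 0)
        blk[corrupt_word] = 0x41414141u;
    return free_block_validate(blk);
}
```

Because the trailer is decoded with both cookies, a poisoned block whose interior was touched after free is caught even when its link is intact, while a damaged link fails for either kind of block.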