Read the Vmem paper by Bonwick: http://www.cs.dartmouth.edu/~sergey/cs258/bonwick01.pdf . Compare it with the earlier 1994 paper, http://www.cs.dartmouth.edu/~sergey/cs258/bonwick94.pdf , to see how the design developed from Kmem to Vmem.

====== Heap Exploitation Reading ======

--- Classic Techniques ---

The two classic Phrack papers that exploited malloc's boundary tags (see the Vmem paper for the boundary-tag design):

Phrack 57:9 "Once upon a free()": http://www.phrack.com/issues.html?issue=57&id=9
Phrack 57:8 "Vudo malloc tricks": http://www.phrack.com/issues.html?issue=57&id=8

A summary of these and other exploitation techniques:

Phrack 61:6 "Advanced Doug lea's malloc exploits": http://www.phrack.com/issues.html?issue=61&id=6
(The above refers to Doug Lea's allocator, described at http://g.oswego.edu/dl/html/malloc.html .)

--- Recent Advances ---

"Heap Feng-shui" by Alex Sotirov: http://www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf
(Explains how the memory allocator is an environment to be programmed with a series of memory allocation requests, shaping the heap's chunks into configurations amenable to attack.)

Phrack 68:10 "Pseudomonarchia jemallocum / The false kingdom of jemalloc, or On exploiting the jemalloc memory manager" by argp & huku: http://www.phrack.org/issues.html?issue=68&id=10
(Features exploitation of external boundary tags.)

--- more to follow ---