Browse Prior Art Database

Disrupting heap spraying using randomized prefix memory allocation Disclosure Number: IPCOM000245775D
Publication Date: 2016-Apr-07
Document File: 2 page(s) / 74K

Publishing Venue

The Prior Art Database


A method for disrupting heap spraying using randomized prefix memory allocation is disclosed.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.

Page 01 of 2

Disrupting heap spraying using randomized prefix memory allocation

Disclosed is a method for disrupting heap spraying using randomized prefix memory allocation. This may be accomplished by intercepting the lowest level of memory manager.

Heap spraying is an auxiliary technique used for exploiting processes. The object of heap spraying is to make sure that a predetermined address in the process memory will contain data chosen by the attacker, in order to facilitate the next attack phase which is typically a return oriented programming (ROP) chain. In order to carry out a successful heap spraying, the attacker needs to have a good understanding of the memory manager which is available for spraying, so that the attacker can calculate the offsets

within the allocation units that will land at the predetermined address. One known attempt to thwart heap spraying is to randomize the heap base address. However, it may still be possible that the heap will "realign" itself back to the regular allocation offsets. This may occur naturally if the memory allocation unit are large enough (for example, memory pages).

In a Microsoft Windows environment, the native memory manager has interfaces

VirtualAlloc/VirtualAllocEx and VirtualFree. These allocation and free functions may be intercepted (hooked) to pass control to additional code that executes prior to running the native code. The additional code adds a random amount to the size requested and returns the memory location to the caller using the random quantity as an offset. The additional code for freeing the memory calculates the original allocation address from the offset address and invokes the original memory release routine for the original address. This achieves randomization of the allocation starting address from the perspective of the application. Using this approach, heap spraying is not be able to force a specific address to contain the desired data, due to the random offsetting.

A subset of "exploitable" processes (e.g. browsers, Adobe Acrobat PDF Reader,

Adobe Flash player, etc.) may be monitored or all processes may be monitored. Each new monitored...