Writing Security Tools and Exploits

Chapter 4: Exploits: Heap

Introduction

In addition to stack-based overflows (discussed in Chapter 3), another important type of memory allocation is from the buffers allocated to heap overflows .

The heap is an area of memory utilized by an application and allocated dynamically at runtime. It is common for buffer overflows to occur in the heap memory space, and exploitation of these bugs is different from stack-based buffer overflows. Since 2000, heap overflows have been the most prominent software security bugs. Unlike stack overflows, heap overflows can be very inconsistent and have varying exploitation techniques and consequences. This chapter explores how heap overflows are introduced into applications, how they can be exploited, and how to protect against them.

Heap memory is different from stack memory in that it is persistent between functions, with memory allocated in one function remaining allocated until explicitly freed. This means that a heap overflow can occur but not be noticed until that section of memory is used later. There is no concept of saved EIP in relation to a heap, but other important things are stored in the heap and can be broken by overflowing dynamic buffers.

Simple Heap Corruption

As previously mentioned, the heap is an area in memory that is used for the dynamic allocation of data. During this process, address space is usually allocated in the same segment as the stack, and grows towards the stack from higher addresses to lower addresses. Figure 4.1 illustrates the heap and stack's relative positions in memory.


Figure 4.1:

UNLIMITED FREE
ACCESS
TO THE WORLD'S BEST IDEAS

SUBMIT
Already a GlobalSpec user? Log in.

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.

Customize Your GlobalSpec Experience

Category: Network Security Platforms
Finish!
Privacy Policy

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.