In computer security, heap spraying is a technique used in exploits to facilitate arbitrary code execution. The part of the source code of an exploit that implements this technique is called a heap spray. In general, code that sprays the heap attempts to put a certain sequence of bytes at a predetermined location in the memory of a target process by having it allocate (large) blocks on the process's heap and fill the bytes in these blocks with the right values.
A heap spray does not actually exploit any security issues but it can be used to make a vulnerability easier to exploit. A heap spray by itself cannot be used to break any security boundaries: a separate security issue is needed.
Exploiting security issues is often hard because various factors can influence this process. Chance alignments of memory and timing introduce a lot of randomness (from the attacker's point of view). A heap spray can be used to introduce a large amount of order to compensate for this and increase the chances of successful exploitation. Heap sprays take advantage of the fact that on most architectures and operating systems, the start location of large heap allocations is predictable and consecutive allocations are roughly sequential. This means that the sprayed heap will roughly be in the same location each and every time the heap spray is run.
Exploits often use specific bytes to spray the heap, as the data stored on the heap serves multiple roles. During exploitation of a security issue, the application code can often be made to read an address from an arbitrary location in memory. This address is then used by the code as the address of a function to execute. If the exploit can force the application to read this address from the sprayed heap, it can control the flow of execution when the code uses that address as a function pointer and redirect it to the sprayed heap. If the exploit succeeds in redirecting control flow to the sprayed heap, the bytes there will be executed, allowing the exploit to perform whatever actions the attacker wants. Therefore, the bytes on the heap are restricted to represent valid addresses within the heap spray itself, holding valid instructions for the target architecture, so the application will not crash. It is therefore common to spray with a single byte that translates to both a valid address and a NOP or NOP-like instruction on the target architecture. This allows the heap spray to function as a very large NOP sled (for example, 0x0c0c0c0c is often used as non-canonical NOP)
Heap sprays have been used occasionally in exploits since at least 2001, but the technique started to see widespread use in exploits for web browsers in the summer of 2005 after the release of several such exploits which used the technique against a wide range of bugs in Internet Explorer. The heap sprays used in all these exploits were very similar, which showed the versatility of the technique and its ease of use, without need for major modifications between exploits. It proved simple enough to understand and use to allow novice hackers to quickly write reliable exploits for many types of vulnerabilities in web browsers and web browser plug-ins. Many web browser exploits that use heap spraying consist only of a heap spray that is copy-pasted from a previous exploit combined with a small piece of script or HTML that triggers the vulnerability.
Occasionally, VBScript is used in Internet Explorer to create strings by using the String function.
Though it has been proven that heap-spraying can be done through other means, for instance by loading image files into the process, this has not seen widespread use (as of August 2008).
In September 2012, a new technique was presented on EuSecWest 2012. Two CORE researchers, Federico Muttis and Anibal Sacco, showed that the heap can be sprayed with a very high allocation granularity through the use of technologies introduced with HTML5. Specifically, they used the low-level bitmap interface offered by the canvas API, and web workers to do it more quickly.
Detection and prevention
- The Nozzle project from Microsoft Research aims to detect and prevent heap spraying.
- BuBBle is another countermeasure which could be considered to detect and prevent an attack triggered after spraying the heap
- NOP slide or NOP sled, a technique which is complementary to heap spraying
- Heap feng shui, a technique for manipulating heap layout
- JIT spraying
- corelanc0d3r (December 31, 2011). "Exploit writing tutorial part 11 : Heap Spraying Demystified". Corelan Team. Retrieved 15 January 2014.
- "cami": telnetd exploit code
- eEye Digital Security - Research
- InternetExploiter 1: MSIE IFRAME src&name parameter BoF exploit
- InternetExploiter 3: MSIE .ANI file "anih" header BoF exploit
- InternetExploiter 2: MSIE DHTML Object handling race condition exploit
- FrSIRT - Microsoft Internet Explorer javaprxy.dll COM Object Vulnerability / Exploit (Security Advisories)
- FrSIRT - Microsoft Internet Explorer "Msdds.dll" Remote Code Execution / Exploit (Security Advisories)
- Roee Hay: Exploitation of CVE-2009-1869
- FireEye Malware Intelligence Lab: Heap Spraying with Actionscript
- Michael Sutton & Greg MacManus, Punk Ode—Hiding Shellcode in Plain Sight, Black Hat 2006
- HTML5 Heap Spray. EUSecWest 2012
- Nozzle project from Microsoft Research aims to detect and prevent heap spraying