What is a Heap Spraying Attack?

A method for helping to exploit weaknesses in computer systems is called "heap spraying." The reason it is known as "spraying the heap" is that it entails writing several bytes at different locations throughout the heap. Programmers are given access to a sizable pool of memory called the heap. 

 

To create a wall with the same color throughout, the fundamental concept is comparable to spray painting a wall. The heap is "sprayed" like a wall such that its whole memory "surface" is covered in bytes of a consistent "color," or color.

 

Because this form of attack often begins at a preset position in memory, the heap is exposed to it. The purpose of the attack is to make sure that the bytes may be used as the vector of another attack at a later time. 

 

A pointer reference can then be used by the malicious program to execute any code. The likelihood that the pointer references the code is extremely high if the code to be executed is splattered all over the heap. So, rather than being a genuine attack, the heap spray increases the likelihood that future vulnerabilities will be successful.

 

Heap spraying was initially recognized as a method in the early 2000s and is often carried out on the web browser. JavaScript, VBScript, and HTML5 are used to show heap spraying attacks.

 

Also Read | Everything About Cybersecurity Threats, Attacks and its Types

 

What are Heap spraying attacks?

 

A sort of cyberattack known as "heap spraying" involves the attacker using the capacity to write a string of bytes in the memory for the active application at multiple locations throughout the heap. The primary goal of the attack is to make sure that the bytes may be used later as the vector of a different attack.

 

Heap spraying is a method used in exploits to enable the execution of arbitrary code. The goal is to deliver a shellcode to a known location within the targeted application so that it may be executed by exploiting a weakness. The heap spray, a section of an exploit's source code, employs this approach.

 

Developers encounter several difficulties when implementing dynamic memory managers, such as heap fragmentation. Allocate memory in units with a predetermined size as a standard approach. A heap manager often has one or more reserved pools that are used to allocate these pieces along with its preferences for chunk size.

 

By continually forcing a targeted process to allocate memory with the necessary data block by block, heap spraying hopes that one of the allocations will result in shellcode being placed at the necessary address (without checking any conditions).

 

An existing vulnerability can be made easier to attack by using a heap spray, which itself does not exploit any security flaws. Understanding how attackers employ the heap spraying approach is crucial in order to know how to counter it. 

 

How Does Heap Spraying Technique work?

 

In a heap spraying attack, there are two main phases:

 

1. Allocation of memory stage. Many memory allocations in fixed-size chunks with the same content are continually made by some flows.

 

2. Completing the task. In one of these heap allocations, the process memory is in charge.

 

As you can see, a heap spray exploits approach resembles continuous spam in the form of uniformly sized pieces of the same material. One of these pieces receives control if a heap spraying attack is successful. The ability to create large amounts of memory in the target process, filling those allocations with similar data, is necessary for the malicious actors to carry out this attack.

 

The most typical heap spraying attacks target compromising web app weaknesses, therefore this criterion could appear too aggressive. An attack using a heap spraying technique might affect any program that supports scripting languages, such as Microsoft Office and its Visual Basic feature.

 

As a result, it makes sense to anticipate an attack in the context of a single flow given that scripts are often performed in a single flow. The use of programming languages is not the only way that attackers may carry out a heap spraying attack. Additionally, you may employ capabilities made available by HTML5 to spray the heap with very finely-grained allocations and load image files into the process.

 

When a flow fills the memory during the memory allocation step, suspicions are raised. You should consider whether there could be false positives, though. For instance, there can be scripts or code in your program, such as arrays or unique memory pools, that allot memory in a cycle. The likelihood that a script would allocate memory in the exact same heap pieces is low, yes. However, it is not a necessary condition for heap spraying.

 

It always makes sense to examine heap allocations, which have control over the process memory, so you should instead focus on the execution phase. As a result, we'll concentrate on allocated RAM that could include shellcode in our discussion.

 

You may look at the most recent flow allocations that allocated a certain memory chunk, including the nearby allocations in the flow, to tell the execution of the heap spray shellcode from the normal JIT code generation. Keep in mind that heaps always have the execute permission when memory is allocated, allowing attackers to employ the heap spraying approach.

 

Also Read | What is Attack Surface Management?

 

How to mitigate Heap spraying attacks?

 

We need to manage the process of gaining control over memory, implement hooks, and make use of other security methods to properly combat heap spraying threats.

 

The following three actions will protect your application against heap spray execution:

 

• NtAllocateVirtualMemory call interception

• Attempting to allocate executable memory unexecutable

• setting up a structured exception handler (SEH) to deal with exceptions that arise from the execution of non-executable memory

 

Let's now examine each stage in further detail:

---

How to mitigate Heap spraying attacks?

---

 

1. Getting memory access:

 

Both tracking the target process's memory allocation and spotting the use of dynamically allocated memory are necessary. The latter method presumes that memory allocated by heap spraying has to execute rights. 

 

When memory is attempted to be executed that has not been granted the execute permission and Data Execution Prevention (DEP) is enabled (for x64, it is always active by default), an exception access violation is produced.

 

Either a malicious shellcode may anticipate being run in an application without DEP (unlikely) or it can make use of a scripting engine that by default allocates memory in a heap with the execute permission.

 

The execution of malicious code can be stopped by intercepting an allocation of executable memory and rendering it inoperable in a way that the exploit that created it is unaware of. In this way, a system exception will be raised whenever the exploit believes it is safe to perform a spray and tries to give the sprayed heap control. Once everything is done, we may examine this system exception.

 

Let's first examine how memory work appears to a user mode process when it occurs in Windows. Following is a typical allocation for a large memory volume:

 

HeapAlloc > RtlAllocateHeap > NtAllocateVirtualMemory > Sysenter

 

Where:

 

• Allocating a block of memory from a heap is done by the methods HeapAlloc and RtlAllocateHeap.
• It's not recommended to call NtAllocateVirtualMemory directly because it's a low-level function that's a component of the NTDLL.
• It is possible to enter kernel mode by using the CPU instruction sysenter.
• If we are successful in replacing NtAllocateVirtualMemory, we will be able to monitor heap allocation activity in the process memory.

 

2. Applying hooks:

 

We'll use the mhook library to muck with how the target function, NtAllocateVirtualMemory, is executed. Both the original and the updated libraries are available.

 

The mhook library is straightforward to use: Calling Mhook SetHook is required to implement a hook that you must build with the same signature as the target function. A jmp instruction on the function body is used to replace the function prologue when hooks are to be used. You shouldn't encounter any difficulty if you've used hooks before.

 

3. Security mechanisms:

 

We can reduce heap spraying attacks using two security mechanisms: structured exception handling and data execution prevention.

 

The error management system used by the Windows operating system is called structured exception handling, or SEH. When an error occurs (such as division by zero), the application's control is transferred to the kernel, which locates a chain of handlers and calls each one one by one until the exception is "handled" by one of the handlers. In most cases, the kernel will subsequently permit the flow to resume its execution from the point at which the issue was discovered.

 

From the perspective of the process, DEP appears as the emergence of an SEH exception with the EXCEPTION ACCESS VIOLATION fault code during memory execution.

 

The two dangers for x86 apps are as follows:

 

• DEP can be disabled in the system settings.
• Two possible attack methods—handler indicator overwriting and stack substitution—are available since a reference to the list of handlers is maintained in the stack.
• x64 apps are exempt from these issues.

 

 

4. Preventing heap spraying attacks:

 

With the help of some codes, we were able to halt an application as it was using dynamic memory and obtain a history of recent allocations. We will use this data to determine whether our application has been attacked. Let's look at the first two stages of our heap spraying detection method:

 

We must first choose how many allocations to save and how many of them to examine in the event of an exception. Recall that we're only concerned with allocations that are the same size. Since it's unlikely that this is a heap spraying attack, we may permit a flow to continue running even if the memory in it was allocated in various sizes.

 

Furthermore, since a heap spraying attack necessitates continuous memory allocations, we can completely rule out the possibility of one when there are gaps in the boundaries of an allocation.

 

To identify heap spray, we must next choose the criteria. Searching for the same content across several memory allocations is a useful method for spotting heap sprays. Most likely, these repeating passages are shellcode copies. Let's take the example of 10,000 allocations with the same data for the same displacement. The best course of action in this situation is to begin your search from the position of the control-received allocation.

 

To eliminate pointless tests that might drastically slow down your application, we advise utilizing the method mentioned and paying attention to the following four criteria:

 

• Set the total amount of memory allocations that were stored for each thread.

 

• Set the minimum size for memory allocations that are preserved. One page-sized allocation that is intercepted will result in unreasonably saved RAM. Huge values chosen for a particular heap manager of a particular application are typically used in heap spraying operations. Hundreds and perhaps thousands of pages feel more pertinent.

 

• Decide how many most recent allocations will be examined in the event of an exception. 

 

• The efficiency of an application will decrease if we process too many allocations since each time dynamic memory is executed, we must read the contents of sizable areas, which will decrease app efficiency.

 

• Establish the shell coders intended minimum size. False positives will grow if the size of the code we're looking for is too little.

 

Conclusion:

 

Heap spraying is a method employed in exploits that entails writing a certain sequence of bytes at different locations inside a heap, or memory allocated for use by applications. The process is similar to spray painting a wall to make it all the same color: the heap is "sprayed" to distribute its bytes evenly throughout its full memory "surface."