Heap overflow
Encyclopedia
A heap overflow is a type of buffer overflow
that occurs in the heap data area. Heap overflows are exploitable in a different manner to that of stack-based overflows. Memory on the heap is dynamically allocated by the application at run-time and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked list pointers. The canonical heap overflow technique overwrites dynamic memory allocation linkage (such as malloc meta data) and uses the resulting pointer exchange to overwrite a program function pointer.
, this could be any process on the system.
A deliberate exploit may result in data at a specific location being altered in an arbitrary way, or in arbitrary code being executed.
The Microsoft
JPEG
GDI+
vulnerability MS04-028 is an example of the danger a heap overflow can represent to a computer user.
The iPhone 3Gs and the PS3 have both been exploited by heap overflows to allow homebrew
.
includes protections that can detect heap overflows after the fact, for example by checking pointer consistency when calling unlink. While those protections protect against old-style exploits, they are not perfect, as described in The Malloc Maleficarum, further described in Malloc Des-Maleficarum.
Microsoft Windows
operating systems implement protections against heap overflows since Windows XP SP2 such as safe unlinking and cookies. It also can mitigate these threats through the use of Data Execution Prevention
(DEP) and ASLR.
Other allocators such as the DHard (previously DieHard) allocator can be used to protected against heap overflows and reduces the likelihood of them having any effect on a running program.
Buffer overflow
In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety....
that occurs in the heap data area. Heap overflows are exploitable in a different manner to that of stack-based overflows. Memory on the heap is dynamically allocated by the application at run-time and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked list pointers. The canonical heap overflow technique overwrites dynamic memory allocation linkage (such as malloc meta data) and uses the resulting pointer exchange to overwrite a program function pointer.
Consequences
An accidental overflow may result in data corruption or unexpected behavior by any process which uses the affected memory area. On operating systems without memory protectionMemory protection
Memory protection is a way to control memory access rights on a computer, and is a part of most modern operating systems. The main purpose of memory protection is to prevent a process from accessing memory that has not been allocated to it. This prevents a bug within a process from affecting...
, this could be any process on the system.
A deliberate exploit may result in data at a specific location being altered in an arbitrary way, or in arbitrary code being executed.
The Microsoft
Microsoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...
JPEG
JPEG
In computing, JPEG . The degree of compression can be adjusted, allowing a selectable tradeoff between storage size and image quality. JPEG typically achieves 10:1 compression with little perceptible loss in image quality....
GDI+
Graphics Device Interface
The Graphics Device Interface is a Microsoft Windows application programming interface and core operating system component responsible for representing graphical objects and transmitting them to output devices such as monitors and printers....
vulnerability MS04-028 is an example of the danger a heap overflow can represent to a computer user.
The iPhone 3Gs and the PS3 have both been exploited by heap overflows to allow homebrew
Homebrew
Homebrew may refer to:* Homebrewing of alcoholic beverages and other drinks* Homebrew * Homebrew - A package manager for Mac OS X* Homebrew ** Wii homebrew...
.
Detection and Prevention
Since version 2.3.6 the GNU libcGNU C Library
The GNU C Library, commonly known as glibc, is the C standard library released by the GNU Project. Originally written by the Free Software Foundation for the GNU operating system, the library's development has been overseen by a committee since 2001, with Ulrich Drepper from Red Hat as the lead...
includes protections that can detect heap overflows after the fact, for example by checking pointer consistency when calling unlink. While those protections protect against old-style exploits, they are not perfect, as described in The Malloc Maleficarum, further described in Malloc Des-Maleficarum.
Microsoft Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
operating systems implement protections against heap overflows since Windows XP SP2 such as safe unlinking and cookies. It also can mitigate these threats through the use of Data Execution Prevention
Data Execution Prevention
Data Execution Prevention is a security feature included in modern operating systems.It is known to be available in Linux, Mac OS X, and Microsoft Windows operating systems and is intended to prevent an application or service from executing code from a non-executable memory region. This helps...
(DEP) and ASLR.
Other allocators such as the DHard (previously DieHard) allocator can be used to protected against heap overflows and reduces the likelihood of them having any effect on a running program.
External links
- http://doc.bughunter.net/buffer-overflow/heap-corruption.html
- Heap Overflow article at Heise Security
- Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass
See also
- Buffer overflowBuffer overflowIn computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety....
- Stack overflowStack overflowIn software, a stack overflow occurs when too much memory is used on the call stack. The call stack contains a limited amount of memory, often determined at the start of the program. The size of the call stack depends on many factors, including the programming language, machine architecture,...
- Stack buffer overflowStack buffer overflowIn software, a stack buffer overflow occurs when a program writes to a memory address on the program's call stack outside of the intended data structure; usually a fixed length buffer....
- Exploit
- ShellcodeShellcodeIn computer security, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine. Shellcode is commonly written in...