In computer security, heap spraying is a technique used in exploits to facilitate arbitrary code execution. The part of the source code of an exploit that implements this technique is called a heap spray.[1] In general, code that sprays the heap attempts to put a certain sequence of bytes at a predetermined location in the memory of a target process by having it allocate (large) blocks on the process's heap and fill the bytes in these blocks with the right values.
A heap spray does not actually exploit any security issues but it can be used to make a vulnerability easier to exploit. A heap spray by itself cannot be used to break any security boundaries: a separate security issue is needed.
Exploiting security issues is often hard because various factors can influence this process. Chance alignments of memory and timing introduce a lot of randomness (from the attacker's point of view). A heap spray can be used to introduce a large amount of order to compensate for this and increase the chances of successful exploitation. Heap sprays take advantage of the fact that on most architectures and operating systems, the start location of large heap allocations is predictable and consecutive allocations are roughly sequential. This means that the sprayed heap will roughly be in the same location each and every time the heap spray is run.
Exploits often use specific bytes to spray the heap, as the data stored on the heap serves multiple roles. During exploitation of a security issue, the application code can often be made to read an address from an arbitrary location in memory. This address is then used by the code as the address of a function to execute. If the exploit can force the application to read this address from the sprayed heap, it can control the flow of execution when the code uses that address as a function pointer and redirects it to the sprayed heap. If the exploit succeeds in redirecting control flow to the sprayed heap, the bytes there will be executed, allowing the exploit to perform whatever actions the attacker wants. Therefore, the bytes on the heap are restricted to represent valid addresses within the heap spray itself, holding valid instructions for the target architecture, so the application will not crash. It is therefore common to spray with a single byte that translates to both a valid address and a NOP or NOP-like instruction on the target architecture. This allows the heap spray to function as a very large NOP sled (for example, 0x0c0c0c0c is often used as non-canonical NOP[2])
Heap sprays have been used occasionally in exploits since at least 2001,[3] [4] but the technique started to see widespread use in exploits for web browsers in the summer of 2005 after the release of several such exploits which used the technique against a wide range of bugs in Internet Explorer.[5] [6] [7] [8] [9] The heap sprays used in all these exploits were very similar, which showed the versatility of the technique and its ease of use, without need for major modifications between exploits. It proved simple enough to understand and use to allow novice hackers to quickly write reliable exploits for many types of vulnerabilities in web browsers and web browser plug-ins. Many web browser exploits that use heap spraying consist only of a heap spray that is copy-pasted from a previous exploit combined with a small piece of script or HTML that triggers the vulnerability.
Heap sprays for web browsers are commonly implemented in JavaScript and spray the heap by creating large strings. The most common technique used is to start with a string of one character and concatenate it with itself over and over. This way, the length of the string can grow exponentially up to the maximum length allowed by the scripting engine. Depending on how the browser implements strings, either ASCII or Unicode characters can be used in the string. The heap spraying code makes copies of the long string with shellcode and stores these in an array, up to the point where enough memory has been sprayed to ensure the exploit works.
Occasionally, VBScript is used in Internet Explorer to create strings by using the String function.
In July 2009, exploits were found to be using ActionScript to spray the heap in Adobe Flash.[10] [11]
Though it has been proven that heap-spraying can be done through other means, for instance by loading image files into the process,[12] this has not seen widespread use (as of August 2008).
In September 2012, a new technique was presented on EuSecWest 2012.[13] Two CORE researchers, Federico Muttis and Anibal Sacco, showed that the heap can be sprayed with a very high allocation granularity through the use of technologies introduced with HTML5. Specifically, they used the low-level bitmap interface offered by the canvas API, and web workers to do it more quickly.