Heap overflow
{{Short description|Software anomaly}}
A '''heap overflow''', '''heap overrun''', or '''heap smashing''' is a type of [[buffer overflow]] that occurs in the [[Heap (programming)|heap]] data area. Heap overflows are exploitable in a different manner from [[stack overflow|stack-based overflows]]. Memory on the heap is [[C dynamic memory allocation|dynamically allocated]] at [[Runtime (program lifecycle phase)|runtime]] and typically contains program data. Exploitation is performed by corrupting this data in specific ways so that the application overwrites its own internal structures, such as [[linked list]] [[Pointer (computer programming)|pointers]].

The canonical heap overflow technique overwrites dynamic memory allocation linkage (such as <code>malloc</code> metadata) and uses the resulting pointer exchange to overwrite a program [[function pointer]]. For example, on older versions of [[Linux]], two buffers allocated next to each other on the heap could result in the first buffer overwriting the second buffer's metadata. If the in-use bit of the second buffer is cleared and its length is set to a small negative value (which allows null bytes to be copied), then when the program calls <code>free()</code> on the first buffer it will attempt to merge the two buffers into a single buffer. When this happens, the buffer that is assumed to be freed is expected to hold two [[Pointer (computer programming)|pointers]], FD and BK, in the first 8 bytes of the formerly allocated buffer. BK gets written into FD and can be used to overwrite a pointer.

==Consequences==
An accidental overflow may result in [[data corruption]] or unexpected behavior by any process that accesses the affected memory area. On [[operating system]]s without [[memory protection]], this could be any process on the system.
For example, a [[Microsoft]] [[JPEG]] [[Graphics Device Interface|GDI+]] buffer overflow vulnerability could allow remote execution of code on the affected machine.<ref>{{cite web |url = http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx |title = Microsoft Security Bulletin MS04-028, Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987) |website = [[Microsoft]] |date = 14 Sep 2004 |access-date = 29 Mar 2016}}</ref> [[iOS jailbreaking]] often uses heap overflows to gain [[arbitrary code execution]].

==Detection and prevention==
As with buffer overflows in general, there are three main ways to protect against heap overflows. Several modern [[operating system]]s, such as Windows and [[Linux]], provide some implementation of all three.
* Prevent execution of the payload by separating code and data, typically with hardware features such as the [[NX bit|NX-bit]]
* Introduce randomization so that the heap is not found at a fixed offset, typically with [[kernel (operating system)|kernel]] features such as ASLR ([[Address Space Layout Randomization]])
* Introduce sanity checks into the heap manager

Since version 2.3.6 the [[GNU C Library|GNU libc]] includes protections that can detect heap overflows after the fact, for example by checking [[Pointer (computer programming)|pointer]] consistency when calling <code>unlink</code>. However, those protections were almost immediately shown to be exploitable as well.<ref>{{cite web |url = http://packetstormsecurity.org/files/view/40638/MallocMaleficarum.txt |title = The Malloc Maleficarum |date = Oct 2005 |access-date = 24 April 2017}}</ref><ref>{{cite web |url = http://www.phrack.org/issues.html?issue=66&id=10 |title = MALLOC DES-MALEFICARUM |date = 2009 |access-date = 29 Mar 2016}}</ref> In addition, Linux has included support for [[ASLR]] since 2005, although [[PaX]] introduced a better implementation years before. Linux has also included support for the NX-bit since 2004.
[[Microsoft]] has included protections against heap-resident buffer overflows since April 2003 in [[Windows Server 2003]] and since August 2004 in [[Windows XP]] with [[Windows XP#Service Pack 2|Service Pack 2]]. These mitigations were safe unlinking and heap entry header cookies. Later versions of Windows such as [[Windows Vista|Vista]], Server 2008 and [[Windows 7]] include: removal of commonly targeted data structures, heap entry metadata randomization, an expanded role for the heap header cookie, a randomized heap [[base address]], [[function pointer]] encoding, termination on heap corruption and algorithm variation. Normal Data Execution Prevention (DEP) and ASLR also help to mitigate this attack.<ref name="Microsoft Security Research & Defense">{{cite web | url = https://msrc.microsoft.com/blog/2009/08/preventing-the-exploitation-of-user-mode-heap-corruption-vulnerabilities/ | title = Preventing the exploitation of user mode heap corruption vulnerabilities | publisher = Technet blog, Microsoft Security Research & Defense | date = 4 Aug 2009 | access-date = 29 Mar 2016}}</ref>

The most common detection method for heap overflows is online dynamic analysis.
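The "sanity checks in the heap manager" and the heap entry header cookies mentioned above share one idea: store a value next to the metadata that an overrun is likely to destroy, and check it before trusting the block again. The following is an added illustration, not code from the article or from any real allocator; the wrapper names (<code>guard_malloc</code>, <code>guard_check</code>, <code>guard_free</code>) and the cookie derivation are invented for the demo.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Header in front of every user buffer: requested size and expected cookie. */
typedef struct { size_t size; uint32_t cookie; } guard_hdr;

/* Hypothetical cookie scheme for this demo, derived from the block address so
 * neighbouring blocks differ.  Real heap managers mix in a random secret. */
static uint32_t make_cookie(const void *p) {
    return (uint32_t)((uintptr_t)p * 2654435761u) ^ 0xA5A5A5A5u;
}

/* Allocate size bytes bracketed by the header and a trailing copy of the cookie. */
void *guard_malloc(size_t size) {
    unsigned char *raw = malloc(sizeof(guard_hdr) + size + sizeof(uint32_t));
    if (!raw) return NULL;
    guard_hdr *h = (guard_hdr *)raw;
    h->size   = size;
    h->cookie = make_cookie(raw);
    memcpy(raw + sizeof(guard_hdr) + size, &h->cookie, sizeof h->cookie);
    return raw + sizeof(guard_hdr);
}

/* 0 if the trailing cookie is intact, 1 if the user buffer was overrun. */
int guard_check(const void *user) {
    const unsigned char *raw = (const unsigned char *)user - sizeof(guard_hdr);
    const guard_hdr *h = (const guard_hdr *)raw;
    uint32_t trailer;
    memcpy(&trailer, raw + sizeof(guard_hdr) + h->size, sizeof trailer);
    return trailer != h->cookie;
}

/* Free only when the check passes; a corrupted block is reported (1), not freed. */
int guard_free(void *user) {
    if (guard_check(user)) return 1;
    free((unsigned char *)user - sizeof(guard_hdr));
    return 0;
}

/* Constructed scenario: 11 characters plus NUL (12 bytes) copied into an 8-byte
 * buffer.  The write stays inside our padded allocation, so the demo itself is
 * well defined, yet it clobbers the cookie just as an overrun clobbers metadata. */
int demo_overrun(void) {
    char *buf = guard_malloc(8);
    if (!buf) return -1;
    strcpy(buf, "AAAAAAAAAAA");
    int caught = guard_free(buf);                /* 1: corruption detected */
    if (caught) free(buf - sizeof(guard_hdr));   /* reclaim for the demo only */
    return caught;
}
```

The check only fires when the overwriting bytes differ from the cookie, which is why real implementations derive the cookie from a per-process random secret rather than from a fixed or guessable value.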
This method observes the runtime execution of programs to identify vulnerabilities through the detection of security breaches.<ref>{{Cite book |title=Proceedings of the Second Workshop on Real, Large Distributed Systems: December 13, 2005, San Francisco, CA, USA |date=2005 |publisher=USENIX Association |isbn=978-1-931971-40-9 |editor-last=USENIX Association}}</ref>

==See also==
* [[Buffer overflow]]
* [[Heap spraying]]
* [[Stack buffer overflow]]
* [[Exploit (computer security)|Exploit]]
* [[Shellcode]]

==References==
{{reflist}}

==External links==
* [http://phrack.org/issues/57/8.html#article Vudo malloc tricks]
* [http://www.h-online.com/security/features/A-Heap-of-Risk-747161.html Heap Overflow article at Heise Security]
* [http://www.ptsecurity.com/download/defeating-xpsp2-heap-protection.pdf Defeating Microsoft Windows XP SP2 Heap protection and DEP bypass] {{Webarchive|url=https://web.archive.org/web/20131101140750/http://www.ptsecurity.com/download/defeating-xpsp2-heap-protection.pdf |date=2013-11-01 }}

[[Category:Computer security exploits]]
[[Category:Software anomalies]]

[[de:Heap Overflow]]