There are two types of overflows in computer programming, namely buffer overflow and heap overflow. In this post, our focus is on the second one i.e., the heap overflow. This is nothing but a variant of the buffer overflow, and this type of overflow occurs in the data area of the heap. The manner in which these overflows can be exploited is quite different from the exploitation methods of the stack – based overflows. The allocation of the heap memory takes place dynamically during the execution time of the application. It usually stores the program data. Specific ways are used for corrupting the data during exploitation. This results in the program overwriting the internal structures like the pointers in linked lists.
There is a technique called the canonical heap overflow technique that can be used for overwriting the malloc Meta data which is dynamic memory allocation linkage. The pointer exchange resulting because of this overwriting is used for overwriting the pointer of a program function. As an example for this, consider two Linux buffers allocated adjacent to each other on the data area of heap. When the data is written across the boundary of the first one, it causes the Meta data in the second to be overwritten. Here the in – use bit of the second buffer can be set to 0 and the length can be set to a negative value that is small enough to copy the null bytes. When the free() is called by the program with the first buffer, it will try to merge the two buffers as one. The buffer that will be freed will then hold the pointers BK and FD in 8 bytes. The FD contains the BK and can be used in pointer overwriting. But there are several reasons as to why this is not possible.
Below mentioned are the heap overflow consequences:
- Accidental overflow can cause the data to corrupt or the program to behave in an unexpected way. This can be caused by any process that uses the memory area that is affected from the overflow problem.
- The operating systems that have no protection for memory can be affected by any process.
- A deliberate exploitation of the overflow can cause the alteration of the data and the way a program using that data executes. An example is of the Microsoft JPEG GDI+ vulnerability MS04 – 028. Heap overflows are often used by the iOS jail breaking for gaining code to utilize it for the kernel exploitation.
There are three ways in windows and linux following which can prevent the occurrence of the heap overflows. The other operating systems do not provide all these three. These ways are:
- Preventing the payload execution by means of code and data separation with hardware features.
- Introducing randomization so that there is no fixed offset for the heap.
- Introducing sanity checks in the heap manager.
The GNU libc from version 2.3.6 and onwards comes with built – in protection for the heap overflows. It also has capability of detecting the overflows. For example, when the unlink function is called, it checks for the consistency of the pointer. However these protections hold good only for the old – mannered exploitations and so are not perfect for the modern operating systems. Linux includes support for the NX – bit and ASLR since 2004. The Microsoft OS comes with protection against heap overflows in windows XP, server 2003 and service packs. The later OS include the following:
- Heap entry meta data randomization
- Removal of the data structures that are commonly targeted.
- Randomized heap base address
- Algorithm variation etc.
There is a technique called the canonical heap overflow technique that can be used for overwriting the malloc Meta data which is dynamic memory allocation linkage. The pointer exchange resulting because of this overwriting is used for overwriting the pointer of a program function. As an example for this, consider two Linux buffers allocated adjacent to each other on the data area of heap. When the data is written across the boundary of the first one, it causes the Meta data in the second to be overwritten. Here the in – use bit of the second buffer can be set to 0 and the length can be set to a negative value that is small enough to copy the null bytes. When the free() is called by the program with the first buffer, it will try to merge the two buffers as one. The buffer that will be freed will then hold the pointers BK and FD in 8 bytes. The FD contains the BK and can be used in pointer overwriting. But there are several reasons as to why this is not possible.
Below mentioned are the heap overflow consequences:
- Accidental overflow can cause the data to corrupt or the program to behave in an unexpected way. This can be caused by any process that uses the memory area that is affected from the overflow problem.
- The operating systems that have no protection for memory can be affected by any process.
- A deliberate exploitation of the overflow can cause the alteration of the data and the way a program using that data executes. An example is of the Microsoft JPEG GDI+ vulnerability MS04 – 028. Heap overflows are often used by the iOS jail breaking for gaining code to utilize it for the kernel exploitation.
There are three ways in windows and linux following which can prevent the occurrence of the heap overflows. The other operating systems do not provide all these three. These ways are:
- Preventing the payload execution by means of code and data separation with hardware features.
- Introducing randomization so that there is no fixed offset for the heap.
- Introducing sanity checks in the heap manager.
The GNU libc from version 2.3.6 and onwards comes with built – in protection for the heap overflows. It also has capability of detecting the overflows. For example, when the unlink function is called, it checks for the consistency of the pointer. However these protections hold good only for the old – mannered exploitations and so are not perfect for the modern operating systems. Linux includes support for the NX – bit and ASLR since 2004. The Microsoft OS comes with protection against heap overflows in windows XP, server 2003 and service packs. The later OS include the following:
- Heap entry meta data randomization
- Removal of the data structures that are commonly targeted.
- Randomized heap base address
- Algorithm variation etc.
No comments:
Post a Comment