"Nozzle" counteracting 'heap spraying' memory exploits

The goal of any attack is to get the targeted computer to run exploit code supplied by the attacker. To achieve this, two things must happen: the code must end up on the computer, and the computer must run it. The earliest type of memory exploit took advantage of stack buffer overflows. The newest, most popular weapon of choice for attackers is a technique known as "heap spraying," which works by allocating many objects containing the attacker's exploit code in the program's heap, the area of memory used for dynamic memory allocation. Many recent high-profile attacks, such as an Internet Explorer exploit in Dec 2008 and one against Adobe Reader in Feb 2009, were examples of heap spraying. Heap-spray attacks are difficult to detect reliably, but Microsoft researchers developed a tool called "Nozzle" for identifying them. At the 18th USENIX Security Symposium in Montreal, they presented the paper "Nozzle: A Defense Against Heap-spraying Code Injection Attacks" along with a live on-stage demo of their solution.
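The detection idea can be illustrated with a small heap scanner. The example below is added here and is not Nozzle's code: it is a constructed, simplified stand-in that only looks for long runs of single-byte x86 instructions (the filler a classic sled is made of), whereas Nozzle interprets every object as code and measures its reachable "attack surface"; the `SLED_OPCODES` set, the `min_sled` and `threshold` values, and both sample heaps are assumptions made for the illustration.

```python
from __future__ import annotations

# Constructed, simplified illustration of heap scanning for sprays; not Nozzle's code.
# Nozzle disassembles each heap object and measures how many bytes can flow, as valid
# code, to the object's end. Here we only measure runs of single-byte instructions.

# Single-byte x86 opcodes usable as sled filler (NOP, INC r32, DEC r32).
# These are ASCII '@'..'O' plus 0x90, so a long run of those letters in a benign string
# would be a false positive; Nozzle's control-flow analysis reduces such noise.
SLED_OPCODES = {0x90} | set(range(0x40, 0x50))


def sled_surface(obj: bytes) -> int:
    """Longest run of consecutive sled opcodes in one heap object, in bytes."""
    best = run = 0
    for b in obj:
        run = run + 1 if b in SLED_OPCODES else 0
        best = max(best, run)
    return best


def heap_attack_surface(heap: list, min_sled: int = 32) -> float:
    """Fraction of heap bytes held by objects whose sled run is at least min_sled.
    This mirrors a normalized attack surface: a few sled-like objects are normal,
    but a sprayed heap is dominated by them. min_sled is an assumed value."""
    total = sum(len(o) for o in heap)
    sledlike = sum(len(o) for o in heap if sled_surface(o) >= min_sled)
    return sledlike / total if total else 0.0


def is_heap_sprayed(heap: list, threshold: float = 0.5) -> bool:
    """Assumed alert rule: flag when sled-like objects hold >= threshold of heap bytes."""
    return heap_attack_surface(heap) >= threshold


# Constructed sample heaps (not captured from a real process).
BENIGN_HEAP = [b"Hello, heap!", bytes(64),
               b"<html><body>page</body></html>", b"\x01\x02\x03\x04" * 16]
# A spray: the same sled-like object allocated many times. INT3 (0xCC) stands in for
# whatever the sled would lead to; it is a breakpoint instruction, not a payload.
SPRAYED_HEAP = BENIGN_HEAP + [b"\x90" * 1024 + b"\xcc" * 16] * 200

if __name__ == "__main__":
    for name, heap in (("benign", BENIGN_HEAP), ("sprayed", SPRAYED_HEAP)):
        print(f"{name}: surface={heap_attack_surface(heap):.3f} "
              f"sprayed={is_heap_sprayed(heap)}")
```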

Full Article: Microsoft Research