1. Field of the Invention
This invention relates to electronic data processing. More particularly, this invention relates to security arrangements for protecting computers or computer systems against unauthorized activity.
2. Description of the Related Art
The meanings of certain acronyms and abbreviations used herein are given in Table 1.
TABLE 1Acronyms and AbbreviationsASLRAddress Space Layout RandomizationCPUCentral Processing UnitDEPData Execution PreventionI/OInput/OutputNLSNational Language SupportNOPNo Operation
Memory corruption has been a consistently prevalent attack vector against various programs throughout software history. For example, computer instructions may be injected into a computer's memory that may either execute directly as malware, or may direct the processor to malware installed elsewhere. Such mechanisms include stack overflow or buffer overflow.
In response there has been progression of the security landscape. Various mitigations and protections such as address space layout randomization (ASLR) and data execution prevention (DEP) have been incorporated into the execution environment. Exploitation of vulnerabilities via memory corruption has in turn become a more contrived process, usually requiring several stages of preparation and execution in each attack, before execution can be diverted.
The heap, a portion of memory used for dynamic allocation, is common to many computer architectures and is used widely by operation systems and application programs. Heap management routines do not operate in a predefined order in contrast to stack management. Consequently, it is very difficult to maintain awareness of the state of the heap. The lack of an enforced heap management pattern constitutes a significant security vulnerability. Indeed, when the memory is randomized as in ASLR, identification of intrusive code in the heap becomes even more difficult.
A technique known as “heap spraying” exploits the vulnerability, and may be found in one or more stages leading to execution of unauthorized computer software. Essentially the technique involves distributing multiple copies of malicious code in the heap, typically in a random fashion. Heap spraying is a multi-purpose tool—it can be used to reduce entropy within a process memory space in order to limit the effectiveness of ASLR. It can be used to assume control of freed memory blocks as part of use-after-free vulnerabilities, and it can be used to distribute a payload within the memory space to increase the likelihood that the payload will become operational.
There have been a number of attempts to deal with heap spraying: U.S. Patent Application Publication No. 2010/0205674 proposes determining a vulnerability statistic by identifying potential sleds (series of NOP instructions) within the memory, and creating a statistic that is a ratio of the amount of potential sleds per the total memory. When the vulnerability statistic rises above a certain level, the system may alert a user or administrator to a high vulnerability condition.
U.S. Patent Application Publication No. 2012/0144486 describes detection of a heap spray attack when a script is received at an electronic device from a remote device via a network and a loop operation is detected in the script that contains a write operation operable to write data to a memory of the electronic device. The amount of the data operable to be written to the memory by the write operation is determined and the data is prevented from being written to the memory if the aggregate size of multiple copies of the data is greater than or equal to a threshold.
U.S. Patent Application Publication No. 2012/0222116 proposes installing a detection module into a web browser. The detection module patches or hooks all calls to the detection module in order to identify calls indicating a heap corruption exploit. The identified calls are then analyzed to determine whether a heap corruption exploit is occurring.