Object-oriented programming languages may support subtype polymorphism, allowing the reuse of constructs already defined in a data type within a subtype dependent on the data type. For example, a data type (e.g., a class according to which objects may be created) may define a virtual method that is inheritable by a subtype of the data type, but which may also be implemented differently by the subtype. However an object-oriented program may implement dynamic dispatch, determining which implementation of a method to invoke at runtime. Dynamic dispatching may be implemented by embedding a pointer within an object to a table of method addresses (a “virtual method table”).
Unfortunately, some malicious programmers may attempt to exploit the functionality enabled by dynamic dispatch of methods using a heap-spray attack. For example, an object may include a virtual method table that defines memory addresses of a member method. By overwriting the pointer within the object to the virtual method table with values that point to an area of the heap written to (i.e., “sprayed”) by an attacker, the attacker may hijack execution of a program to run shellcode.
In other cases, a design error of a program may lead to an object pointer being used after the object was deallocated. If the memory area previously containing the object is reallocated and sprayed by an attacker, the attacker may control the value of the pointer to the virtual method table and may point it to the malicious shellcode.
In one traditional attempt to prevent heap-spray attacks, memory within predetermined address ranges that are recognized as susceptible to heap-spray attacks may be marked as unusable. Unfortunately, this approach may be research-intensive, potentially leaving unnoticed exploitable address ranges and requiring reevaluation for different memory addressing schemes and/or instruction sets. Furthermore, memory marked as unusable may be wasted. Accordingly, the instant disclosure identifies a need for additional and improved methods for preventing heap-spray attacks.