Many computer systems and software suffer from bugs, i.e., errors in programming, that result in security vulnerabilities. Attackers attempt to discover and exploit these vulnerabilities in order to elevate their privileges and perform unauthorized actions in the computer system. Such exploitation may include, for example, installing and running malicious programs, copying and/or deleting files, manipulating software functions, and possibly rendering the system completely non-operational. Vulnerabilities that may be exploited for such purposes include, but are not limited to, stack and heap buffer overflows, as well as other kinds of memory corruptions.
In a buffer overflow attack, the processor's execution may be redirected to some location within memory. An attacker may inject malicious code into memory and attempt to redirect execution to the location of that code. Due to advances in operating system design, such as address space randomization, however, the attacker may not know the exact location of the malicious code in memory. To improve their chances of reaching the address of the malicious code, attackers often prepend a sequence of no-operation (NOP) instructions, known as a “NOP-sled,” to the malicious code, so that execution beginning at any location within the NOP-sled will proceed into the malicious code.
Many operating systems use a memory heap for program execution, which allows processes to disperse objects at random locations within the heap. To increase the chances that a buffer overflow attack will work, attackers may inject many copies of malicious code, including NOP-sleds, at different locations in the heap. This sort of approach is known as “heap spraying.” In many heap spraying attacks, hundreds or thousands of NOP-sleds may be dispersed within the heap, increasing the chances that a random jump into memory will land on a sled and redirect execution to the malicious code.
Some methods for identifying and mitigating attacks of this sort are known in the art. For example, U.S. Patent Application Publication 2010/0205674, whose disclosure is incorporated herein by reference, describes a monitoring system for heap spraying attacks. The monitoring system analyzes system memory to determine a vulnerability statistic by identifying potential sleds within the memory, and creates a statistic that is a ratio of the amount of potential sleds per the total memory. When the vulnerability statistic rises above a certain level, the system may alert a user or administrator to a high vulnerability condition.
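The vulnerability statistic described above (potential sled bytes as a fraction of scanned memory) can be illustrated with a small scanner. The following is an added example written for this page; it is not code from the cited publication or from any product. It assumes an x86 single-byte NOP (0x90), a minimum run length of 32 bytes before a run counts as a potential sled, and an alert threshold of 5 percent; all three are constructed parameters, as is the sample memory image, whose "sprayed" half carries an inert text marker where a real spray would carry shellcode. A real detector would also recognise multi-byte NOP-equivalent instruction sequences; this one only counts single-byte runs.

```python
"""Toy NOP-sled scanner: finds long runs of NOP bytes in a memory image and
computes the ratio of sled bytes to total bytes, as a heap-spray indicator."""

from typing import Dict, List, Tuple

# Assumption: x86 single-byte NOP. Real scanners extend this with multi-byte
# NOP-equivalent sequences, which this toy does not model.
NOP_BYTES = frozenset({0x90})
MIN_SLED_LEN = 32       # constructed: shorter runs are treated as noise
ALERT_THRESHOLD = 0.05  # constructed: 5% of memory in sleds triggers an alert


def find_sleds(memory: bytes,
               min_len: int = MIN_SLED_LEN,
               nop_bytes=NOP_BYTES) -> List[Tuple[int, int]]:
    """Return (offset, length) for every maximal run of NOP bytes of at
    least min_len bytes. Runs shorter than min_len are ignored."""
    sleds: List[Tuple[int, int]] = []
    start = None
    for i, b in enumerate(memory):
        if b in nop_bytes:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                sleds.append((start, i - start))
            start = None
    # A run that reaches the end of the image is closed here.
    if start is not None and len(memory) - start >= min_len:
        sleds.append((start, len(memory) - start))
    return sleds


def sled_ratio(memory: bytes,
               min_len: int = MIN_SLED_LEN,
               nop_bytes=NOP_BYTES) -> float:
    """Vulnerability statistic: sled bytes divided by total bytes scanned."""
    if not memory:
        return 0.0
    sled_bytes = sum(length for _, length in find_sleds(memory, min_len, nop_bytes))
    return sled_bytes / len(memory)


def assess(memory: bytes, threshold: float = ALERT_THRESHOLD) -> Dict[str, object]:
    """Summarise a scan: number of sleds, the ratio, and whether it crosses
    the alert threshold that would notify an administrator."""
    sleds = find_sleds(memory)
    ratio = sled_ratio(memory)
    return {
        "sled_count": len(sleds),
        "first_sled_offset": sleds[0][0] if sleds else None,
        "ratio": ratio,
        "alert": ratio >= threshold,
    }


# Constructed sample images. BENIGN contains every byte value in turn, so
# 0x90 occurs only in isolated single-byte runs. SPRAYED appends ten copies
# of a 200-byte NOP run followed by an inert ASCII marker standing in for
# the code a real spray would carry.
BENIGN = bytes(range(256)) * 8
SPRAY_UNIT = b"\x90" * 200 + b"<placeholder>"
SPRAYED = BENIGN + SPRAY_UNIT * 10


if __name__ == "__main__":
    for name, image in (("benign", BENIGN), ("sprayed", SPRAYED)):
        report = assess(image)
        print(f"{name:8s} sleds={report['sled_count']:3d} "
              f"ratio={report['ratio']:.3f} alert={report['alert']}")
```

The scan is linear in the size of the image, which is what makes a periodic sweep of a process heap affordable; the threshold is the tuning point, since a higher value trades missed sprays for fewer alerts on memory that legitimately contains NOP padding between functions.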