Attacks that exploit a vulnerability in a client-side application are increasing. One type of attack uses a heap spray technique to facilitate arbitrary code execution: it fills a region of memory used for dynamic memory allocation with a sequence of data in order to compromise an application. Typically, a heap spray attack is implemented using a scripting language such as JavaScript or VBScript. The script creates large strings in which the same character(s) are repeated many times, up to the maximum length allowed by the scripting engine, and then concatenates shellcode at the end of each string. The shellcode typically includes malicious code such that, when the shellcode is executed, the application is compromised. By filling large blocks of memory with multiple copies of the same data, the heap spray technique increases the chance that the shellcode will be executed when a process associated with the application jumps to a location in that memory due to a vulnerability in the application.
Current solutions for preventing heap spray attacks include the use of pattern-based signatures and hash tables to detect possible malware. These techniques can only detect known attacks, because a detection signature must be written for each sample based on the evasion technique it uses. Additionally, attackers can easily avoid these detection mechanisms by using different code or programming-based evasion techniques.
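The following is an added example, not part of the original text and not the method of any particular product: a structural check that flags strings shaped like the spray buffer described above (a long, short-period repeated filler followed by a non-repeating tail) regardless of which characters the filler uses. The function names, thresholds, and sample strings are assumptions constructed for illustration.

```javascript
// Added example (hypothetical names; thresholds are assumptions, not from the text).
// Flags strings shaped like the spray buffer described above: a long filler that
// repeats with a short period, followed by a non-repeating tail.

// Length and period of the longest short-period repetition starting at index 0.
function repeatedPrefix(s, maxPeriod) {
  let best = { period: 0, length: 0 };
  for (let p = 1; p <= maxPeriod && 2 * p <= s.length; p++) {
    let i = p;
    while (i < s.length && s[i] === s[i - p]) i++;
    // Require at least two full repetitions; keep the smallest period on ties.
    if (i >= 2 * p && i > best.length) best = { period: p, length: i };
  }
  return best;
}

function inspectString(s, opts = {}) {
  const { minLength = 1024, minRatio = 0.9, maxPeriod = 8 } = opts;
  const run = repeatedPrefix(s, maxPeriod);
  const tailLength = s.length - run.length;
  const ratio = s.length ? run.length / s.length : 0;
  return {
    suspicious: s.length >= minLength && ratio >= minRatio && tailLength > 0,
    period: run.period, fillerLength: run.length, tailLength, ratio,
  };
}

// Constructed samples; the tails are inert placeholders.
const SAMPLES = {
  singleCharFiller: "A".repeat(4096) + "<TAIL-PLACEHOLDER>",
  twoCharFiller: "xy".repeat(3000) + "<TAIL-PLACEHOLDER>",
  benignList: Array.from({ length: 400 }, (_, i) => "item" + i).join(","),
  shortString: "A".repeat(64) + "tail",
};

for (const [name, value] of Object.entries(SAMPLES)) {
  const r = inspectString(value);
  console.log(name, r.suspicious, "period=" + r.period, "filler=" + r.fillerLength);
}
```

Legitimate padding or generated data can have the same shape, so a hit is a triage signal to combine with other evidence, not a verdict.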