Low-level attacks against heap and stack memory

Low-level attacks against heap and stack memory regions are techniques used by attackers to
exploit vulnerabilities in software, often with the goal of executing arbitrary code, gaining
unauthorized access, or causing a program to crash. Here’s an overview of common heap and
stack attacks:

1. Stack-Based Attacks

The stack is a region of memory used for storing local variables, function arguments, return
addresses, and control flow information. Stack-based attacks often involve manipulating this
memory to execute malicious code.

 Buffer Overflow:
o Description: A buffer overflow occurs when more data is written to a buffer (a
fixed-size block of memory) than it can hold. This overflow can overwrite
adjacent memory, including the return address of a function, which an attacker
can then manipulate to redirect program execution.
o Example: Overwriting the return address with a pointer to malicious code in the
buffer.
 Return-Oriented Programming (ROP):
o Description: ROP is an advanced technique where an attacker uses existing code
snippets, called "gadgets," within the program's memory. By chaining these
gadgets together, the attacker can achieve arbitrary code execution without
injecting new code, evading some defenses.
o Example: An attacker redirects execution flow to a series of carefully chosen
instructions ending in a return statement.
 Stack Smashing:
o Description: This is a specific type of buffer overflow where the goal is to
overwrite the return address on the stack to redirect the program's execution.
o Example: Injecting a malicious payload that overwrites the return address,
causing the program to jump to malicious code upon function return.
 Stack Pivoting:
o Description: In a stack pivot attack, the attacker redirects the stack pointer
(ESP/RSP) to another memory region (like the heap), effectively hijacking the
control flow.
o Example: Redirecting the stack pointer to a controlled buffer on the heap and
using it to manipulate function calls and returns.

2. Heap-Based Attacks

The heap is a region of memory used for dynamic memory allocation (e.g., with malloc in C).
Heap-based attacks exploit vulnerabilities in the way heap memory is managed.

 Heap Overflow:
 o Description: Similar to a buffer overflow, a heap overflow occurs when data
exceeds the allocated buffer in the heap, overwriting adjacent memory, which can
lead to arbitrary code execution or data corruption.
o Example: Overwriting function pointers or adjacent objects in the heap, leading
to execution of arbitrary code.
 Use-After-Free:
o Description: This occurs when a program continues to use memory after it has
been freed. If an attacker can reallocate the freed memory, they can manipulate
the program's behavior.
o Example: Reallocating a freed memory block with malicious data, causing the
program to execute code or perform actions with the attacker's data.
 Double-Free:
o Description: This vulnerability occurs when a program frees the same memory
location twice, which can corrupt the heap structure and lead to arbitrary code
execution.
o Example: An attacker can trigger a double-free vulnerability to overwrite critical
heap management structures (like free lists) and gain control over program
execution.
 Heap Spraying:
o Description: Heap spraying involves filling the heap with a large amount of data,
typically NOP sleds and shellcode, to increase the chances that a vulnerable
program will jump to the attacker's code.
o Example: Injecting large blocks of shellcode into the heap so that when a pointer
is dereferenced, it lands in the attacker’s code.
 House of Cards Attacks (Heap Exploits):
o Description: A class of heap exploitation techniques that manipulate heap
metadata (e.g., in ptmalloc or dlmalloc) to achieve arbitrary memory writes.
o Example: Exploiting vulnerabilities in the heap allocator to overwrite function
pointers or return addresses.

Mitigations and Defenses

To protect against these attacks, various mitigations have been developed:

 Stack Canaries: Special values placed between buffers and control data on the stack. If
an overflow occurs, the canary is altered, and the program detects the corruption before
any malicious code can execute.
 ASLR (Address Space Layout Randomization): Randomizes the memory address of
stack, heap, and other memory regions to make it difficult for an attacker to predict where
their payload will be executed.
 DEP/NX (Data Execution Prevention/No-Execute): Prevents execution of code in
certain regions of memory, such as the stack or heap, reducing the impact of code
injection attacks.
 Safe Unlinking: Ensures that heap management structures are checked for consistency
during operations like freeing memory, reducing the risk of exploitation via heap
manipulation.
Understanding these attacks is crucial for developing secure software and implementing
appropriate defenses to mitigate the risks associated with low-level memory manipulation.