
Heap Overruns

(Chapter 5, Public Enemy #1: The Buffer Overrun, pages 138–139; source file C05617228.fm, Thursday, October 24, 2002)

A heap overrun is much the same problem as a stack-based buffer overrun, but it’s somewhat trickier to exploit. As in the case of a stack-based buffer overrun, your attacker can write fairly arbitrary information into places in your application that she shouldn’t have access to. One of the best articles I’ve found is w00w00 on Heap Overflows, written by Matt Conover of w00w00 Security Development (WSD). You can find this article at http://www.w00w00.org/files/articles/heaptut.txt. WSD is a hacker organization that makes the problems they find public and typically works with vendors to get the problems fixed. The article demonstrates a number of the attacks they list, but here’s a short summary of the reasons heap overflows can be serious:

■ Many programmers don’t think heap overruns are exploitable, leading them to handle allocated buffers with less care than static buffers.

■ Tools exist to make stack-based buffer overruns more difficult to exploit. StackGuard, developed by Crispin Cowan and others, uses a test value—known as a canary after the miner’s practice of taking a canary into a coal mine—to make a static buffer overrun much less trivial to exploit. Visual C++ .NET incorporates a similar approach. Similar tools do not currently exist to protect against heap overruns.

■ Some operating systems and chip architectures can be configured to have a nonexecutable stack. Once again, this won’t help you against a heap overflow because a nonexecutable stack protects against stack-based attacks, not heap-based attacks.
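The following C program is an added illustration of the first point above and is not code from the book or from the w00w00 article. It models a heap region as one array holding two back-to-back 16-byte "allocations" (a constructed layout, so that the overrun stays well defined in C rather than trampling real allocator memory), copies an over-long input into the first allocation with an unbounded strcpy, and shows that the neighbouring allocation's data is silently overwritten even though no stack frame, return address or canary is involved. The hardened form beside it rejects input that does not fit and copies with an explicit bound. The buffer names, the "ADMIN=0" neighbour value and the 24-byte input are all assumptions made up for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a heap region: two "allocations" of CHUNK_SIZE
 * bytes laid out back to back, the way an allocator commonly places
 * consecutive requests. One array keeps the demonstration well defined;
 * overrunning a real malloc'd block is undefined behaviour. */
#define CHUNK_SIZE 16
static char heap_model[2 * CHUNK_SIZE];
static char *const name_buf  = heap_model;              /* first allocation  */
static char *const flags_buf = heap_model + CHUNK_SIZE; /* neighbouring one  */

/* Constructed input: 24 bytes, longer than the 16-byte allocation. */
static const char OVERLONG_INPUT[] = "AAAAAAAA" "AAAAAAAA" "AAAAAAAA";

/* Reset the model: empty name buffer, recognisable value in the neighbour
 * (a hypothetical application setting that must not be attacker-controlled). */
static void reset_heap_model(void)
{
    memset(heap_model, 0, sizeof heap_model);
    strcpy(flags_buf, "ADMIN=0");
}

/* Vulnerable form: unbounded copy into a fixed-size heap buffer.
 * Any input of CHUNK_SIZE bytes or more runs into the next allocation. */
static void copy_name_unchecked(const char *src)
{
    strcpy(name_buf, src);
}

/* Hardened form: reject input that does not fit (string plus its NUL),
 * then copy exactly the checked length. Returns 0 on success, -1 on reject. */
static int copy_name_checked(const char *src)
{
    size_t len = strlen(src);
    if (len >= CHUNK_SIZE) {
        return -1;
    }
    memcpy(name_buf, src, len + 1);
    return 0;
}

/* 1 if the neighbouring allocation still holds its original value, else 0. */
static int neighbour_intact(void)
{
    return strcmp(flags_buf, "ADMIN=0") == 0;
}

int main(void)
{
    reset_heap_model();
    copy_name_unchecked(OVERLONG_INPUT);
    printf("unchecked copy: neighbour now \"%s\" (intact=%d)\n",
           flags_buf, neighbour_intact());

    reset_heap_model();
    int rc = copy_name_checked(OVERLONG_INPUT);
    printf("checked copy: rc=%d, neighbour \"%s\" (intact=%d)\n",
           rc, flags_buf, neighbour_intact());
    return 0;
}
```

The unchecked copy leaves the neighbour reading "AAAAAAAA": the excess bytes land in whatever the allocator placed next, which is exactly why allocated buffers deserve the same care as static ones. Note that the hardened version checks the length before touching memory rather than relying on strncpy, whose silent truncation and missing terminator are themselves a common source of bugs.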
