Heap-Based Attacks and Defences (Lecture 6)


Description and Tags

36 question-and-answer flashcards covering heap attacks, use-after-free, heap spraying, and the main defensive techniques discussed in Lecture 6.


36 Terms

1

What region of memory is used for dynamically allocated data in a program?

The heap.

2

Which C standard library functions are commonly used to allocate and de-allocate heap memory?

malloc/calloc/realloc for allocation and free for de-allocation.

3

Name two heap-based control-hijacking attacks introduced in this lecture.

Heap spraying and use-after-free.

4

How does a simple heap overflow occur in the ‘user / adminuser’ example?

strcpy copies more bytes than allocated for user, overflowing into adminuser’s buffer and altering its data.

5

In memory layout terms, how do the heap and stack typically grow?

The stack grows downward (toward lower addresses) and the heap grows upward (toward higher addresses).

6

Why is heap spraying used by attackers?

To fill large areas of the heap with NOP sleds and shellcode so that an overwritten pointer can land reliably anywhere in the spray area.

7

What is a virtual table (vtable) in C++ and why is it a target for heap exploits?

A compiler-generated table of function pointers; if overwritten, it lets an attacker redirect virtual method calls to malicious code.

8

Describe the basic sequence of a use-after-free attack.

1) A pointer references heap chunk A. 2) A is freed. 3) A is re-allocated with attacker-controlled data. 4) The stale pointer is used, executing attacker-supplied code or data.

9

Which IE11 CVE discussed in class demonstrates a use-after-free triggered via form element reset?

CVE-2014-0282.

10

What common design mistake underlies many control-hijacking vulnerabilities?

Mixing data and control information in the same memory region.

11

List three general strategies to prevent control hijacking mentioned in the lecture.

1) Fix bugs through safe coding and audits, 2) Platform defences to block code execution, 3) Harden executables to detect tampering (e.g., canaries, shadow stacks).

12

What does DEP/NX do?

Marks pages such as stack or heap as non-executable to prevent injected code from running.

13

Which hardware bits are used to mark pages non-executable on AMD64, Intel x86, and ARM?

NX-bit (AMD64), XD-bit (Intel), XN-bit (ARM).

14

Why can Return-Oriented Programming (ROP) bypass DEP?

Because ROP reuses existing executable code snippets (gadgets) instead of injecting new code into non-executable regions.

15

What is Address Space Layout Randomisation (ASLR)?

A defence that randomises the base addresses of code, stacks, heaps, and libraries on each run so attackers cannot predict where code resides.

16

How many bits of randomness does Windows 8+ provide for ASLR on 64-bit processors?

24 bits.

17

What is a stack canary in StackGuard?

A secret value placed before the return address; if it changes when the function returns, the program aborts, signalling a stack smash.

18

Name two types of stack canaries and their key difference.

Random canary (random value per run) and terminator canary ({0, newline, linefeed, EOF} to stop string copies).

19

Which GCC option inserts stack canaries?

-fstack-protector (or -fstack-protector-all).

20

Which linker flag on Windows produces a table of safe structured exception handlers?

/SAFESEH.

21

What is SEHOP and what problem does it address?

Structured Exception Handler Overwrite Protection; it ensures the SEH chain is intact to block attacks that overwrite exception handler pointers before canaries are checked.

22

Why are canaries not fool-proof? Give one reason.

Some attacks (e.g., heap overflows, integer overflows, SEH overwrites) can hijack control without altering the canary.

23

How can a crashing program unintentionally leak a canary value?

If the process is automatically restarted (forked) without re-randomising the canary, attackers can brute-force the canary byte-by-byte via repeated crashes.

24

What is a shadow stack and how does it defend against control-flow hijacking?

A protected copy of return addresses; on a function return, the CPU compares the real return address to the shadow copy and aborts on mismatch.

25

Which Intel technology natively supports shadow stacks?

Intel CET (Control-flow Enforcement Technology).

26

Explain how memory tagging can prevent both buffer overflows and use-after-free.

Each memory chunk and pointer carries a tag; on access, tags must match, so out-of-bounds or stale pointers cause a tag mismatch exception.

27

What is the goal of Control Flow Integrity (CFI)?

To ensure every indirect branch or call targets only legitimate locations defined by the program’s control-flow graph.

28

What is Control Flow Guard (CFG) in Windows and what does it check?

A coarse CFI implementation that ensures indirect calls target valid function entry points marked in a bitmap.

29

Give two limitations of coarse CFI mechanisms like CFG or BTI.

1) They allow jumps to any valid but possibly unintended function, 2) Static analysis may miss valid targets, causing false positives or negatives.

30

Name two safe C library functions recommended over their insecure counterparts.

fgets instead of gets, and strncpy instead of strcpy.

31

What classic attack bypasses DEP by re-using existing library code rather than injecting new code?

Return-to-libc (or more broadly, Return-Oriented Programming).

32

How does /NXCOMPAT relate to DEP on Windows?

It is a linker flag indicating the binary is compatible with DEP (no need for executable stack/heap).

33

What are GS Cookies in Windows?

Microsoft’s implementation of stack canaries inserted by the compiler to detect stack buffer overflows.

34

Why might some applications legitimately require an executable heap despite DEP?

Just-In-Time (JIT) compilers need to generate and execute code at runtime, which requires write-and-execute permissions.

35

During heap spraying, what is the purpose of the NOP sled?

To create a large landing zone so that an imprecise jump into the sprayed area will slide down the NOPs into the actual shellcode.

36

What Windows platform defence verifies the presence of a dummy SEH record during exception dispatch?

SEHOP (Structured Exception Handler Overwrite Protection).