How to Mitigate Heap Spraying Attacks?

Mar 22, 2022
4 min read


It is critical to ensure that your software is secure. Malicious actors continue to breach programs on all platforms by employing various malware and cybersecurity attacks. You must be aware of the most common attacks and devise strategies to counter them.

Virtual machines are an essential part of our current software infrastructure, including the web, and they're here to stay. Web browsers like Google Chrome and Mozilla Firefox use virtual machines to execute JavaScript code. Just-in-time compilers are used by Java Virtual Machines (JVMs) to compile Java byte code to machine code. However, as virtual computers become more popular, they are becoming more vulnerable to security threats. The heap spray attack is one example of this type of assault, in which the attacker fills the heap with malicious code and then uses a vulnerability to jump to the populated harmful code, allowing arbitrary code execution.

We will look at how we can mitigate heap spraying attacks. But before moving ahead, we must know what heap spraying techniques are.

So, let us dive in.

What are Heap Spraying Techniques?

Heap spraying is an old technique used to exploit vulnerable computer systems. It requires writing a succession of bytes at various locations in a heap, it's dubbed "spraying the heap." The heap is a big pool of memory that is set aside for applications to use. The basic concept is comparable to spray painting a room in a uniform colour. The heap is "sprayed," much like a wall, such that its "colour" (the bytes it contains) is evenly dispersed across its whole memory "surface."

A "heap" is a dynamic block of memory that a computer assigns to a specific program. The term "heap" comes from the fact that the computer dedicates a virtual pile of memory to the application. This is similar to the storage space in a closet or a desk. This heap of memory belongs to the program until it is released by the software or the operating system's collection code. The collection code is merely a failsafe mechanism for reclaiming memory if the program crashes or the software fails to release memory after it has finished using it.

Now that we know what heap spraying techniques are, Let us try to understand how they work.

How Do Heap Spraying Techniques Work?

Developers confront numerous issues when implementing dynamic memory managers, including heap fragmentation. A common technique is to allocate memory in fixed-size pieces. A heap manager usually has its own preferences for chunk size and one or more reserved pools for allocating these chunks. Heap spraying involves having a targeted process allocates memory with a needed content block by block, hoping that one of the allocations will place shellcode at the appropriate address (without checking any conditions).

A heap spray does not exploit any security flaws on its own, but it can be used to make an existing flaw easier to exploit.

Heap spraying is a technique that was first identified in the early 2000s and is commonly employed in the web browser. JavaScript, VBScript, and HTML5 are used to show heap spraying attacks.

Heap Spraying Attacks

Heap Spraying is a sort of cyberattack in which the attacker exploits the ability to write a series of bytes in memory for the running application at various locations throughout the heap. The assault's major goal is to ensure that the bytes may be accessible later as the vector for a second attack.

Procedure for Heap Spraying Attacks

  • The attacker first employs flaws in web browsers and other apps or languages such as Actionscript or Javascript in Adobe Reader to place the malicious code in the memory heap at a preset position.
  • Using the scripting support, the attacker further exploits the vulnerability. He accomplishes this by directing the Extended Instruction Pointer (EIP) to a predefined location.
  • As a result, the attacker can run the malicious code and conduct destructive conduct.

Mitigation for Heap Spray Attacks

Running web browsers with the fewest privileges makes it far more difficult for hackers to get administrative access, which helps to mitigate this attack. Also, update your web browsers on a regular basis to fix any known issues.

We must manage the process of gaining control over memory, attaching hooks, and employing other security methods to mitigate heap spraying threats successfully.

The following are the three stages to secure your application from heap spray execution:

  1. The NtAllocateVirtualMemory call is intercepted.
  2. Attempting to allocate executable memory while making it inexecutable
  3. Register a structured exception handler (SEH) to handle exceptions that occur when inexecutable memory is executed.

Prevention From Heap Spray Attacks

We'll take the following actions to counteract heap spraying attacks:

  1. Make a record of your allocations
  2. Detect the execution of shellcode
  3. Detect a spray

Make a Record of Your Allocations

We'll modify the PAGE_EXECUTE_READWRITE flag to PAGE_READWRITE to intercept the execution of dynamically allocated memory. The hook for NtAllocateVirtualMemory will be defined next. This hook will save allocations for which the PAGE_EXECUTE_READWRITE flag has been reset.

Any memory allocation that uses the PAGE_EXECUTE_READWRITE bit will be changed once the hook is set. When an attempt is made to pass control to this memory, the CPU throws an exception, which we can identify and investigate.

Detect the Execution of Shellcode

We'll now create a handler for the SEH. This is how this handler works in most cases:

  • Get the location of the instruction that threw an exception. Our activities have triggered this exception if this address belongs to one of the areas we stored. Otherwise, we can skip it and let the system find a relevant handler on its own.
  • Look for a product called heap spray. We must respond to a suspected attack if suspicious execution of dynamically allocated memory occurs. Otherwise, we'll need to restore things to their previous state so that the application can continue to function.
  • Using the NtProtect function (PAGE_EXECUTE_READWRITE), restore the region's original parameters.
  • Return command to the process flow.

Detect a Spray

We've halted an application in the middle of dynamic memory execution and acquired a history of the most recent allocations using the code above. We'll use this information to determine if our app has been hacked.

In this way, we prevent a heap spray attack from damaging our app.


Heap spray is a big problem when it comes to app security. There are a lot of things to look after, even when there are the slightest chances of a heap spray attack.

Hope you protect your app against these heap spray attacks utilizing the prevention methods we discussed.