Title: Detecting a heap spray attack
Abstract: Various techniques for exploit detection based on heap spray detection are disclosed. In some embodiments, exploit detection based on heap spray detection includes executing a program in a virtual environment, monitoring a heap of a memory while executing the program in the virtual environment, and detecting a potential heap spray attack based on detecting a burst allocation of a first plurality of blocks in the heap of the memory, in which each of the first plurality of blocks is stored in the predefined address range of the memory.
Publication number: US9202054(B1) Publication date: 2015.12.01
Application number: US201414301965 Filing date: 2014.06.11
Applicant: Palo Alto Networks, Inc. Inventors: Lu ChienHua; Qu Bo; Sanders Kyle
Classification: G06F21/56; G06F21/55; G06F21/52 Main classification: G06F21/56
Agency: Van Pelt, Yi & James LLP Agent: Van Pelt, Yi & James LLP
Main claim: 1. A system for exploit detection by detecting heap spray in memory, comprising: a processor configured to: execute a program in a virtual environment; monitor a heap of the memory while executing the program in the virtual environment; and detect a potential heap spray attack based on detecting a burst allocation of a first plurality of blocks in the heap of the memory, comprising: determine whether 1) each of the first plurality of blocks is stored in the predefined address range of the memory and 2) the first plurality of blocks in the heap of the memory exceeds a threshold size within a predetermined period of time; and in the event that 1) each of the first plurality of blocks is stored in the predefined address range of the memory and 2) the first plurality of blocks in the heap of the memory exceeds the threshold size within the predetermined period of time: calculate a hash of each of a second plurality of blocks allocated in the heap of the memory, wherein each of the second plurality of blocks is stored in the predefined address range of the memory; and detect a heap spray in memory based on the calculated hashes; a computer data storage coupled to the processor and configured to provide the processor with instructions.
Address: Santa Clara CA US
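
The two-stage check described in the main claim, as an added Python example (not code from the patent or from the applicant): a burst test over allocations inside the address range, followed by hashing of the in-range blocks. The address range, time window, size threshold and the duplicate-hash ratio used for the final decision are assumptions, since the record states none of them, and the allocation traces are constructed.

```python
import hashlib
from collections import Counter, deque

# All values below are assumptions for illustration; the patent record gives none.
ADDR_RANGE = (0x10000000, 0x20000000)   # hypothetical "predefined address range"
WINDOW_S = 1.0                          # hypothetical "predetermined period of time"
THRESHOLD_BYTES = 1 << 20               # hypothetical "threshold size" (1 MiB)
DUP_RATIO = 0.8                         # hypothetical share of identical blocks

def in_range(addr, size):
    return ADDR_RANGE[0] <= addr and addr + size <= ADDR_RANGE[1]

def burst_detected(events):
    """Stage 1: do in-range allocations exceed THRESHOLD_BYTES within WINDOW_S?"""
    window, total = deque(), 0
    for ts, addr, size, _ in sorted(events, key=lambda e: e[0]):
        if not in_range(addr, size):
            continue                    # blocks outside the range never count
        window.append((ts, size))
        total += size
        while window and ts - window[0][0] > WINDOW_S:
            total -= window.popleft()[1]   # drop allocations older than the window
        if total > THRESHOLD_BYTES:
            return True
    return False

def spray_detected(events):
    """Stage 2 runs only after a burst: hash in-range blocks, look for repeats."""
    if not burst_detected(events):
        return False
    hashes = [hashlib.sha256(data).hexdigest()
              for _, addr, size, data in events if in_range(addr, size)]
    top = Counter(hashes).most_common(1)[0][1]
    return top / len(hashes) >= DUP_RATIO

def make_trace(n, size, step_s, same_content):
    """Constructed allocation trace: n blocks of `size` bytes, step_s apart."""
    trace = []
    for i in range(n):
        fill = b"\x41" if same_content else bytes([i % 256])
        trace.append((i * step_s, ADDR_RANGE[0] + i * size, size, fill * size))
    return trace
```

A fast run of large allocations with distinct contents passes the burst test but is not flagged, which is the false-positive case the hashing stage is there to filter.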