Exploiting Heap Overflows
Heap buffer overflow vulnerabilities are typically no more difficult to identify in source code than are stack buffer overflows, and their exploitation is proving to be as well understood as the exploitation of stack buffer overflow vulnerabilities. In rich applications, such as network servers and web browsers, where the remote attacker can influence heap allocation, skillful heap manipulation is extremely important for crafting reliable exploits, and a good understanding of how the heap works is crucial to being able to perform useful heap manipulations. In this chapter we will dissect the default Mac OS X heap implementation and describe how an attacker may manipulate it to exploit heap buffer overflows reliably.
The heap is a memory management facility used to support dynamically allocated memory. Chapter 7, “Exploiting Stack Overflows,” described the stack, which is used for automatically allocated memory, typically for local function variables. Memory for the function’s local variables stored in stack memory is automatically allocated when the function is called and automatically freed when the function returns. Memory allocated from the heap, by contrast, is freed only when the program explicitly requests it. The heap is used to implement dynamic memory management in C, C++, and Objective-C using malloc()/free(), new/delete, and alloc/release, respectively.
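The lifetime distinction above is easiest to see in code. The following is an added C example, not code from the book: it wraps a `malloc()`-backed buffer in a small struct, shows that the allocation survives the return of the function that created it (unlike a local array in that function's stack frame), and pairs it with a length-checked append that refuses any write exceeding the allocated capacity, which is exactly the condition a heap buffer overflow violates. The struct and function names (`heap_buf`, `heap_buf_new`, `heap_buf_append`, `heap_buf_free`, `build_greeting`) are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A heap-backed string buffer that carries its own capacity so that every
 * write can be bounds-checked against the size actually allocated. */
typedef struct {
    char *data;      /* storage obtained from malloc() */
    size_t capacity; /* bytes allocated, including room for the NUL */
    size_t length;   /* bytes currently in use, excluding the NUL */
} heap_buf;

/* Allocate a buffer. Both the struct and its storage come from the heap,
 * so they remain valid after this function returns and live until
 * heap_buf_free() is called explicitly. */
heap_buf *heap_buf_new(size_t capacity) {
    if (capacity == 0) return NULL;
    heap_buf *b = malloc(sizeof *b);
    if (b == NULL) return NULL;
    b->data = malloc(capacity);
    if (b->data == NULL) { free(b); return NULL; }
    b->capacity = capacity;
    b->length = 0;
    b->data[0] = '\0';
    return b;
}

/* Bounds-checked append. Returns 0 on success and -1 if copying src would
 * write past the allocation; in that case the buffer is left untouched.
 * An unchecked strcpy()/memcpy() here is the classic heap overflow bug. */
int heap_buf_append(heap_buf *b, const char *src) {
    if (b == NULL || src == NULL) return -1;
    size_t n = strlen(src);
    size_t room = b->capacity - 1 - b->length; /* space left before the NUL */
    if (n > room) return -1;                   /* would overflow: reject */
    memcpy(b->data + b->length, src, n + 1);   /* n bytes plus the NUL */
    b->length += n;
    return 0;
}

/* Explicit release: heap memory is never freed automatically. */
void heap_buf_free(heap_buf *b) {
    if (b == NULL) return;
    free(b->data);
    free(b);
}

/* Builds a buffer and hands it to the caller. Returning the address of a
 * local char array from here would be invalid once the frame is popped,
 * but the heap allocation outlives this function. */
heap_buf *build_greeting(void) {
    heap_buf *b = heap_buf_new(16);
    if (b == NULL) return NULL;
    if (heap_buf_append(b, "hello") != 0) { heap_buf_free(b); return NULL; }
    return b;
}

int main(void) {
    heap_buf *b = build_greeting();
    if (b == NULL) return 1;
    printf("after return: \"%s\" (%zu/%zu used)\n", b->data, b->length, b->capacity);
    printf("append \", world\": %d\n", heap_buf_append(b, ", world"));
    printf("append \"!!!!\": %d (rejected, would exceed capacity)\n",
           heap_buf_append(b, "!!!!"));
    printf("final: \"%s\"\n", b->data);
    heap_buf_free(b);
    return 0;
}
```

With a 16-byte allocation, `"hello"` plus `", world"` fits (12 bytes plus the terminator), while a further `"!!!!"` would need 17 bytes and is refused; the same check is what an allocator-level mitigation cannot do for you, since `malloc()` only knows the size it handed out, not how much the caller later writes.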
Mac OS X allows the heap allocator implementation to be chosen dynamically. ...