Heap Protection
References:
Heap for Windows Vista/Server 2008/Windows 7
The following features are enabled by default:
Randomized heap base address
- The base address of a heap region is randomized as part of ASLR;
- 5 bits of entropy;
Function pointer encoding
- Function pointers stored in heap data structures are XORed with a random value before being stored and decoded again before use;
- An attacker who overwrites such a pointer does not know the key, so the overwritten value decodes to an unintended address rather than the one chosen;
Algorithm variation
- Algorithm may shift depending on allocation patterns and policies;
Heap header cookie
- An 8-bit random value is stored in the header of each heap entry;
- It is used to check the integrity of the header fields;
- It is checked in many places, for example:
- at the time that a heap entry is freed;
- …
Heap entry metadata randomization
- The header of each heap entry is XORed with a random value in order to protect the integrity of the metadata;
- The heap manager then unpacks (decodes) and verifies the integrity of each heap entry prior to operating on it.
Removal of commonly targeted data structures
- e.g. Lookaside lists have been replaced by the Low Fragmentation Heap (LFH).
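The cookie, metadata-XOR and function-pointer-encoding items above, modelled in a small C allocator. This is an added example, not code from the page or from the Windows heap manager: the types, the names (toy_heap, toy_alloc, toy_free, toy_commit_routine, toy_demo), the 8-byte header layout and the fixed keys and cookie value are all constructed for the illustration; a real heap draws its keys from the system RNG when the heap is created.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy allocator modelling three protections: an 8-bit cookie in every entry
 * header, headers XORed with a per-heap key, and function pointers in heap
 * metadata XORed with a second key. Names and layout are invented here. */

#define ARENA_SIZE 4096
#define HDR_SIZE   8

typedef struct {
    uint32_t size;    /* usable bytes following the header */
    uint8_t  flags;   /* bit 0 set while the block is busy (in use) */
    uint8_t  cookie;  /* per-heap 8-bit random value, checked on free */
    uint16_t pad;     /* must decode to zero */
} toy_entry;

typedef struct {
    uint64_t  entry_key;      /* XORed over each 8-byte header in memory */
    uintptr_t ptr_key;        /* XORed over stored function pointers */
    uint8_t   cookie;
    uintptr_t commit_routine; /* kept in encoded form */
    size_t    top;            /* bump pointer into arena */
    uint8_t   arena[ARENA_SIZE];
} toy_heap;

/* A real heap draws keys and cookie from the system RNG when it is created;
 * taking them as parameters keeps this example deterministic. */
void toy_heap_init(toy_heap *h, uint64_t entry_key, uintptr_t ptr_key,
                   uint8_t cookie, void (*commit)(void)) {
    memset(h, 0, sizeof *h);
    h->entry_key = entry_key;
    h->ptr_key = ptr_key;
    h->cookie = cookie;
    h->commit_routine = (uintptr_t)commit ^ ptr_key; /* function pointer encoding */
}

/* Decode before use: a raw overwrite with a chosen address makes the heap call
 * address ^ ptr_key, which cannot be predicted without the key. */
void (*toy_commit_routine(const toy_heap *h))(void) {
    return (void (*)(void))(h->commit_routine ^ h->ptr_key);
}

/* Headers live in memory XORed with the per-heap key (metadata randomization). */
static void header_xor(const toy_heap *h, void *dst, const void *src) {
    uint64_t raw;
    memcpy(&raw, src, HDR_SIZE);
    raw ^= h->entry_key;
    memcpy(dst, &raw, HDR_SIZE);
}

/* Bump allocation: 8-byte header, then user data rounded up to 8 bytes. */
void *toy_alloc(toy_heap *h, uint32_t size) {
    size_t need = (size + 7) & ~(size_t)7;
    if (h->top + HDR_SIZE + need > ARENA_SIZE) return NULL;
    toy_entry e = { (uint32_t)need, 1, h->cookie, 0 };
    header_xor(h, h->arena + h->top, &e);
    void *user = h->arena + h->top + HDR_SIZE;
    h->top += HDR_SIZE + need;
    return user;
}

/* Unpack and verify the header before acting on it, as the heap manager does.
 * Returns 0 on success, -1 when the entry fails an integrity check. */
int toy_free(toy_heap *h, void *user) {
    uint8_t *p = user;
    if (p < h->arena + HDR_SIZE || p > h->arena + h->top) return -1;
    size_t off = (size_t)(p - h->arena) - HDR_SIZE;
    toy_entry e;
    header_xor(h, &e, h->arena + off);
    if (e.cookie != h->cookie) return -1;                          /* cookie mismatch */
    if (!(e.flags & 1)) return -1;                                 /* not busy: double free */
    if (e.pad != 0 || off + HDR_SIZE + e.size > h->top) return -1; /* implausible size */
    e.flags &= (uint8_t)~1u;
    header_xor(h, h->arena + off, &e);
    return 0;
}

static void noop_commit(void) {}
/* Runs the scenarios; returns 0 if every check behaved as expected, otherwise
 * the number of the first step that did not. Keys and cookie are constructed. */
int toy_demo(void) {
    static toy_heap h;
    toy_heap_init(&h, 0x1122334455667788ull, 0xdeadbeefcafef00dull, 0x5a, noop_commit);
    if (toy_commit_routine(&h) != noop_commit) return 1;
    h.commit_routine = (uintptr_t)noop_commit;           /* raw overwrite by an attacker */
    if (toy_commit_routine(&h) == noop_commit) return 2; /* decodes elsewhere instead */
    char *a = toy_alloc(&h, 16), *b = toy_alloc(&h, 16);
    if (!a || !b) return 3;
    memset(a, 'A', 24);                                  /* 8 bytes past a, into b's header */
    if (toy_free(&h, b) != -1) return 4;                 /* corrupted header rejected */
    if (toy_free(&h, a) != 0) return 5;                  /* a's own header is intact */
    if (toy_free(&h, a) != -1) return 6;                 /* second free rejected */
    return 0;
}

int main(void) {
    printf("toy_demo() = %d\n", toy_demo());
    return 0;
}
```

toy_demo() walks three failure modes: a raw overwrite of the encoded routine pointer decodes to a different address, an 8-byte overflow from one block into its neighbour's header is caught by the cookie check at free time, and a second free of the same block is caught by the busy flag. With an 8-bit cookie a random corruption still passes that one check with probability 1/256, which is why the decoded size and padding are checked as well.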
Additions on Windows 8/8.1
Reference: Software Defense: Mitigating Heap Corruption Vulnerabilities
Enhanced heap integrity checks:
- Catch-all exception handling blocks have been removed;
- The HEAP handle can no longer be freed;
- HEAP CommitRoutine is encoded with a global key;
- Extended block header validation;
- Blocks cannot be allocated if they are already busy (in-use flag);
- FirstAllocationOffset and BlockStride are encoded (defense against corruption);
- Guard pages for certain types of sub-regions within the heap:
- Large allocations: > 512 KB (32-bit) or > 1 MB (64-bit);
- Heap segments: all heap segments;
- Maximally-sized subsegments.
- Allocation order randomization
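The guard-page item, demonstrated for the large-allocation case. This is an added example, not Windows heap code: it uses POSIX mmap/mprotect (the Windows heap manager achieves the same effect with VirtualAlloc/VirtualProtect), and guarded_alloc, guarded_free, probe_write and guard_demo are names invented here. The SIGSEGV handler and siglongjmp exist only so the demo can observe the trap and continue; in production the access violation is left to crash the process, which is the point of the mitigation.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Guard page behind a large allocation, modelled with mmap/mprotect.
 * All function names below are invented for this example. */

static sigjmp_buf fault_env;

static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);   /* unwind out of the faulting write */
}

/* Maps `size` bytes rounded up to whole pages, followed by one page mapped
 * PROT_NONE. A write that runs off the end of the data faults instead of
 * silently reaching whatever mapping comes next. `usable` must be non-NULL. */
void *guarded_alloc(size_t size, size_t *usable) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t data = (size + page - 1) / page * page;
    uint8_t *base = mmap(NULL, data + page, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    if (mprotect(base + data, page, PROT_NONE) != 0) {
        munmap(base, data + page);
        return NULL;
    }
    *usable = data;
    return base;
}

void guarded_free(void *p, size_t usable) {
    munmap(p, usable + (size_t)sysconf(_SC_PAGESIZE));
}

/* Writes n bytes from p. Returns 0 if the write completed, 1 if it hit the
 * guard page; the fault is caught with a temporary SIGSEGV/SIGBUS handler
 * purely so the demonstration can continue. */
int probe_write(void *p, size_t n) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    int faulted = 1;
    if (sigsetjmp(fault_env, 1) == 0) {
        volatile uint8_t *q = p;   /* volatile: every byte really is written */
        for (size_t i = 0; i < n; i++) q[i] = 'A';
        faulted = 0;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Returns 0 when an in-bounds fill succeeds and a one-byte overrun traps,
 * otherwise the number of the failing step. */
int guard_demo(void) {
    size_t usable = 0;
    void *buf = guarded_alloc(600 * 1024, &usable); /* "large" by the 32-bit threshold */
    if (!buf) return 1;
    int r = 0;
    if (probe_write(buf, usable) != 0) r = 2;          /* fill to the last byte: fine */
    else if (probe_write(buf, usable + 1) != 1) r = 3; /* one byte past the end: trap */
    guarded_free(buf, usable);
    return r;
}

int main(void) {
    printf("guard_demo() = %d\n", guard_demo());
    return 0;
}
```

The data region is rounded up to a page boundary, so an overrun of fewer bytes than the rounding slack is not caught; the guard page stops linear overflows from escaping the allocation, not every off-by-one inside it.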