• heap canary
  • heap chunkごとにCanaryを置いて、ある種類のシステムコールが呼ばれるたびに全体をチェックする

HeapSentry checks the health of the protected process’ heap right before the execution of system calls, thus effectively denying the final and necessary element of all related attacks, i.e., access to kernel resources The Medium Risk group, contains system calls that can be advantageous for an attacker but, unlike the High-Risk ones, not in isolation. In this case, HeapSentry checks a subset of the active canaries, expressed as a percentage of the total live canaries, before allowing the system call to proceed. The rationale behind this strategy, is that while the overflowed object may not be detected at the first Medium-Risk system call, the attacker would be detected before completing his attack.

  • Medium-Riskなシステムコールは単体で攻撃を完了できない
    1. Limitationsで、関数へのポインタとバッファが同じstruct(=heap chunk)にあればやっぱり検知できないね、というとが書かれている
  • Appendixに他の研究がいろいろ示されていて便利
    • HeapShield, DieHard, DieHarder, Archipelago, dlmalloc, etc