What Is Heap Spraying?

Heap spraying is a hacking technique used to exploit vulnerabilities in computer software. It acts to gain control over a program by taking advantage of a portion of its memory. Once a part of the memory is controlled by the hacking code, the hacker can take control of the execution of the code by implementing a buffer overflow in the heap area of the memory. The most common application for heap spraying is hacking web browsers such as Internet Explorer®.

A "heap" is a dynamic block of memory that the computer assigns to a particular program, so named because the computer dedicates a virtual pile of memory to the program. This can be thought of like storage space in a closet or desk. This heap of memory belongs to the program until either the software or the collection code of the operating system releases it. The collection code is simply a failsafe device that reclaims memory if the program crashes or the software itself fails to release the memory after it terminates use.

In heap spraying, a hacker attempts to "spray" the memory heap with a specific portion of code. The goal is to place the code at a specific position within the program's memory heap, like wedging a crowbar into the edge of a doorframe to provide leverage to force the door open. After the information is wedged into the memory heap through heat spraying, the hacker can then overflow either the heap or the entire memory buffer, generating errors within the system. Once errors occur, the hacker can take advantage of them to execute his own code on the system.

Heap spraying works due to the dynamic allocation of memory in the system. The computer program essentially "owns" the entire chunk of memory for the time being, so the hacker already knows the relative location within the memory that the computer has assigned to the program. Therefore, the hacker needs little specificity to wedge his code into the cracks; he can spray the code blindly, knowing that the block of memory will always be there so long as the program continues to run. This could be compared to trying to pick a lock while blindfolded; the task becomes almost impossible if the lock is moving around, but as long as it remains in one fixed location — as does the heap of memory in the system — the job becomes possible.