In this paper, we describe Nozzle, a runtime infrastructure that detects heap spraying attacks by exploiting the fact that spraying places many copies of objects with specific characteristics into the heap. Nozzle uses a combination of methods including statistics, object examination, and lightweight emulation to estimate whether a given object is part of a spraying attack. Because heap spraying involves large-scale changes to the heap contents, we exploit this characteristic to reduce our false positive and false negative detection rates. We develop a general notion of global “heap health” based on the measured attack surface of the heap contents.
Because Nozzle only examines object contents and requires no changes to the object or heap structure, it can easily be integrated into both native and garbage-collected heaps. In this paper, we implement Nozzle by intercepting calls to the memory manager in the Mozilla Firefox browser (version 2.0.0.16). Because browsers are the most popular target of heap spray attacks, it is crucial for a successful spray detector to provide both a very high detection rate and a very low false positive rate.
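The following is an added, simplified model of the per-object scoring and global heap metric sketched above; it is illustrative code written for this page, not the Nozzle implementation or Firefox code. It assumes a small x86-32 opcode subset for the "lightweight emulation" step, treats ret/int3/jmp as the end of a straight-line path rather than following control flow, and scores a constructed sample heap (four copies of a sprayed block, a record of small integers, and a zero-filled buffer) rather than real allocator data. The per-object attack surface here is the largest number of start offsets that decode into the same instruction, normalised by object size; the heap-level figure is the size-weighted mean of those surfaces, and "heap health" is one minus that value.

```c
/* Added illustrative model, not code from the Nozzle paper or Firefox: score
 * each heap object by decoding x86-32 straight-line from every byte offset,
 * count how many start offsets reach each instruction, and roll the per-object
 * scores up into a size-weighted global heap metric. The opcode subset, the
 * terminator rule for jumps, and the sample heap are all assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct heap_obj { const uint8_t *data; size_t len; };

/* Length of the instruction at buf[pc] in a small x86-32 subset, or 0 if the
 * byte is outside that subset. *term is set for ret/int3/jmp, which end a
 * straight-line path here (a real emulator would follow the jump).
 * 0x00 (add [r/m8],r8) is deliberately left out so zero-filled memory is not
 * scored as a sled. */
static size_t decode_len(const uint8_t *buf, size_t len, size_t pc, int *term)
{
    uint8_t op = buf[pc];
    *term = 0;
    if (op == 0x90 || (op >= 0x40 && op <= 0x61) || op == 0x98 || op == 0x99 ||
        op == 0xf8 || op == 0xf9 || op == 0xfc || op == 0xfd)
        return 1;                          /* nop, inc/dec, push/pop, cwde, flags */
    if (op == 0xc3 || op == 0xcc) { *term = 1; return 1; }   /* ret, int3 */
    if (op == 0xeb) { *term = 1; return 2; }                  /* jmp rel8 */
    if (op == 0xe9) { *term = 1; return 5; }                  /* jmp rel32 */
    if (op == 0x6a || (op >= 0xb0 && op <= 0xb7) || (op >= 0x70 && op <= 0x7f))
        return 2;                          /* push imm8, mov r8,imm8, jcc rel8 */
    if (op == 0x68 || (op >= 0xb8 && op <= 0xbf) || op == 0xe8)
        return 5;                          /* push imm32, mov r32,imm32, call */
    /* ALU r/m forms 01 03 09 0b ... 39 3b plus test/mov/lea: need a ModRM byte */
    if (!((op < 0x40 && ((op & 7) == 1 || (op & 7) == 3)) ||
          op == 0x85 || op == 0x89 || op == 0x8b || op == 0x8d))
        return 0;
    if (pc + 1 >= len) return 0;
    uint8_t modrm = buf[pc + 1], mod = modrm >> 6, rm = modrm & 7;
    size_t n = 2;
    if (mod == 3) return n;                                   /* reg, reg */
    if (rm == 4) {                                            /* SIB byte */
        if (pc + 2 >= len) return 0;
        n++;
        if (mod == 0 && (buf[pc + 2] & 7) == 5) n += 4;       /* no base: disp32 */
    }
    if (mod == 0 && rm == 5) n += 4;                          /* [disp32] */
    else if (mod == 1) n += 1;                                /* [reg+disp8] */
    else if (mod == 2) n += 4;                                /* [reg+disp32] */
    return n;
}

/* Per-object attack surface: from every start offset decode forward until an
 * undecodable byte, a terminator, or the end of the object; count how many
 * starts land on each instruction; return max count / object size. A pure
 * NOP sled scores 1.0 because every offset funnels into the same sink. */
static double object_surface(const uint8_t *buf, size_t len, size_t *max_reach)
{
    size_t best = 0;
    *max_reach = 0;
    if (len == 0) return 0.0;
    size_t *reach = calloc(len, sizeof *reach);
    if (!reach) return 0.0;
    for (size_t s = 0; s < len; s++) {
        for (size_t pc = s; pc < len; ) {
            int term;
            size_t n = decode_len(buf, len, pc, &term);
            if (n == 0 || pc + n > len) break;   /* junk byte or runs off the end */
            reach[pc]++;
            if (term) break;
            pc += n;
        }
    }
    for (size_t i = 0; i < len; i++) if (reach[i] > best) best = reach[i];
    free(reach);
    *max_reach = best;
    return (double)best / (double)len;
}

/* Global heap attack surface: size-weighted mean of per-object surfaces, which
 * reduces to sum(max_reach) / sum(len). Heap health is 1 minus this value.
 * *flagged counts objects whose own surface exceeds the per-object threshold. */
static double heap_attack_surface(const struct heap_obj *objs, size_t n,
                                  double threshold, size_t *flagged)
{
    size_t total = 0, reached = 0, mr;
    *flagged = 0;
    for (size_t i = 0; i < n; i++) {
        if (object_surface(objs[i].data, objs[i].len, &mr) > threshold) (*flagged)++;
        total += objs[i].len;
        reached += mr;
    }
    return total ? (double)reached / (double)total : 0.0;
}

/* Constructed sample heap (not captured from a real process): four copies of a
 * sprayed block (60-byte NOP sled, then xor eax,eax; ret; ret), a record of
 * little-endian integers, and a zero-filled buffer. Returns the object count. */
static uint8_t g_spray[64];
static const uint8_t g_ints[16] = {7,0,0,0, 42,0,0,0, 0xe8,3,0,0, 0x10,0,0,0};
static const uint8_t g_zeros[32] = {0};

static size_t build_heap(struct heap_obj *objs)
{
    static const uint8_t tail[4] = {0x31, 0xc0, 0xc3, 0xc3};
    memset(g_spray, 0x90, 60);
    memcpy(g_spray + 60, tail, 4);
    for (size_t i = 0; i < 4; i++) objs[i] = (struct heap_obj){ g_spray, 64 };
    objs[4] = (struct heap_obj){ g_ints, 16 };
    objs[5] = (struct heap_obj){ g_zeros, 32 };
    return 6;
}

/* Sample-heap results as plain return values (per-object threshold 0.5). */
static double sample_surface(size_t idx)
{ struct heap_obj o[6]; size_t mr; build_heap(o); return object_surface(o[idx].data, o[idx].len, &mr); }
static double sample_heap_surface(void)
{ struct heap_obj o[6]; size_t f, n = build_heap(o); return heap_attack_surface(o, n, 0.5, &f); }
static size_t sample_flagged(void)
{ struct heap_obj o[6]; size_t f, n = build_heap(o); heap_attack_surface(o, n, 0.5, &f); return f; }

int main(void)
{
    struct heap_obj objs[6];
    size_t n = build_heap(objs), flagged, mr;
    for (size_t i = 0; i < n; i++)
        printf("object %zu: %3zu bytes, attack surface %.4f\n", i, objs[i].len,
               object_surface(objs[i].data, objs[i].len, &mr));
    double sa = heap_attack_surface(objs, n, 0.5, &flagged);
    printf("heap attack surface %.4f, heap health %.4f, %zu object(s) over 0.5\n",
           sa, 1.0 - sa, flagged);
    return 0;
}
```

On the sample heap the sprayed block scores 62/64 (every sled offset plus the xor lands on the final ret), the integer record scores 1/16, and the zero buffer scores 0, giving a heap attack surface of 249/304 and a heap health of roughly 0.18 with four objects over the 0.5 threshold. Two caveats a deployment would have to address, both deliberately visible in this model: the decoder's opcode subset decides what counts as "executable" (real ASCII text decodes surprisingly well on x86, which is where false positives come from), and treating jumps as terminators undercounts sleds built from short forward jumps, which the paper's heavier control-flow analysis handles.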