18 Mar, 2013, Rarva.Riendf wrote in the 21st comment:
The random garbage one might find on a block from malloc() isn't really random at all. It's all a creation of your own process.


Of course it is inside your own process, but an attacker has a lot of information available if freed memory is not zeroed, especially if it is always allocated in the same place (which is why they use random addresses to allocate it nowadays). I wonder how the hell hackers manage to find out how to exploit their security hole now. Quite a feat.

I do not even remember if it was on XP or Seven that I used Cygwin and saw the different behaviour. So sorry I cannot be more precise about how to replicate the behaviour. But it taught me to be more careful about what happens after mallocs. I just assume I will never have 0 after it.
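The two defensive habits the comment points at (never assume malloc() hands back zeros; do not leave data lying around in freed memory) as an added C example. This is not code from the thread; the helper names alloc_zeroed, wipe, wipe_and_free, is_all_zero and leftover_after_reuse are assumptions made for the illustration. calloc() is the standard call that does guarantee zero-filled memory, and the wipe goes through a volatile pointer so the compiler cannot discard the stores as dead writes before free().

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if every byte of buf[0..len) is zero, else 0. */
int is_all_zero(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc == 0;
}

/* Allocation that is guaranteed zero-filled. Unlike malloc(), calloc()
 * promises this, so code that needs zeros should ask for them. */
unsigned char *alloc_zeroed(size_t len) {
    return (unsigned char *)calloc(len, 1);
}

/* Overwrite a buffer with zeros through a volatile pointer so the stores
 * cannot be optimised away just because the buffer is about to die. */
void wipe(unsigned char *buf, size_t len) {
    volatile unsigned char *p = buf;
    for (size_t i = 0; i < len; i++) p[i] = 0;
}

/* Clear sensitive contents before returning the block to the allocator,
 * so a later allocation (or anyone reading freed memory) sees only zeros. */
void wipe_and_free(unsigned char *buf, size_t len) {
    if (buf == NULL) return;
    wipe(buf, len);
    free(buf);
}

/* Demonstrates the hazard the comment describes: fill a block with a marker
 * (0xAA, a constructed value), free it WITHOUT wiping, allocate the same
 * size again and count how many marker bytes survived. The result is
 * allocator-dependent, which is exactly the point: it is unspecified, not
 * zero. Compare with the path that wipes before free(). */
size_t leftover_after_reuse(size_t len, int wipe_first) {
    unsigned char *a = (unsigned char *)malloc(len);
    if (a == NULL) return 0;
    memset(a, 0xAA, len);
    if (wipe_first) wipe_and_free(a, len); else free(a);

    unsigned char *b = (unsigned char *)malloc(len);
    if (b == NULL) return 0;
    size_t leftover = 0;
    for (size_t i = 0; i < len; i++) if (b[i] == 0xAA) leftover++;
    free(b);
    return leftover;
}

int main(void) {
    size_t len = 256;
    printf("marker bytes visible after plain free():     %zu of %zu\n",
           leftover_after_reuse(len, 0), len);
    printf("marker bytes visible after wipe_and_free(): %zu of %zu\n",
           leftover_after_reuse(len, 1), len);

    unsigned char *z = alloc_zeroed(len);
    printf("calloc() block all zero: %d\n", z ? is_all_zero(z, len) : -1);
    free(z);
    return 0;
}
```

The first printed count varies by allocator and build; the second is always 0 because the wipe happens before the block is returned. For the same reason the self-test below only asserts on the calloc() and wipe paths, never on what plain malloc() happens to return.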