About Hack the Heap!

Hack the Heap is a puzzle game created for multiple purposes. First and foremost, solving these puzzles provides us with valuable solutions to a problem called heap layout manipulation, also known as heap feng shui or heap massaging. Furthermore, the game can be used for educational purposes, as it simulates the inner workings of heap allocators and heap memory vulnerabilities. Although the puzzle itself is a simplified representation of reality, we aim to keep the puzzles both reasonably realistic and challenging to play.

Playing a custom game

Custom games can be played (and will eventually be creatable from real-world applications, although this feature is not available yet). To do so, go to the cookie-free game here and press the "show editor" button on the left. A new box will appear in which a custom game code can be inserted.

What the game represents

Heap Memory in a nutshell [1]

A computer application requires memory to store data. One common place to store data [2] is the heap. The heap is dynamic, meaning that a block of memory of a given size can be requested, or given back, at any time. This process of requesting and receiving a given number of bytes is called memory allocation.

Behind the scenes, a memory allocator handles these requests. Generally, memory allocators manage one large chunk of memory and chip away at this chunk whenever an allocation is made. If not enough memory is available, the allocator tries to grow its own chunk or, alternatively, fails to allocate.

This game represents a variety of situations that could occur with a multitude of allocators. For example, the 'allocation method' represents the technique used to decide which area of the large chunk to pick from. At the same time, performing a single operation in an application (e.g. saving a file with ctrl+s) might require more than one allocation. As such, buttons in the game can place more than one puzzle piece (representing multiple allocations).

Heap Layout Manipulation [1]

As the game shows, the heap can be manipulated through a series of operations. In particular, such a series of operations can end up placing one piece of allocated memory directly adjacent to another, chosen piece. Depending on the type of puzzle, this is generally what solves it.

Occasionally it happens that a developer makes a mistake, and the application ends up not only writing into the newly allocated piece, but writing beyond this piece into the next piece of memory. This is what we refer to as a Heap Overflow. Hackers can try to abuse this, but this is often a very precise and complex matter.

One of the techniques that aids this is heap layout manipulation: making sure that the hacker writes in exactly the spot where they want to. By solving the puzzles here, you solve the same problem as real exploit writers / hackers, just in a visual way. As mentioned before, some puzzles are simplified representations that do not occur in a real-world scenario. Others, on the other hand, can be used directly in a real-world scenario to solve the problem of heap layout manipulation.
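The puzzle mechanics described above (buttons that allocate or free pieces, and a win condition of one piece landing directly before another) as a small allocator model plus a brute-force solver. This is an added example, not the game's own code or allocator model; the first-fit policy, the rule that "delete note" releases the oldest note, the chunk sizes, the puzzle layout and the button names are all assumptions constructed for this illustration.

```python
from collections import deque

def alloc(heap, name, size):
    """First-fit: carve `size` bytes from the first free chunk that is big enough."""
    for i, (start, length, owner) in enumerate(heap):
        if owner is None and length >= size:
            rest = ((start + size, length - size, None),) if length > size else ()
            return heap[:i] + ((start, size, name),) + rest + heap[i + 1:]
    return None  # out of memory: the button press fails

def free(heap, name):
    """Release the oldest live chunk called `name`, merging adjacent free chunks."""
    out, done = [], False
    for start, length, owner in heap:
        if owner == name and not done:
            owner, done = None, True
        if out and out[-1][2] is None and owner is None:  # coalesce with left neighbour
            out[-1] = (out[-1][0], out[-1][1] + length, None)
        else:
            out.append((start, length, owner))
    return tuple(out) if done else None  # nothing to free: the press fails

def press(heap, steps):  # one button = a list of ('alloc', name, size) / ('free', name)
    for s in steps:
        heap = alloc(heap, s[1], s[2]) if s[0] == "alloc" else free(heap, s[1])
        if heap is None:
            return None
    return heap

def adjacent(heap, src, dst):
    """True when a `src` chunk is immediately followed by a `dst` chunk."""
    owners = [o for _, _, o in heap]
    return any(a == src and b == dst for a, b in zip(owners, owners[1:]))

def solve(heap, buttons, src, dst):
    """Breadth-first search for the shortest list of button presses that puts src
    directly before dst; the arena is fixed-size, so the state space is finite."""
    seen, queue = {heap}, deque([(heap, [])])
    while queue:
        state, path = queue.popleft()
        if adjacent(state, src, dst):
            return path
        for label, steps in buttons.items():
            nxt = press(state, steps)
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [label]))
    return None  # no sequence of presses makes src border dst

# Constructed puzzle (made-up values): 64-byte arena with a 16-byte hole in front of a
# pinned 8-byte "cfg" chunk; notes are 8 bytes, src (overflowing) and dst are 16 bytes.
PUZZLE = ((0, 16, None), (16, 8, "cfg"), (24, 40, None))
BUTTONS = {"new note": [("alloc", "note", 8)], "delete note": [("free", "note")],
           "open file": [("alloc", "src", 16)], "load plugin": [("alloc", "dst", 16)]}
```

Running `solve(PUZZLE, BUTTONS, "src", "dst")` finds that one note must first be used to spoil the hole before `src` and `dst` are allocated back to back; with a smaller arena and no note buttons the search exhausts every layout and returns `None`, i.e. no solution exists.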

The main purpose of this project is not to help hackers, though. Instead, being able to solve the heap layout manipulation problem provides a valid metric for understanding the severity of a vulnerability. Being able to solve the HLM problem tells us that a vulnerability is very likely to be abusable by hackers, and thus that the problem needs to be fixed. By people like you playing the game, we can make the world a little safer!

Research

This work has been published and presented at the Workshop On Offensive Technologies (WOOT) '22, co-located with IEEE Security & Privacy. The paper can be found here.

This game was created as a research project with two main goals. First, the puzzle solutions can be utilised in a real-world scenario to solve the heap layout manipulation problem. This helps cyber security experts assess the severity of a vulnerability, and helps exploit writers solve the problem or merely find out whether a solution to the problem exists at all.

Secondly, the game can be used in an educational setting. Recall that the game simulates the inner workings of heap allocators. Computer science students and enthusiasts can play the game and gain an intuitive understanding of the heap, heap allocators and the pros and cons of various allocation techniques. Furthermore, the game shows the importance of memory safety issues, how they can be abused and why we should care about them.

Authors

This game is developed by Jordy Gennissen, supervised by Dan O'Keeffe on this project. A number of other people were involved in this project, including (but not limited to) Manouk Locher in design, Jorge Blasco, and a number of testers who played the game and provided useful feedback that greatly improved the quality of the puzzle game.

Source Code

Find the source code on Github. To generate your own puzzle, a separate toolchain is required.

[1] Simplified.
[2] Apart from the stack and the globals section.