Heap Feng Shui
What is Heap Feng Shui?
Heap Feng ShuiDeterministic heap-grooming technique introduced by Alexander Sotirov in 2007 that arranges allocations to land vulnerable objects next to attacker-controlled ones.
Alexander Sotirov coined Heap Feng Shui at Black Hat Europe 2007. Whereas heap spraying is statistical, feng shui carefully allocates, frees and re-allocates objects in JavaScript to shape the browser heap so that, after triggering a memory corruption, the vulnerable object reliably overlaps with attacker-controlled bytes. By exhausting freelists, exploiting size-class bins, and using long-lived allocations as anchors, exploits achieve deterministic layouts even under ASLR and randomized allocators. The idea generalised to kernel heap grooming (Linux SLUB, Windows pool feng shui) and to JavaScript engine exploitation (V8, SpiderMonkey). Modern mitigations include hardened allocators (PartitionAlloc, scudo), MTE on ARM, GWP-ASan, and isolated heaps for sensitive metadata.
● Examples
- 01
Triggering precise allocations in JavaScript to position a vulnerable JIT object next to an attacker-controlled ArrayBuffer.
- 02
Linux kernel SLUB feng shui to align a UAF object with cred structures and gain root.
● Frequently asked questions
What is Heap Feng Shui?
Deterministic heap-grooming technique introduced by Alexander Sotirov in 2007 that arranges allocations to land vulnerable objects next to attacker-controlled ones. It belongs to the Attacks & Threats category of cybersecurity.
What does Heap Feng Shui mean?
Deterministic heap-grooming technique introduced by Alexander Sotirov in 2007 that arranges allocations to land vulnerable objects next to attacker-controlled ones.
How does Heap Feng Shui work?
Alexander Sotirov coined Heap Feng Shui at Black Hat Europe 2007. Whereas heap spraying is statistical, feng shui carefully allocates, frees and re-allocates objects in JavaScript to shape the browser heap so that, after triggering a memory corruption, the vulnerable object reliably overlaps with attacker-controlled bytes. By exhausting freelists, exploiting size-class bins, and using long-lived allocations as anchors, exploits achieve deterministic layouts even under ASLR and randomized allocators. The idea generalised to kernel heap grooming (Linux SLUB, Windows pool feng shui) and to JavaScript engine exploitation (V8, SpiderMonkey). Modern mitigations include hardened allocators (PartitionAlloc, scudo), MTE on ARM, GWP-ASan, and isolated heaps for sensitive metadata.
How do you defend against Heap Feng Shui?
Defences for Heap Feng Shui typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Heap Feng Shui?
Common alternative names include: Heap grooming.
● Related terms
- attacks№ 471
Heap Spraying
An exploitation primitive that fills the heap with many copies of a payload so that a corrupted pointer is highly likely to land on attacker-controlled data.
- vulnerabilities№ 1193
Use-After-Free
A memory-safety bug where a program continues to use memory after it has been freed, often allowing attackers to control object state and hijack execution.
- appsec№ 064
ASLR
Address Space Layout Randomization randomizes the memory locations of code, stacks, heaps, and libraries so attackers cannot reliably predict target addresses for exploits.
- vulnerabilities№ 667
Memory Corruption
An umbrella term for vulnerabilities where a program writes outside the bounds of intended memory, undermining type-safety, control flow, or data integrity.