(12) Patent Application Publication (10) Pub. No.: US 2009/0300764 A1 FREEMAN (43) Pub

US 2009030.0764A1 (19) United States (12) Patent Application Publication (10) Pub. No.: US 2009/0300764 A1 FREEMAN (43) Pub. Date: Dec. 3, 2009

(54) SYSTEMAND METHOD FOR (22) Filed: May 28, 2008 IDENTIFICATION AND BLOCKING OF MALICOUS CODE FOR WEB BROWSER Publication Classification SCRIPT ENGINES (51) Int. Cl. (75) Inventor: Robert G. FREEMAN, Chamblee, G06F 2/14 (2006.01) GA (US) (52) U.S. Cl...... 726/24 Correspondence Address: GREENBLUM & BERNSTEIN, P.L.C. (57) ABSTRACT 1950 ROLAND CLARKE PLACE RESTON, VA 20191 (US) A system and method to protect web applications from mali cious attacks and, in particular, a system and method for (73) Assignee: INTERNATIONAL BUSINESS identification and blocking of malicious code for web MACHINES CORPORATION, browser Script engines. The system includes at least one mod Armonk, NY (US) ule configured to protect web applications from malicious attacks by detecting an occurrence of heap spraying and (21) Appl. No.: 12/127,995 blocking the occurrence of heap spraying.

Patch script 300 libraries (hooking)

Wait on Hooks

315 Web 2.0 Heuristics? Increase heap spray NS threshold values

Threshold adjustment Excessive string concatenation?

Detection Is total memory footprint of a Notify a callback Script thread excessive2

Patent Application Publication Dec. 3, 2009 Sheet 1 of 3 US 2009/0300764 A1

an 14a

Filter 14b.

I/O device 28 Storage System 22B

FIG. 1 Patent Application Publication Dec. 3, 2009 Sheet 2 of 3 US 2009/030.0764 A1

Web Browser 200 Starts

205 Patch Script Libraries

210

User Ready to Browse

Content is Done Requested

Render HTML

FIG. 2 Is Script Present? Execute Script Patent Application Publication Dec. 3, 2009 Sheet 3 of 3 US 2009/030.0764 A1

Patch script 300 libraries (hooking)

it is

Web 2.0 Heuristics?s Increase heap spray NS 315 threshold values

Threshold adjustment Excessive string concatenation?

Detection

Is total

memory footprint of a Notify a callback script thread excessive2

FIG. 3 US 2009/0300764 A1 Dec. 3, 2009

SYSTEMAND METHOD FOR corruption) or operating restrictions (in the case of buffer IDENTIFICATION AND BLOCKING OF overflows) it is necessary for the shellcode to exist in the MALICIOUS CODE FOR WEB BROWSER browser's heap memory. SCRIPT ENGINES 0008. In order for the malicious attacker to get their shellcode to heap addresses, it is necessary to "spray the FIELD OF THE INVENTION heap with redundant blocks of memory combining no-opera tion 'sleds' and actual shellcode. As is commonly known, a 0001. The invention generally relates to a system and heap spray is a technique used in exploits to facilitate arbi method to protect web applications from malicious attacks trary code execution. The term is also used to describe the part and, in particular, a system and method for identification and of the Source code of an exploit that implements such tech blocking of malicious code for web browser Script engines. nique. In general, the spraying code puts a certain sequence of bytes at a predetermined location in the memory through an indirect process by allocating many blocks (potentially of a BACKGROUND large size individually) on the heap and filling the bytes in these blocks. This technique sees widespread use in exploits 0002 Malware or malicious attacks on computing sys for web browsers. tems is becoming an ever-increasing security concern to com 0009. The use of heap spraying has proved simple enough panies and individuals. The most common pathway for Mal that even novice “hackers' can quickly write reliable exploits ware to infect computing systems is through the Internet, by for many vulnerabilities in web browsers and web browser email and the World WideWeb. plug-ins. Heap sprays for web browsers are commonly imple 0003. Malware comes in many different forms designed to mented in JavaScript. The heap spraying creates large Uni infiltrate or damage a computer system without the owner's codestrings with the same character or combinations of char informed consent. For example, Malware can include com acters (representing a no-operation "sled' and or computer puter viruses, worms, and trojan horses, as well as other code) repeated many times by concatenating starting with a malicious and unwanted Software. However, for a malicious string of one character and concatenating it with itself over program to accomplish its goals, it must be able to perform its and over. This causes the length of the string to grow expo malicious objectives without being deleted, shutdown or nentially up to the maximum length allowed by the scripting blocked. For this reason, concealment methods assist in the engine. When the maximum length (or an arbitrary lower installation and running of the malware. length) is reached, the heap spraying code starts to make 0004 Intrusion detection systems (IDS) are designed to copies of the long string and stores these in an array, up to the detect malware or other unwanted manipulations of computer point where enough memory has been sprayed. However, systems, mainly through the Internet. For example, IDS are when obfuscated, IDS cannot detect northwart (stop) the used to detect several types of malicious behaviors that can heap spray in order to the defeat the malicious attack. Fur compromise the security and trust of a computer system. This thermore, non-obfuscated heap sprays are both rarely includes network attacks against Vulnerable services, data observed and still present many challenges for IDS detection. driven attacks on applications, host based attacks such as 0010. Accordingly, there exists a need in the art to over privilege escalation, unauthorized logins and access to sensi come the deficiencies and limitations described hereinabove. tive files, and malware, itself. 0005 Typically, IDS are composed of several components SUMMARY including sensors, consoles and a central engine. Illustra tively, a sensor generates security events, and a console is 0011. In a first aspect of the invention a system comprises designed to monitor events and alerts and control the sensors. at least one module configured to protect web applications The central engine records events logged by the sensors and from malicious attacks by detecting an occurrence of heap uses rules to generate alerts from received security events. spraying and blocking the occurrence of heap spraying. There are several ways to categorize IDS depending on the 0012. In another aspect of the invention, a method for type and location of the sensors and the methodology used by preventing corruption of a web browser. The method com the engine to generate alerts. Types of IDS include network prises providing a computer infrastructure operable to deter based intrusion-detection systems (NIDS), passive systems mine when a string concatenation or total memory footprint and reactive/blocking systems such as intrusion prevention ofascript thread exceeds a threshold value which is indicative systems (IPS). of a heap spraying event, and block the heap spray event. 0013. In another aspect of the invention, a computer pro 0006 Typically IDS directly identify the malware or other gram product for protecting web applications from malicious malicious attacks in transit. However, malicious attacks are attacks. The computer program product comprises: a com becoming ever increasingly sophisticated in their obfuscation puter readable medium; first program instructions to detect an that it is sometimes difficult or impossible to detect malware occurrence of heap spray; and a second program instructions attacks by use of IDS as it is happening. Thus, only special to block the occurrence of the heap spraying upon the first ized anti-malware IDS systems may detect the Malware only program instructions detecting the heap spray thereby pre after it is already completely uploaded and active on the venting execution of a shellcode. The first and second pro computing System. gram instructions are stored on the computer readable media. 0007 Typically web browser exploits require shellcode to execute malicious code on a remote computing system. A BRIEF DESCRIPTION OF SEVERAL VIEWS OF shellcode is a small piece of code used as the payload in the THE DRAWINGS exploitation of software vulnerability. Such exploits are either due to a buffer overflow or a memory corruption con 0014. The present invention is described in the detailed dition. Either due to the bug design (in the case of memory description which follows, in reference to the noted plurality US 2009/0300764 A1 Dec. 3, 2009 of drawings by way of non-limiting examples of exemplary program is printed, as the program can be electronically cap embodiments of the present invention. tured, via, for instance, optical scanning of the paper or other 0015 FIG. 1 shows an illustrative environment for imple medium, then compiled, interpreted, or otherwise processed menting the steps in accordance with the invention; and in a suitable manner, if necessary, and then stored in a com 0016 FIGS. 2-3 show flow charts of exemplary processes puter memory. in accordance with aspects of the invention. 0028. In the context of this document, a computer-usable or computer-readable medium may be any medium that can DETAILED DESCRIPTION contain, store, communicate, propagate, or transport the pro 0017. The invention generally relates to a system and gram for use by or in connection with the instruction execu method to protect web applications from malicious attacks tion system, apparatus, or device. The computer usable pro and, in particular, a system and method for identification and gram code may be transmitted using any appropriate blocking of malicious code for web browser Script engines. In transmission media via a network. implementation, the invention provides the ability to identify 0029 Computer program code for carrying out operations and block a heap spray. Advantageously, by detecting the of the present invention may be written in any combination of heap spray, it is possible to block the malicious attack from one or more programming languages, including an object spraying (compared to merely identifying a problem) thereby oriented programming language such as Java, Smalltalk, C++ preventing shellcode execution. For example, if the heap or the like and conventional procedural programming lan spray is stopped early, so too is the remote code execution. guages, such as the “C” programming language or similar This is due to the fact that the present invention can detect the programming languages. The program code may execute occurrence of spraying prior to enough memory being allo entirely on the user's computer, partly on the user's computer, cated to execute the attack. as a stand-alone software package, partly on the user's com 0018. Also, having the ability to identify and block heap puter and partly on a remote computer or entirely on the sprays dramatically reduces the risk of web browser exploi remote computer or server. In the latter scenario, the remote tation since they are ubiquitous with Such exploitation. Simi computer may be connected to the user's computer through larly, reducing the amount of web browser exploitation any type of network. This may include, for example, a local reduces the amount of malware installations, as this is a area network (LAN) or a wide area network (WAN), or the common theme for remote shellcode execution. The prin connection may be made to an external computer (for ciples to remediation as applied by the present invention can example, through the Internet using an Internet Service Pro be applied to any closed-source (e.g., JS and Visual Basic vider). Script) as well as open-source libraries. 0030 FIG. 1 shows an illustrative environment 10 for managing the processes in accordance with the invention. To Exemplary System Environment and Infrastructure this extent, the environment 10 includes a server or other computing system 12 that can perform the processes 0019. As will be appreciated by one skilled in the art, the described herein. In particular, the server 12 includes a com present invention may be embodied as a system, method or puting device 14. The computing device 14 can be resident on computer program product. Accordingly, the present inven a network infrastructure or computing device of a third party tion may take the form of an entirely hardware embodiment, service provider (any of which is generally represented in an entirely software embodiment (including firmware, resi FIG. 1). dent Software, micro-code, etc.) or an embodiment combin 0031. The computing device 14 includes a Detection Tool ing Software and hardware aspects that may all generally be (module or program code) 14a configured to make computing referred to herein as a “circuit,” “module’ or “system.” Fur device 14 operable to perform the services described herein. thermore, the present invention may take the form of a com The Detection Tool 14a can be implemented as one or more puter program product embodied in any tangible medium of program code stored in memory 22A as separate or combined expression having computer-usable program code embodied modules. In an illustrative example, the Detection Tool 14a is in the medium. configured to identify and block a heap spray that is used to 0020. Any combination of one or more computerusable or prevent shellcode execution. In this way, the Detection Tool computer readable medium(s) may be utilized. The com 14a can prevent memory corruption and buffer overload Vul puter-usable or computer-readable medium may be, for nerabilities. More specifically, the Detection Tool 14a is con example but not limited to, an electronic, magnetic, optical, figured to detect the occurrence of heap spraying prior to electromagnetic, infrared, or semiconductor system, appara enough memory being allocated to execute the shellcode. In tus, device, or propagation medium. More specific examples this way, advantageously, the Detection Tool 14a dramati (a non-exhaustive list) of the computer-readable medium cally reduces the risk of web browser exploitation by reduc would include the following: ing malware installations from shellcode execution. 0021 a portable computer diskette, 0032. In embodiments, the solution presented by the 0022 a hard disk, present invention is to hook, either in source code or binary 0023 a random access memory (RAM), form, a string buffer allocation routine and/or string buffer 0024 a read-only memory (ROM), concatenation routine in each script library Supported by a 0025 an erasable programmable read-only memory given browser. The present invention can Support JavaScript (EPROM or Flash memory), and Visual Basic Script libraries, as well as other closed or 0026 a portable compact disc read-only memory open source libraries. (CDROM), 0033. The present invention contemplates two techniques 0027 an optical storage device, and/or implemented by the Management Tool 14a to prevent mali The computer-usable or computer-readable medium could cious attacks. These techniques include string allocation even be paper or another suitable medium upon which the requests and tracking memory utilization per thread. US 2009/0300764 A1 Dec. 3, 2009

0034. In string allocation requests, the Detection Tool 14a processes of the invention. The bus 26 provides a communi knows the total allocation size for the string buffer allocation cations link between each of the components in the comput stage and/or string buffer concatenation routine. This known ing device 14. value is compared against a maximum value known to be 0040. The computing device 14 can comprise any general indicative of a malicious event, e.g., an amount of memory purpose computing article of manufacture capable of execut that is indicative of a heap spray event. The maximum value ing computer program code installed thereon (e.g., a personal may range from 10 or more kilobytes to 100 or more mega computer, server, handheld device, etc.). However, it is under bytes depending on a specific application. For example, a stood that the computing device 14 is only representative of string may range from a sentence or two of information to various possible equivalent-computing devices that may per hundreds of megabytes for Web 2.0 applications, which may form the processes described herein. To this extent, in require all script code. The maximum value may be made embodiments, the functionality provided by the computing tunable via a filter 14b. device 14 can be implemented by a computing article of 0035. Once the maximum value is reached, the Detection manufacture that includes any combination of general and/or Tool 14a will flag the event as a heap spray and opt to block specific purpose hardware and/or computer program code. In the allocation. Once the allocation is block, an error message each embodiment, the program code and hardware can be can be returned, but the underlying web browser application created using standard programming and engineering tech would not break in any way, e.g., the web browser application niques, respectively. will continue to run. In embodiments, although the web 0041. Similarly, the server 12 is only illustrative of various browser application will continue to operate, certain func types of computer infrastructures for implementing the inven tions of the web browser applications may cease to operate as tion. For example, in embodiments, the server 12 comprises the web browser application runs on a tokenization of com two or more computing devices (e.g., a server cluster) that mands. In any event, the Detection Tool 14a will stop the communicate over any type of communications link. Such as malicious attack prior to enough memory blocks being a network, a shared memory, or the like, to perform the infected to execute the malware. Thus, in embodiments, the process described herein. Further, while performing the pro Script that is running will cease to operate properly. Although cesses described herein, one or more computing devices on there may be some false positives, depending on the maxi the server 12 can communicate with one or more other com mum value, this should be an acceptable risk. puting devices external to the server 12 using any type of 0036. In the tracking memory utilization per thread communications link. The communications link can com embodiment, the Detection Tool 14a could identify risky prise any combination of wired and/or wireless links; any script behavior during the lowest-level memory allocation combination of one or more types of networks (e.g., the routine (if hooked). For example, if total allocations on a Internet, a wide area network, a local area network, a virtual particular thread exceed a maximum value, the Detection private network, etc.); and/or utilize any combination of Tool 14a will flag this as a heap spray condition and Subse transmission techniques and protocols. quently block the action. Although, the Detection Tool 14a 0042. In embodiments, the invention provides a business will know with less certainty that an actual heap spray has method that performs the steps of the invention on a subscrip occurred versus inefficient or otherwise disastrous code, the tion, advertising, and/or fee basis. In this case, the service Detection Tool 14a can still deny an allocation on a particular provider can create, maintain, deploy, Support, etc., the com script thread. The outcome would be identical to that in the puter infrastructure that performs the process steps of the string allocation requests technique, i.e., returning of an error invention for one or more customers. These customers may message but not breaking of the web browser application in be, for example, any third party computing system. In return, any way. the service provider can receive payment from the customer 0037. The computing device 14 also includes a processor (s) under a Subscription and/or fee agreement and/or the Ser 20, memory 22A, an I/O interface 24, and a bus 26. The vice provider can receive payment from the sale of advertis memory 22A can include local memory employed during ing content to one or more third parties. actual execution of program code, bulk storage, and cache memories which provide temporary storage of at least some Exemplary Processes program code in order to reduce the number of times code 0043 FIGS. 2 and 3 illustrate exemplary processes in must be retrieved from bulk storage during execution. In accordance with the present invention. The steps of FIGS. 2 addition, the computing device includes random access and 3 may be implemented on the computer infrastructure of memory (RAM), a read-only memory (ROM), and a CPU. FIG. 1, for example. The flowchart and block diagrams in the 0038. The computing device 14 is in communication with Figures illustrate the architecture, functionality, and opera the external I/O device/resource 28 and the storage system tion of possible implementations of systems, methods and 22B. For example, the I/O device 28 can comprise any device computer program products according to various embodi that enables an individual to interact with the computing ments of the present invention. In this regard, each block in device 14 or any device that enables the computing device 14 the flowchart or block diagrams may represent a module, to communicate with one or more other computing devices segment, or portion of code, which comprises one or more using any type of communications link. The external I/O executable instructions for implementing the specified logi device/resource 28 may be for example, the handheld device. cal function(s). It should also be noted that, in Some alterna 0039. In general, the processor 20 executes computer pro tive implementations, the functions noted in the block may gram code such as the Management Tool 14a, which can be occur out of the order noted in the figures. For example, two stored in the memory 22A and/or storage system 22B. While blocks shown in Succession may, in fact, be executed Substan executing the computer program code, the processor 20 can tially concurrently, or the blocks may sometimes be executed read and/or write data to/from memory 22A, storage system in the reverse order, depending upon the functionality 22B, and/or I/O interface 24. The program code executes the involved. Each block of the flowchart, and combinations of US 2009/0300764 A1 Dec. 3, 2009 the flowchart illustrations can be implemented by special triggered by all Scripts, depending on the threshold (maxi purpose hardware-based systems that perform the specified mum) values set by the user or service provider. functions or acts, or combinations of special purpose hard 0051. At step 310, the program control makes a determi ware and computer instructions and/or software, as described nation as to whether there is a Web 2.0 heuristic. The Web 2.0 above. heuristics may be heuristics which interpret heavy interaction 0044 FIG. 2 shows a system overview with anti-heap with multiple Document Object Model (DOM) methods and spray in accordance with aspects of the invention. At step 200, properties as relating to Dynamic HTML (DHTML) due to the web browser is started. In embodiments, the control pro gram (e.g., detection logic) of the present invention can be Web 2.0 applications. This determination, although, optional, implemented as a browser plug-in which would configure is used to set the maximum threshold values for a Web 2.0 when the user starts the web browser. At step 205, a patch to application. For example, if a Web 2.0 heuristic is found, at the script libraries is initiated. In this processing, patches will step 315 the maximum heap spray value is increased to meet be provided to entry points of the relevant functions in order the requirements of the Web 2.0 heuristics. In embodiments, to jump' to the detection logic implementing the present the value for the total memory usage per Script thread is not invention. This may be achieved by, for example, in the con lower than the value for string allocation/concatenation. The tent of a web browser plug-in or in a secondary process with processes of steps 210 and 215 may be self-adjusting thresh debug privileges. old logic. 0045. At step 210, the user is ready to browse. At this 0.052 At step 320, the program control makes a determi processing stage, once everything is loaded/patched, the pro nation as to whether there is an excessive string concatena gram control will be in a default state. At step 215, the user tion. If so, at step 325, a callback is notified. That is, in begins to browse the World WideWeb. At step 220, HTML is embodiments, the callback decides what steps to take to rendered. eliminate or notify a user of the threat. This may include, for 0046. At step 225, a determination is made as to whether a example, denying the memory Script in progress, terminating Script is present. If a script is not present, the control logic will the Script in progress, notifying the logging mechanism and/ return to step 210. If the script is present, at step 230, the script is executed and the process returns to step 210. In embodi or user, etc. ments, at Step 230, the script being executed may be dynamic 0053. If an excessive string is not found at step 325, the HTML (DHTML). Those of skill in the art should understand process continues to step 330. At step 330, the program con that DHTML is frequently used by Web 2.0 applications. trol makes a determination as to whether the total memory When DHTML is added or modified, by a script engine, the footprint of a script thread exceeds a threshold value, e.g., web browser will be informed of the new content that needs exceeds a maximum user set value (or, in embodiments, the rendering. Web 2.0 heuristics adjusted value (versus string allocation/ 0047. During script execution, the patches will cause the concatenation size evaluation). If so, the process continues to code execution path to travel through the detection logic of step 325, as discussed above. If not, the process returns to step the present invention at which time a determination may be 305. made as to whether there is a heap spray event facilitating 0054 The terminology used herein is for the purpose of malware loading onto the computing system. This is dis describing particular embodiments only and is not intended to cussed in more detail in FIG. 3, below. It is noted that the be limiting of the invention. As used herein, the singular remediation methods of the present invention will not crash forms “a”, “an and “the are intended to include the plural the browser. forms as well, unless the context clearly indicates otherwise. 0048 FIG.3 shows a processing flow executing the detec It will be further understood that the terms “comprises' and/ tion logic of the present invention. At step 300, a patch is or “comprising, when used in this specification, specify the provided to script libraries of the web browser. In embodi presence of stated features, integers, steps, operations, ele ments, the script libraries may include open Source or closed ments, and/or components, but do not preclude the presence source libraries. The processes of step 300 are provided prior or addition of one or more other features, integers, steps, to web content requests, either by default or by the end user or operations, elements, components, and/or groups thereof. service provider. In further embodiments the hooks are pas sive and are encountered while the script processing is active 0055. The corresponding structures, materials, acts, and by the web browser or system, for example. equivalents of all means or step plus function elements, if any, 0049. The patch, in embodiments, permits the program in the claims below are intended to include any structure, control to temporarily take control to determine whether there material, or act for performing the function in combination is a malicious attack occurring on a computing system and with other claimed elements as specifically claimed. The more specifically on a web browser, as described herein. For description of the present invention has been presented for example, the patch allows the program control to peek into purposes of illustration and description, but is not intended to what values are being passed internally in the script engine be exhaustive or limited to the invention in the form disclosed. and stake steps to eliminate the threat with little or no impact Many modifications and variations will be apparent to those to the end user experience. In the event that the String concat of ordinary skill in the art without departing from the scope enation patch does not observe the heap spray mechanism, a and spirit of the invention. The embodiments were chosen and second set of patches that exist at a lower level will keep track described in order to best explain the principles of the inven of the total memory utilization by the script thread. This may tion and the practical application, and to enable others of work with a different threshold value. ordinary skill in the art to understand the invention for various 0050. At step 305, the process waits on the hooks. In embodiments with various modifications as are suited to the embodiments, the present invention is reactive and may not be particular use contemplated. US 2009/0300764 A1 Dec. 3, 2009

What is claimed is: 12. The method of claim 9, wherein the computer infra 1. A computer system, the computer system comprising: structure is operable to block execution of a shellcode by at a central processing unit; least one of denying a memory Script in progress, terminating first program instructions to protect web applications from a script in progress, and notifying a logging mechanism and/ malicious attacks by detecting an occurrence of heap OUS. spraying and blocking the occurrence of heap spraying: 13. The method of claim 9, wherein the computer infra wherein said first program instructions are stored on said structure is at least one maintained, deployed, created and computer system for execution by said central process Supported by a service provider. ing unit. 14. The method of claim 9, further comprising hooking, 2. The system of claim 1, wherein the first program instruc either in source code orbinary form, a string buffer allocation tions blocks execution of a shellcode by one of denying a routine and/or string buffer concatenation routine in each memory Script in progress, terminating a script in progress, Script library Supported by a given browser. and notifying a logging mechanism. 15. A computer program product for protecting web appli 3. The system of claim 1, wherein the first program instruc cations from malicious attacks, the computer program prod tions is tunable to flag an event when a certain memory uct comprising: allocation has been reached to prevent memory corruption a computer readable medium; and buffer overload Vulnerabilities. first program instructions to detect an occurrence of heap 4. The system of claim 1, wherein the first program instruc spray; and tions provides patches from closed-source and as open a second program instructions to block the occurrence of Source libraries to prevent the occurrence of the heap spray the heap spraying upon the first program instructions ing. detecting the heap spray thereby preventing execution of 5. The system of claim 1, wherein the first program instruc a shellcode, tions is at least one of maintained, deployed, created and wherein said first and second program instructions are Supported on a computing infrastructure by a service pro stored on said computer readable media. vider. 16. The computer program product of claim 15, wherein 6. The system of claim 1, wherein the first program instruc the second program instructions is configured to hook, either tions hooks, either in source code or binary form, a string in source code or binary form, a string buffer allocation rou buffer allocation routine and/or string buffer concatenation tine and/or string buffer concatenation routine in each script routine in each script library Supported by a given browser. library supported by a given browser: 7. The system of claim 6, wherein the first program instruc 17. The computer program product of claim 16, wherein tions knows a total allocation size for the string buffer allo the second program instructions is configured to at least one cation routine and/or string buffer concatenation routine and of: compare to a predetermined maximum value indicative of the compare a known total allocation size for a string buffer heap spraying and opt to block the allocation once the prede allocation routine and/or string buffer concatenation termined maximum value is reached routine and compare it to a predetermined maximum 8. The system of claim 1, wherein the first program instruc value indicative of the heap spraying; and tions to identifies when a thread exceeds a maximum value in identify when a thread exceeds a maximum value in order order to flag an event as the heap spraying. to flag an event as the heap spraying. 9. A method for preventing corruption of a web browser, 18. The computer program product of claim 15, wherein comprising providing a computer infrastructure being oper the second program instructions is tunable to detect a prede able to determine when a string concatenation or total termined memory allocation. memory footprint of a script thread exceeds a threshold value 19. The computer program product of claim 15, configured which is indicative of a heap spraying event, and block the to prevent exploitation of memory corruption and buffer over heap spray event. flow vulnerabilities. 10. The method of claim 9, wherein the computer infra 20. The computer program product of claim 15 is at least structure includes software, hardware or a combination of one of maintained, deployed, created and Supported by a software and hardware: service provider. 11. The method of claim 9, wherein the threshold value is tunable.