I'm working on integrating Memory Protection Keys (lwn.net/Articles/64379) into my hardened allocator for protecting the metadata. Unfortunately, I can't verify it works and has low enough overhead until I get access to a Skylake-SP CPU so it will be stuck in a separate branch.
It's very easy to integrate since there are dedicated memory regions for metadata isolated from everything else. MPK allows toggling access to memory regions per-thread via a bit in a register, so the allocator can toggle metadata access on entry/exit.
Quote Tweet
Finished up the unified metadata region for my hardened allocator: github.com/AndroidHardeni It avoids reusing metadata address space for other purposes and vice versa along with having high entropy random guard regions. It will use Memory Protection Keys or memory tagging too.
It wouldn't be usable for this if it wasn't a register controlled by userspace. The whole point for this is that it allows for efficient transitions. I could be doing the same thing with mprotect but it would be several orders of magnitude too slow and would serialize it all too.
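The entry/exit toggle described in the thread, as an added example that is not from the thread's author or the allocator's own code. It assumes Linux with the glibc `pkey_*` wrappers (glibc 2.27 or later); `META_SIZE`, `meta_enter`, `meta_exit`, `no_access` and `mpk_metadata_demo` are hypothetical names, and the function reports 0 instead of failing when the CPU or kernel has no protection keys.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* glibc declares pkey_* only under _GNU_SOURCE */
#endif
#include <string.h>
#include <sys/mman.h>

#define META_SIZE (1u << 16)   /* assumed size of the metadata region */

#ifdef PKEY_DISABLE_ACCESS
static int meta_pkey = -1;     /* hypothetical allocator state */
static unsigned char *meta;

/* Allocator entry/exit: a userspace register write, per thread, no syscall. */
static void meta_enter(void) { pkey_set(meta_pkey, 0); }
static void meta_exit(void)  { pkey_set(meta_pkey, PKEY_DISABLE_ACCESS); }
static int no_access(void)   { return (pkey_get(meta_pkey) & PKEY_DISABLE_ACCESS) != 0; }
#endif

/* Returns 1 if the toggle ran on MPK hardware, 0 if MPK is unavailable, -1 on error. */
int mpk_metadata_demo(void)
{
#ifdef PKEY_DISABLE_ACCESS
    /* Fails when the CPU or kernel lacks protection keys. */
    meta_pkey = pkey_alloc(0, PKEY_DISABLE_ACCESS);
    if (meta_pkey < 0)
        return 0;

    meta = mmap(NULL, META_SIZE, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (meta == MAP_FAILED) { pkey_free(meta_pkey); return -1; }
    /* One-time slow path: tag the pages with the key and make them RW.
       The page tables now allow access; this thread's key rights still deny it. */
    int ok = pkey_mprotect(meta, META_SIZE, PROT_READ | PROT_WRITE, meta_pkey) == 0;
    ok = ok && no_access();                  /* state outside the allocator */

    meta_enter();                            /* e.g. at the top of malloc()/free() */
    ok = ok && !no_access();
    if (ok) { memset(meta, 0xA5, 64); ok = meta[63] == 0xA5; }
    meta_exit();                             /* before returning to the caller */
    ok = ok && no_access();

    munmap(meta, META_SIZE);
    pkey_free(meta_pkey);
    return ok ? 1 : -1;
#else
    return 0;                                /* libc without the pkey_* wrappers */
#endif
}

int main(void) { return mpk_metadata_demo() < 0; }
```

Only `pkey_alloc` and `pkey_mprotect` enter the kernel, and they run once at setup; the per-call cost is the two `pkey_set` calls.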