Conversation

Question: what scenarios does zero-memory-on-free mitigate that zero-mem-on-malloc doesn't? I have a hard time imagining any... For accesses via the new ptr it doesn't matter. Via the old ptr, it most likely doesn't matter either (it could have been accessed while the object was alive).
Quote Tweet
I love that there have probably been about 1000 emails on this topic on the KSPP list about how they're going to build a better PAX_MEMORY_SANITIZE, and finally after 3 years they've come full circle to how PAX_MEMORY_SANITIZE has always worked: openwall.com/lists/kernel-h
Replying to
I haven't looked at the threads, so I don't know the specific context. One of the main benefits of zero-on-free is purging potentially sensitive data quickly. It's also often safer to read zeroed data like NULL pointers leading to reliable faults instead of stale/dangling ones.
Replying to
Well, yes. But is it purely hypothetical? Is it just that, all else being equal, zeroing early is probably better? Zero-on-malloc prevents a very clear class of vulns/bugs -- using/leaking uninit data. Zero-on-free does not seem to prevent _anything_ on top of this. Or not?
Replying to
It's not hypothetical that eliminating sensitive data from memory earlier is helpful. That's not about preventing a class of vulnerabilities but rather reducing the impact of a compromise at a later point. It minimizes the lifetime of sensitive data. It's often done case-by-case.
Replying to
It's also not theoretical that some use-after-free bugs are mitigated by making the pointers that are read from the freed allocation NULL. If it's combined with checking for non-zero data on allocation, it can detect an ongoing use-after-free based on non-zero data being written.
Replying to
Having a quarantine to delay memory reuse is also related. That's part of how ASan is able to detect lots of use-after-free and double-free, but it also has an application in allocator hardening. A quarantine also doesn't have to be only FIFO. It can have some randomization too.
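The two replies above (NULLed pointers plus check-for-zero on allocation, and a quarantine delaying reuse) combined in one toy fixed-slot allocator. This is an added example, not code from the thread or from any real allocator; the slot count, sizes and function names are constructed for illustration.

```c
#include <string.h>
/* Toy fixed-slot allocator (constructed): zero-on-free + FIFO quarantine + zero check on alloc. */
#define SLOT_SIZE 64
#define NSLOTS 8
#define QUARANTINE 4                                 /* freed slots held back before reuse */
static _Alignas(16) unsigned char pool[NSLOTS][SLOT_SIZE];
static int free_stack[NSLOTS], nfree;                /* slots available for reuse */
static int quarantine[QUARANTINE], qhead, qcount;    /* freed, not yet reusable (FIFO) */
static int uaf_detected;                             /* allocations that found dirty memory */

void toy_init(void) {
    memset(pool, 0, sizeof pool);
    nfree = qhead = qcount = uaf_detected = 0;
    for (int i = NSLOTS - 1; i >= 0; i--) free_stack[nfree++] = i;
}

void *toy_malloc(void) {
    if (nfree == 0) return NULL;
    int idx = free_stack[--nfree];
    /* Slot was zeroed on free, so any non-zero byte means a write through a dangling pointer. */
    for (size_t i = 0; i < SLOT_SIZE; i++)
        if (pool[idx][i]) { uaf_detected++; memset(pool[idx], 0, SLOT_SIZE); break; }
    return pool[idx];
}

void toy_free(void *p) {
    int idx = (int)(((unsigned char *)p - (unsigned char *)pool) / SLOT_SIZE);
    memset(pool[idx], 0, SLOT_SIZE);                 /* zero-on-free: stale data gone now */
    if (qcount == QUARANTINE) {                      /* full: oldest entry becomes reusable */
        free_stack[nfree++] = quarantine[qhead];
        qhead = (qhead + 1) % QUARANTINE;
        qcount--;
    }
    quarantine[(qhead + qcount++) % QUARANTINE] = idx;
}

int toy_uaf_count(void) { return uaf_detected; }

/* A dangling read sees NULL instead of a stale pointer; a dangling write is caught when the
   quarantined slot is finally handed out again. Returns 1 when both behaviours are observed. */
int demo_uaf(void) {
    toy_init();
    struct obj { int *next; int val; } *a = toy_malloc();
    a->val = 7; a->next = &a->val;
    toy_free(a);
    int next_is_null = (a->next == NULL);            /* use-after-free read: NULL, not stale */
    a->val = 0x41;                                   /* use-after-free write into zeroed slot */
    void *p[7];
    for (int i = 0; i < 7; i++) p[i] = toy_malloc(); /* drain the other slots */
    for (int i = 0; i < 4; i++) toy_free(p[i]);      /* evict a's slot from the quarantine */
    toy_malloc();                                    /* reuses a's slot and finds the 0x41 */
    return next_is_null && toy_uaf_count() == 1;
}
```

A production allocator would report the dirty slot instead of silently re-zeroing it, and could randomize the quarantine order as the reply notes.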
Replying to
Consider having a sensitive conversation with someone in an encrypted messenger with ephemeral messages and then switching to other things with the app idling in the background. Alternatively, doing some browsing in Tor, closing tabs as you go. Later, the device is compromised.