Conversation

I don’t know Zig, like, at all, but I think this page is probably pretty misleading. For instance: it says Zig is susceptible to UAF. But Zig wires its allocator not to reuse address space; if you touch freed memory, you’ll SEGV.

scattered-thoughts.net

How (memory) safe is zig?

Replying to

surely only for allocations large enough to have their own mapping?

Replying to

For the UAF exploit pattern to work, you have to have _reused_ memory.

Replying to

yes, but isn't performance going to be really bad if you never reuse freed memory. you're at the very least going to have a bunch more syscalls?

Replying to

and

Consider a loop that calls malloc(16) and free(16) repeatedly. Normally the allocations will always be in cache. But in an allocator that never reuses memory every new page will miss.

Replying to

and

Indeed this example will be slow, but who calls malloc/free in a hot loop? There's also a much more granular safety story - you could allow some of your trusted dependencies to be compiled in ReleaseFast mode but most of your application in ReleaseSafe.

Replying to

and

We've had a long time to determine the answer to the question of whether it matters in practice that the memory malloc returns is in cache, and the answer is that yes, it does.

Replying to

The state-of-the-art in hardened malloc is

@danielmicay

's github.com/GrapheneOS/har and it does quarantine for large objects only (I think, could be wrong).

github.com

GitHub - GrapheneOS/hardened_malloc: Hardened allocator designed for modern systems. It has...

Hardened allocator designed for modern systems. It has integration into Android's Bionic libc and can be used externally with musl and glibc as a dynamic library for use on other Linux-base...

Replying to

It has optional quarantines for both small and large allocations as separate features. Large means a mmap region with guards. In both cases, it has a random quarantine based on swapping with a random element in an array and a ring buffer as a queue for a deterministic delay.

Replying to

For the large allocation quarantine, it replaces the allocation with fresh PROT_NONE pages so it's essentially a virtual memory quarantine. Either way, it always deterministically detects any invalid free of any pointer that's not a valid non-free, non-quarantined allocation.

Replying to

By default, the configuration is very security centric with all security features enabled other than the somewhat superfluous MPK-based metadata protection. Quarantines are largely separate from the core code other than slab metadata having an extra bitmap for quarantined slots.

7:57 PM · Mar 22, 2021Twitter Web App

Replying to

and

Have you done measurements about the results of quarantining all allocations forever? I'm skeptical but interested in seeing results

Replying to

(One thing I've been learning at BigCo is how much $$$ tiny malloc perf improvements add up to at scale…)

Show replies

Replying to

The large allocation quarantine is extremely cheap since it just turns deallocation from munmap into a MAP_FIXED mmap with PROT_NONE. It also has to start doing munmap as a 2nd system call once the quarantine is filled and old allocations are being pushed out of it.