Re: hardened memory allocate port to linux-fedora system for secutiry

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 8/26/22 12:22, Daniel Micay via devel wrote:
> Also, you hardened_malloc doesn't use a thread cache for security
> reasons. It invalidates many of the security properties. If you compare
> to glibc malloc in the light configuration with tcache disabled in glibc
> malloc it will compare well, and hardened_malloc can scale better when
> given enough arenas. If you want to make the substantial security
> sacrifices required for a traditional thread cache, then I don't think
> hardened_malloc makes sense, which is why it doesn't include the option
> to do thread caching even though it'd be easy to implement. It may one
> day include the option to do thread batched allocation, but it isn't
> feasible to do it for deallocation without losing a ton of the strong
> security properties.

I'm an upstream glibc developer, but I've tried to remove my bias here and present
the facts as they are for the existing heap-based allocator that is in use by the
distributions today and why it's hard to change.

(1) Pick your own allocator vs. use the default.

We allow any end user to make those choices by interposing the final allocator with
an allocator of their choice depending on specific workload criteria. This means
that distributions don't have a strong incentive to change system allocators unless
they are making a strategic change in their core values or vision for the distribution
(like Graphene OS makes for security).

At the ELF level we make sure that we can interpose a new allocator, and we work
carefully to ensure that newer features at the compiler level can be supported
incrementally (_FORTIFIY_SOURCE=3 and __builtin_dynamic_object_size) by newer
allocators.

In summary: If the "good enough" allocator doesn't meet your requirements, then
            you can use one of the alternatives.

(2) Switching the default vs. improving the default.

It is arguably lower TCO for all distributions using glibc to improve glibc's
malloc. Some improvements can't be made, but some buy enough benefit that there
is no strong reason to change allocators.

For example:
- jemalloc/tcmalloc used a fast per-thread cache.
  - glibc implemented fast per-thread caching in 2.26 (2017) (DJ Delorie's work)

- Chromium started using safe-linking pointer hardening.
  - glibc implemented safe-linking pointer hardening for fastbins and tcache (2020) (Eyal Itkin's work)

Next steps for glibc's malloc is probably:

- Improve internal fragmentation [1]
- Round-robin arena assignment with uniform arena assignment as a goal.
- Provide a packed arena for sub 16-byte sized allocations to improve utilization.
 - We have seen some C++ workloads/frameworks that create trillions of 13-byte objects.

(3) Requirements vs. change.

While Facebook/BSD (jemalloc), Google (tcmalloc), Microsoft (mimalloc) have very
good allocators, issues seen with those allocators can be more difficult to
correct because of the impact those changes have on wider workloads beyond
distribution workloads.

For example if Graphene OS, with it's own goals, and Fedora with it's own goals
had a conflict of interest for the direction of the allocator e.g. cost vs.
security, what kind of choice would the hardened_allocator maintainers make?

Upstream glibc has largely been aligned with traditional distribution
requirements for a long time, and continues to be aligned with the notion
of a "general purpose" distribution via the contributors and deep network
of developers in the distributions:
https://sourceware.org/glibc/wiki/MAINTAINERS#Distribution_Maintainers

---

The combination of (1), (2) and (3) mean that for general purpose
distributions the choice of staying with glibc's malloc means having
an ecosystem of distributions that are using the same allocator and
benefit from wide application testing and development and support
when required.

It would be easier to approach glibc upstream and convince them that the
default allocator in glibc should be replaced with hardened_alloc or
jemalloc or tcmalloc or mimalloc...

-- 
Cheers,
Carlos.

[1] https://patchwork.sourceware.org/project/glibc/patch/xn4jz19fts.fsf@xxxxxxxxxxxxxxxxx/
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux