[tor-bugs] #10281 [Applications/Tor Browser]: Investigate usage of alternate memory allocators and memory hardening options
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Sep 9 04:10:39 UTC 2016
#10281: Investigate usage of alternate memory allocators and memory hardening
options
-------------------------------------------------+-------------------------
Reporter: mikeperry | Owner:
Type: enhancement | Status: new
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-security, tbb-hardened, | Actual Points:
TorBrowserTeam201609 |
Parent ID: | Points:
Reviewer: | Sponsor:
| SponsorU
-------------------------------------------------+-------------------------
Comment (by waxmiguel):
Replying to [ticket:10281 mikeperry]:
> One thing we can do to improve security of TBB is to build it with an
alternate semi-hardened malloc implementation that attempts to randomize
the allocation pattern and performs some minimal checks to guard against
heap overflows an reference count issues in Firefox (perhaps by also
enabling some additional reference count debugging features already in
Firefox).
>
> Such allocator behavior may make exploitation of various use-after-free
vulnerabilities more difficult, as it would be harder to predict the
location of reallocated regions during exploitation in order to get a
target object to overlay an incorrectly freed object.
>
> The downside is this will likely come at the performance costs of loss
of locality, increased fragmentation, and additional overhead of reference
count checks, but this may be an acceptable cost for improved hardening
against exploits.
>
> The first question is: are there any existing drop-in replacement memory
allocators we can use in place of Firefox's current jemalloc
implementation?
>
> The second question is will any of the Firefox refcounting checks
actually help, or will they just increase runtime for no real benefit?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10281#comment:28>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list