[tor-bugs] #10281 [Applications/Tor Browser]: Investigate usage of alternate memory allocators and memory hardening options

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Sep 9 04:10:39 UTC 2016


#10281: Investigate usage of alternate memory allocators and memory hardening
options
-------------------------------------------------+-------------------------
 Reporter:  mikeperry                            |          Owner:
     Type:  enhancement                          |         Status:  new
 Priority:  High                                 |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-security, tbb-hardened,          |  Actual Points:
  TorBrowserTeam201609                           |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
                                                 |  SponsorU
-------------------------------------------------+-------------------------

Comment (by waxmiguel):

 Replying to [ticket:10281 mikeperry]:
 > One thing we can do to improve security of TBB is to build it with an
 alternate semi-hardened malloc implementation that attempts to randomize
 the allocation pattern and performs some minimal checks to guard against
 heap overflows and reference count issues in Firefox (perhaps by also
 enabling some additional reference count debugging features already in
 Firefox).
 >
 > Such allocator behavior may make exploitation of various use-after-free
 vulnerabilities more difficult, as it would be harder to predict the
 location of reallocated regions during exploitation in order to get a
 target object to overlay an incorrectly freed object.
 >
 > The downside is this will likely come at the performance costs of loss
 of locality, increased fragmentation, and additional overhead of reference
 count checks, but this may be an acceptable cost for improved hardening
 against exploits.
 >
 > The first question is: are there any existing drop-in replacement memory
 allocators we can use in place of Firefox's current jemalloc
 implementation?
 >
 > The second question is will any of the Firefox refcounting checks
 actually help, or will they just increase runtime for no real benefit?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10281#comment:28>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
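
The use-after-free point in the quoted ticket text can be illustrated with a toy model. This is an added example, not code from the ticket, Firefox, or jemalloc. It counts how often the allocation that follows a free lands on the freed slot, under LIFO reuse and under random free-slot selection. The pool size, the xorshift32 generator, and all names (pool_t, overlay_hits, and so on) are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#define SLOTS 64                 /* toy size-class pool; size is an assumption */

/* Fixed-seed xorshift32 for reproducibility; a real allocator would use a CSPRNG. */
static uint32_t rng_state = 0x10281u;
static uint32_t rng_next(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

typedef struct {
    int free_list[SLOTS];        /* indices of free slots, used as a stack */
    int nfree;
    int randomized;              /* 0 = LIFO reuse, 1 = random free slot */
} pool_t;

static int pool_alloc(pool_t *p) {
    if (p->nfree == 0) return -1;
    int pick = p->nfree - 1;     /* LIFO: the most recently freed slot */
    if (p->randomized) pick = (int)(rng_next() % (uint32_t)p->nfree);
    int slot = p->free_list[pick];
    p->free_list[pick] = p->free_list[--p->nfree];   /* swap-remove */
    return slot;
}

static void pool_free(pool_t *p, int slot) { p->free_list[p->nfree++] = slot; }

/* Free one live object, allocate once, and count how often the new object
   lands on the freed slot (the overlay a use-after-free depends on). */
int overlay_hits(int randomized, int trials, int live) {
    pool_t p = { .nfree = SLOTS, .randomized = randomized };
    int hits = 0, slots[SLOTS];
    if (live < 1 || live > SLOTS) return -1;
    for (int i = 0; i < SLOTS; i++) p.free_list[i] = i;
    for (int i = 0; i < live; i++) slots[i] = pool_alloc(&p);
    for (int t = 0; t < trials; t++) {
        int i = t % live, victim = slots[i];
        pool_free(&p, victim);
        slots[i] = pool_alloc(&p);
        hits += (slots[i] == victim);
    }
    return hits;
}

int main(void) {
    printf("LIFO %d, randomized %d of 10000\n", overlay_hits(0, 10000, 16), overlay_hits(1, 10000, 16));
    return 0;
}
```

With 16 live objects in a 64-slot pool, LIFO reuse overlays the freed slot every time, while random selection does so roughly once in 49 attempts. The model ignores the locality and fragmentation costs the ticket mentions.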

