
Consider a design similar to Chrome's MiraclePtr to mitigate UAF

Open jvoisin opened this issue 3 years ago • 3 comments

Chrome recently published their approach to mitigate UAF, and it does look decent and proper.

Do we want to use a similar approach?

jvoisin avatar Sep 16 '22 14:09 jvoisin

Memory Tagging in IsoAlloc is inspired by one of the MiraclePtr proposals, MTECheckedPtr. In order to build a BackupRefPtr on top of IsoAlloc you'd just need to implement a segment of memory that stored ref count metadata, similar to how I did it in the memory tagging support. Shipping something like this with IsoAlloc would be pretty straightforward.

Another approach could also be considered where IsoAlloc has generic APIs that allow you to store metadata per pointer, which would allow you to build all kinds of smart pointer types, but in the general case it would be less performant than something that was tightly coupled to the allocator.

struct avatar Sep 17 '22 18:09 struct
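A sketch of the design described above (ref count metadata kept in a segment separate from user memory, with free() deferring the real release while references remain), as an added example that is not IsoAlloc's own code. The `brp_*` names, the four-slot slab and the poison byte are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BRP_SLOTS 4
#define BRP_SLOT_SIZE 32

enum brp_state { BRP_FREE = 0, BRP_LIVE = 1, BRP_DANGLING = 2 };

/* User memory and side metadata live in separate regions (hypothetical
 * layout): an overflow inside a slot cannot clobber that slot's refcount. */
static uint8_t brp_slab[BRP_SLOTS * BRP_SLOT_SIZE];
static struct { uint32_t refs; uint8_t state; } brp_meta[BRP_SLOTS];

static int brp_index(const void *p) {
    uintptr_t off = (uintptr_t)p - (uintptr_t)brp_slab;
    if ((const uint8_t *)p < brp_slab || off >= sizeof(brp_slab)) return -1;
    return (int)(off / BRP_SLOT_SIZE);
}

void *brp_alloc(void) {
    for (int i = 0; i < BRP_SLOTS; i++) {
        if (brp_meta[i].state == BRP_FREE) {
            brp_meta[i].state = BRP_LIVE;
            return brp_slab + (size_t)i * BRP_SLOT_SIZE;
        }
    }
    return NULL; /* every slot is live or still referenced by a raw_ptr */
}

/* Called when a BackupRefPtr starts / stops pointing at the allocation. */
void brp_acquire(void *p) { int i = brp_index(p); if (i >= 0) brp_meta[i].refs++; }
void brp_release(void *p) {
    int i = brp_index(p);
    if (i < 0 || brp_meta[i].refs == 0) return;
    if (--brp_meta[i].refs == 0 && brp_meta[i].state == BRP_DANGLING)
        brp_meta[i].state = BRP_FREE;   /* last reference gone: really release */
}

/* free(): poison the slot and hold it while any BackupRefPtr references it. */
void brp_free(void *p) {
    int i = brp_index(p);
    if (i < 0 || brp_meta[i].state != BRP_LIVE) return;
    memset(p, 0xAA, BRP_SLOT_SIZE);
    brp_meta[i].state = brp_meta[i].refs ? BRP_DANGLING : BRP_FREE;
}

/* The check a BackupRefPtr dereference consults before touching memory. */
int brp_is_live(const void *p) { int i = brp_index(p); return i >= 0 && brp_meta[i].state == BRP_LIVE; }
```

The held slot is what makes a use-after-free a detectable dereference of poisoned memory rather than a silent read of whatever was allocated next; this is also why a quarantine becomes redundant once such metadata exists.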

BackupRefPtr documentation

struct avatar Sep 17 '22 19:09 struct

> Shipping something like this with IsoAlloc would be pretty straightforward.

If such a primitive would be adopted, it would render the whole quarantine mechanism redundant I think.

jvoisin avatar Sep 17 '22 19:09 jvoisin