doc/security/hardened_malloc.adoc


GrapheneOS hardened_malloc

Version: 0.1.1.13

This documentation contains instructions for using the GrapheneOS hardened_malloc memory allocator as the system's default memory allocator. These instructions apply to both the musl and glibc C libraries on Unix-based and Unix-like systems. hardened_malloc can also be used per-application and/or per-user, in which case root permissions are not required; this documentation focuses on system-wide usage of hardened_malloc, assumes root privileges, and assumes the compiled library will be located in a path readable by all users of the system.

Increase Permitted Amount of Memory Pages

Add vm.max_map_count = 1048576 to /etc/sysctl.conf to accommodate hardened_malloc's large number of guard pages.

Clone hardened_malloc Source Code

Enter hardened_malloc Local Git Repository

$ cd hardened_malloc/

Compile hardened_malloc

$ make <arguments>

CONFIG_N_ARENA=n, where n is an integer, can be adjusted to trade memory usage against parallel performance: higher values favour parallel performance, lower values favour lower memory usage. The number of arenas has no impact on the security properties of hardened_malloc.

  • Minimum number of arenas: 1

  • Maximum number of arenas: 256

For extra security, CONFIG_SEAL_METADATA=true can be used to enable Memory Protection Keys, which disable access to all writable allocator state outside of the memory allocator code. It is currently disabled by default due to a significant performance cost for this use case on current generation hardware. Whether or not this feature is enabled, the metadata is all contained within an isolated memory region with high-entropy random guard regions around it.

For low-memory systems, VARIANT=light can be used to compile the light variant of hardened_malloc, which sacrifices some security for much less memory usage.

For all compile-time options, see the configuration section of hardened_malloc's extensive official documentation.

Copy Compiled hardened_malloc Library

# cp out/libhardened_malloc.so <target_path>

Set System to Preload hardened_malloc on Boot

musl-based systems: Add export LD_PRELOAD="<hardened_malloc_path>" to /etc/environment.

glibc-based systems: Add <hardened_malloc_path> to /etc/ld.so.preload.
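The following script is an added example and is not part of the hardened_malloc documentation or the GrapheneOS project; it ties the steps above (sysctl value, make arguments, library placement, preload configuration) into a set of checks a practitioner can run before and after deploying the allocator system-wide. The install path /usr/local/lib/libhardened_malloc.so, the arena count of 4 and the function names are assumptions for illustration; the option names and the vm.max_map_count value are the ones given above.

```shell
#!/bin/sh
# Added example (not from the hardened_malloc docs): deployment checklist for a
# system-wide hardened_malloc install. HM_LIB is an assumed install location.

HM_LIB="${HM_LIB:-/usr/local/lib/libhardened_malloc.so}"   # assumed path
HM_MIN_MAP_COUNT=1048576                                    # value from the docs

# Arena count must be an integer in the documented range 1..256.
valid_arena_count() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 256 ]
}

# Build the argument string for "make": arena count, metadata sealing (true/false)
# and, only when requested, the light variant. Example: build_args 4 true light
build_args() {
  valid_arena_count "$1" || return 1
  args="CONFIG_N_ARENA=$1 CONFIG_SEAL_METADATA=${2:-false}"
  if [ "$3" = light ]; then args="$args VARIANT=light"; fi
  echo "$args"
}

# Succeed when vm.max_map_count (read from the given file, default the live
# kernel value) meets the minimum the docs ask for.
map_count_ok() {
  n=$(cat "${1:-/proc/sys/vm/max_map_count}") || return 1
  [ "$n" -ge "$HM_MIN_MAP_COUNT" ]
}

# A globally preloaded library runs inside every process on the system, so it
# must be readable by all users and writable by nobody except its (root) owner.
# Accepts mode strings such as -rw-r--r-- and -r-xr-xr-x, rejects g/o-writable.
lib_perms_ok() {
  mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10) || return 1
  [ -n "$mode" ] || return 1
  case "$mode" in
    -r??r-?r-?) return 0 ;;
    *)          return 1 ;;
  esac
}

# Owner of the library file; expected to be root on a production system.
lib_owner() {
  ls -ld "$1" 2>/dev/null | awk '{ print $3 }'
}

# Produce the configuration line the docs specify for the given C library.
preload_line() {
  case "$1" in
    musl)  echo "export LD_PRELOAD=\"$2\"" ;;   # goes in /etc/environment
    glibc) echo "$2" ;;                         # goes in /etc/ld.so.preload
    *)     return 1 ;;
  esac
}

# Verify that a process actually has hardened_malloc mapped, by reading
# /proc/<pid>/maps (default: this shell). Any file in maps format works.
is_preloaded() {
  grep -q 'libhardened_malloc\.so' "${1:-/proc/self/maps}"
}

# Report the live state of the machine; run as: sh hm_check.sh check
run_checklist() {
  rc=0
  map_count_ok            && echo "PASS vm.max_map_count" || { echo "FAIL vm.max_map_count"; rc=1; }
  lib_perms_ok "$HM_LIB"  && echo "PASS permissions on $HM_LIB" || { echo "FAIL permissions on $HM_LIB"; rc=1; }
  [ "$(lib_owner "$HM_LIB")" = root ] && echo "PASS owner root" || { echo "FAIL owner not root"; rc=1; }
  is_preloaded            && echo "PASS this shell uses hardened_malloc" || { echo "FAIL not preloaded in this shell"; rc=1; }
  return $rc
}

if [ "$1" = check ]; then run_checklist; fi
```

A value written to /etc/sysctl.conf takes effect at the next boot; sysctl -p applies the file immediately. Note that both dynamic linkers ignore an LD_PRELOAD path for set-user-ID and set-group-ID executables (secure-execution mode), so on musl the /etc/environment method does not cover those programs, whereas glibc honours /etc/ld.so.preload for them as well; is_preloaded run against such a process's maps file shows which case applies.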