website/documentation/hardened_malloc.xhtml

<!DOCTYPE html>

<!-- Inferencium - Website - Documentation - hardened_malloc -->
<!-- Version: 3.0.0 -->

<!-- Copyright 2023 Jake Winters -->
<!-- SPDX-License-Identifier: BSD-3-Clause -->


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
		<head>
				<meta charset="utf-8"/>
				<meta name="viewport" content="width=device-width, initial-scale=1"/>
				<link rel="stylesheet" href="../main.css"/>
				<title>Inferencium - Documentation - hardened_malloc</title>
		</head>
		<body>
				<nav class="navbar">
						<div><a href="../index.xhtml"><img src="../asset/img/logo-inferencium-no_text.png" width="110" height="110" alt="Inferencium logo"/></a></div>
						<div><a href="../index.xhtml" class="title">Inferencium</a></div>
						<div><a href="../about.xhtml">About</a></div>
						<div><a href="../documentation.xhtml">Documentation</a></div>
						<div><a href="../source.xhtml">Source</a></div>
						<div><a href="../changelog.xhtml">Changelog</a></div>
						<div><a href="../blog.xhtml">Blog</a></div>
						<div><a href="../contact.xhtml">Contact</a></div>
						<div><a href="../directory.xhtml">Directory</a></div>
						<div><a href="../key.xhtml">Key</a></div>
				</nav>
				<h1 id="hardened_malloc"><a href="#hardened_malloc">Documentation - hardened_malloc</a></h1>
						<section id="introduction">
										<p>This documentation contains instructions to use
										<a href="https://github.com/GrapheneOS/hardened_malloc">hardened_malloc</a>
										memory allocator as the system's default memory allocator. These instructions
										apply to both musl and glibc C libraries on Unix-based and Unix-like
										systems.</p>
										<p>hardened_malloc can also be used per-application and/or per-user, in which
										case root permissions are not required; this documentation focuses on
										system-wide usage of hardened_malloc, assumes root privileges, and assumes the
										compiled library will be located in a path readable and executable by all users
										of the system.</p>
										<p>For the complete hardened_malloc documentation, visit its
										<a href="https://github.com/GrapheneOS/hardened_malloc#hardened_malloc">official documentation</a>.</p>
										<p>This documentation is also available in portable AsciiDoc format in my
										<a href="https://src.inferencium.net/Inferencium/doc/src/branch/stable/security/hardened_malloc.adoc">documentation source code repository</a>.</p>
						</section>
						<nav id="toc">
								<h2><a href="#toc">Table of Contents</a></h2>
										<ul>
												<li><a href="#memory_pages">Increase Permitted Amount of Memory Pages</a></li>
												<li><a href="#clone_source_code">Clone hardened_malloc Source Code</a></li>
												<li><a href="#enter_local_repository">Enter hardened_malloc Local Git Repository</a></li>
												<li><a href="#compile">Compile hardened_malloc</a></li>
												<li><a href="#copy_library">Copy Compiled hardened_malloc Library</a></li>
												<li><a href="#preload_on_boot">Set System to Preload hardened_malloc on Boot</a></li>
										</ul>
						</nav>
						<section id="memory_pages">
								<h2><a href="#memory_pages">Increase Permitted Amount of Memory Pages</a></h2>
										<p>Add <code>vm.max_map_count = 1048576</code> to
										<code>/etc/sysctl.conf</code> to accommodate hardened_malloc's large amount of
										guard pages.</p>
						</section>
						<section id="clone_source_code">
								<h2><a href="#clone_source_code">Clone hardened_malloc Source Code</a></h2>
										<p><code>$ git clone https://github.com/GrapheneOS/hardened_malloc.git</code></p>
						</section>
						<section id="enter_local_repository">
								<h2><a href="#enter_local_repository">Enter hardened_malloc Local Git Repository</a></h2>
										<p><code>$ cd hardened_malloc/</code></p>
						</section>
						<section id="compile">
								<h2><a href="#compile">Compile hardened_malloc</a></h2>
										<p><code>$ make <var>&lt;arguments&gt;</var></code></p>
										<p><code>CONFIG_N_ARENA=<var>n</var></code> can be adjusted to increase parallel
										performance at the expense of memory usage, or decrease memory usage at the
										expense of parallel performance, where <code><var>n</var></code> is a
										non-negative integer. Higher values prefer parallel performance, whereas lower
										values prefer lower memory usage. Note that having too many arenas may cause
										memory fragmentation and decrease system performance. The number of arenas has
										no impact on the security properties of hardened_malloc.</p>
										<table align="center">
												<thead>
														<tr>
																<th id="arena-min">Minimum</th>
																<th id="arena-max">Maximum</th>
																<th id="arena-def">Default</th>
														</tr>
												</thead>
												<tbody>
														<tr>
																<td headers="arena-min">1</td>
																<td headers="arena-max">256</td>
																<td headers="arena-def">4</td>
														</tr>
												</tbody>
										</table>
										<p>For extra security, <code>CONFIG_SEAL_METADATA=true</code> can be used in
										order to control whether
										<a href="https://www.kernel.org/doc/html/v6.7/core-api/protection-keys.html">Memory Protection Keys</a>
										are used to disable access to all writable allocator state outside of the memory
										allocator code. It's currently disabled by default due to a significant
										performance cost for this use case on current-generation hardware. Whether or
										not this feature is enabled, the metadata is all contained within an isolated
										memory region with high-entropy random guard regions around it.</p>
										<p>For low-memory systems, <code>VARIANT=light</code> can be used to compile the
										light variant of hardened_malloc, which sacrifices some security for much less
										memory usage. This option still produces a more hardened memory allocator than
										both the default musl and glibc allocators, despite the security sacrifices over
										the full variant.</p>
										<p>For all compile-time options, see the
										<a href="https://github.com/GrapheneOS/hardened_malloc#configuration">configuration section</a>
										of hardened_malloc's extensive official documentation.</p>
						</section>
						<section id="copy_library">
								<h2><a href="#copy_library">Copy Compiled hardened_malloc Library</a></h2>
										<p><code># cp out/libhardened_malloc.so <var>&lt;target path&gt;</var></code></p>
						</section>
						<section id="preload_on_boot">
								<h2><a href="#preload_on_boot">Set System to Preload hardened_malloc on Boot</a></h2>
										<p><b>musl-based systems:</b> Add
										<code>LD_PRELOAD=<var>&lt;hardened_malloc path&gt;</var></code> to
										<code>/etc/environment</code></p>
										<p><b>glibc-based systems:</b> Add
										<code><var>&lt;hardened_malloc path&gt;</var></code> to
										<code>/etc/ld.so.preload</code></p>
						</section>
		</body>
</html>
Add webpage "Documentation - hardened_malloc" version 1.0.0+5 2023-10-07 05:57:52 +01:00			`<!DOCTYPE html>`

Update webpage "Documentation - hardened_malloc" from version "2.0.0" to "3.0.0" 2024-01-30 22:25:56 +00:00			`<!-- Inferencium - Website - Documentation - hardened_malloc -->`
			`<!-- Version: 3.0.0 -->`
Add webpage "Documentation - hardened_malloc" version 1.0.0+5 2023-10-07 05:57:52 +01:00
			`<!-- Copyright 2023 Jake Winters -->`
			`<!-- SPDX-License-Identifier: BSD-3-Clause -->`


Update webpage "Documenation - hardened_malloc" from version "1.1.0" to "2.0.0" 2024-01-15 05:51:02 +00:00			`<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">`
Add webpage "Documentation - hardened_malloc" version 1.0.0+5 2023-10-07 05:57:52 +01:00			`<head>`
Update webpage "Documentation - hardened_malloc" from version 1.0.2+21 to 1.0.3 2023-11-16 21:38:08 +00:00			`<meta charset="utf-8"/>`
			`<meta name="viewport" content="width=device-width, initial-scale=1"/>`
			`<link rel="stylesheet" href="../main.css"/>`
Update webpage "Documentation - hardened_malloc" from version "2.0.0" to "3.0.0" 2024-01-30 22:25:56 +00:00			`<title>Inferencium - Documentation - hardened_malloc</title>`
Add webpage "Documentation - hardened_malloc" version 1.0.0+5 2023-10-07 05:57:52 +01:00			`</head>`
			`<body>`
Update webpage "Documentation - hardened_malloc" from version 1.0.3 to 1.1.0 2023-11-24 01:40:36 +00:00			`<nav class="navbar">`
Update webpage "Documentation - hardened_malloc" from version "2.0.0" to "3.0.0" 2024-01-30 22:25:56 +00:00			`<div><a href="../index.xhtml"><img src="../asset/img/logo-inferencium-no_text.png" width="110" height="110" alt="Inferencium logo"/></a></div>`
Update webpage "Documenation - hardened_malloc" from version "1.1.0" to "2.0.0" 2024-01-15 05:51:02 +00:00			`<div><a href="../index.xhtml" class="title">Inferencium</a></div>`
			`<div><a href="../about.xhtml">About</a></div>`
			`<div><a href="../documentation.xhtml">Documentation</a></div>`
			`<div><a href="../source.xhtml">Source</a></div>`
			`<div><a href="../changelog.xhtml">Changelog</a></div>`
Update webpage "Documentation - hardened_malloc" from version "2.0.0" to "3.0.0" 2024-01-30 22:25:56 +00:00			`<div><a href="../blog.xhtml">Blog</a></div>`
			`<div><a href="../contact.xhtml">Contact</a></div>`
Update webpage "Documenation - hardened_malloc" from version "1.1.0" to "2.0.0" 2024-01-15 05:51:02 +00:00			`<div><a href="../directory.xhtml">Directory</a></div>`
Update webpage "Documentation - hardened_malloc" from version "2.0.0" to "3.0.0" 2024-01-30 22:25:56 +00:00			`<div><a href="../key.xhtml">Key</a></div>`
Update webpage "Documentation - hardened_malloc" from version 1.0.2+21 to 1.0.3 2023-11-16 21:38:08 +00:00			`</nav>`
Update webpage "Documentation - hardened_malloc" from version "2.0.0" to "3.0.0" 2024-01-30 22:25:56 +00:00			`<h1 id="hardened_malloc"><a href="#hardened_malloc">Documentation - hardened_malloc</a></h1>`
			`<section id="introduction">`
			`<p>This documentation contains instructions to use`
			`<a href="https://github.com/GrapheneOS/hardened_malloc">hardened_malloc</a>`
			`memory allocator as the system's default memory allocator. These instructions`
			`apply to both musl and glibc C libraries on Unix-based and Unix-like`
			`systems.</p>`
			`<p>hardened_malloc can also be used per-application and/or per-user, in which`
			`case root permissions are not required; this documentation focuses on`
			`system-wide usage of hardened_malloc, assumes root privileges, and assumes the`
			`compiled library will be located in a path readable and executable by all users`
			`of the system.</p>`
			`<p>For the complete hardened_malloc documentation, visit its`
			`<a href="https://github.com/GrapheneOS/hardened_malloc#hardened_malloc">official documentation</a>.</p>`
			`<p>This documentation is also available in portable AsciiDoc format in my`
			`<a href="https://src.inferencium.net/Inferencium/doc/src/branch/stable/security/hardened_malloc.adoc">documentation source code repository</a>.</p>`
			`</section>`
			`<nav id="toc">`
			`<h2><a href="#toc">Table of Contents</a></h2>`
			`<ul>`
			`<li><a href="#memory_pages">Increase Permitted Amount of Memory Pages</a></li>`
			`<li><a href="#clone_source_code">Clone hardened_malloc Source Code</a></li>`
			`<li><a href="#enter_local_repository">Enter hardened_malloc Local Git Repository</a></li>`
			`<li><a href="#compile">Compile hardened_malloc</a></li>`
			`<li><a href="#copy_library">Copy Compiled hardened_malloc Library</a></li>`
			`<li><a href="#preload_on_boot">Set System to Preload hardened_malloc on Boot</a></li>`
			`</ul>`
			`</nav>`
			`<section id="memory_pages">`
			`<h2><a href="#memory_pages">Increase Permitted Amount of Memory Pages</a></h2>`
			`<p>Add <code>vm.max_map_count = 1048576</code> to`
			`<code>/etc/sysctl.conf</code> to accommodate hardened_malloc's large amount of`
			`guard pages.</p>`
			`</section>`
			`<section id="clone_source_code">`
			`<h2><a href="#clone_source_code">Clone hardened_malloc Source Code</a></h2>`
			`<p><code>$ git clone https://github.com/GrapheneOS/hardened_malloc.git</code></p>`
			`</section>`
			`<section id="enter_local_repository">`
			`<h2><a href="#enter_local_repository">Enter hardened_malloc Local Git Repository</a></h2>`
			`<p><code>$ cd hardened_malloc/</code></p>`
			`</section>`
			`<section id="compile">`
			`<h2><a href="#compile">Compile hardened_malloc</a></h2>`
			`<p><code>$ make <var><arguments></var></code></p>`
			`<p><code>CONFIG_N_ARENA=<var>n</var></code> can be adjusted to increase parallel`
			`performance at the expense of memory usage, or decrease memory usage at the`
			`expense of parallel performance, where <code><var>n</var></code> is a`
			`non-negative integer. Higher values prefer parallel performance, whereas lower`
			`values prefer lower memory usage. Note that having too many arenas may cause`
			`memory fragmentation and decrease system performance. The number of arenas has`
			`no impact on the security properties of hardened_malloc.</p>`
			`<table align="center">`
			`<thead>`
			`<tr>`
			`<th id="arena-min">Minimum</th>`
			`<th id="arena-max">Maximum</th>`
			`<th id="arena-def">Default</th>`
			`</tr>`
			`</thead>`
			`<tbody>`
			`<tr>`
			`<td headers="arena-min">1</td>`
			`<td headers="arena-max">256</td>`
			`<td headers="arena-def">4</td>`
			`</tr>`
			`</tbody>`
			`</table>`
			`<p>For extra security, <code>CONFIG_SEAL_METADATA=true</code> can be used in`
			`order to control whether`
			`<a href="https://www.kernel.org/doc/html/v6.7/core-api/protection-keys.html">Memory Protection Keys</a>`
			`are used to disable access to all writable allocator state outside of the memory`
			`allocator code. It's currently disabled by default due to a significant`
			`performance cost for this use case on current-generation hardware. Whether or`
			`not this feature is enabled, the metadata is all contained within an isolated`
			`memory region with high-entropy random guard regions around it.</p>`
			`<p>For low-memory systems, <code>VARIANT=light</code> can be used to compile the`
			`light variant of hardened_malloc, which sacrifices some security for much less`
			`memory usage. This option still produces a more hardened memory allocator than`
			`both the default musl and glibc allocators, despite the security sacrifices over`
			`the full variant.</p>`
			`<p>For all compile-time options, see the`
			`<a href="https://github.com/GrapheneOS/hardened_malloc#configuration">configuration section</a>`
			`of hardened_malloc's extensive official documentation.</p>`
			`</section>`
			`<section id="copy_library">`
			`<h2><a href="#copy_library">Copy Compiled hardened_malloc Library</a></h2>`
			`<p><code># cp out/libhardened_malloc.so <var><target path></var></code></p>`
			`</section>`
			`<section id="preload_on_boot">`
			`<h2><a href="#preload_on_boot">Set System to Preload hardened_malloc on Boot</a></h2>`
			`<p><b>musl-based systems:</b> Add`
			`<code>LD_PRELOAD=<var><hardened_malloc path></var></code> to`
			`<code>/etc/environment</code></p>`
			`<p><b>glibc-based systems:</b> Add`
			`<code><var><hardened_malloc path></var></code> to`
			`<code>/etc/ld.so.preload</code></p>`
			`</section>`
Add webpage "Documentation - hardened_malloc" version 1.0.0+5 2023-10-07 05:57:52 +01:00			`</body>`
			`</html>`