Fix 1st-level heading and section indentation

inference 2024-01-29 20:23:29 +00:00
parent 90911cc33c
commit 67b88c3af1
Signed by: inference
SSH Key Fingerprint: SHA256:FtEVfx1CmTKMy40VwZvF4k+3TC+QhCWy+EmPRg50Nnc

@ -1,7 +1,7 @@
<!DOCTYPE html> <!DOCTYPE html>
<!-- Inferencium - Website - Documentation - hardened_malloc --> <!-- Inferencium - Website - Documentation - hardened_malloc -->
<!-- Version: 3.0.0-alpha.8 --> <!-- Version: 3.0.0-alpha.9 -->
<!-- Copyright 2023 Jake Winters --> <!-- Copyright 2023 Jake Winters -->
<!-- SPDX-License-Identifier: BSD-3-Clause --> <!-- SPDX-License-Identifier: BSD-3-Clause -->
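Review bot: The copyright comment on the line after the version bump still reads "Copyright 2023" although this commit is dated 2024-01-29 and changes the file to 3.0.0-alpha.9. If the project's convention is to extend the year when a file is modified, update it in the same change as the version comment; if the convention is first-publication year only, nothing to do here.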
@ -27,83 +27,87 @@
<div><a href="../directory.xhtml">Directory</a></div> <div><a href="../directory.xhtml">Directory</a></div>
<div><a href="../key.xhtml">Key</a></div> <div><a href="../key.xhtml">Key</a></div>
</nav> </nav>
<section id="introduction"> <h1 id="hardened_malloc"><a href="#hardened_malloc">Documentation - hardened_malloc</a></h1>
<h1 id="introduction"><a href="#introduction">Documentation - hardened_malloc</a></h1> <section id="introduction">
<p>This documentation contains instructions to use <p>This documentation contains instructions to use
<a href="https://github.com/GrapheneOS/hardened_malloc">hardened_malloc</a> <a href="https://github.com/GrapheneOS/hardened_malloc">hardened_malloc</a>
memory allocator as the system's default memory allocator. These instructions apply to memory allocator as the system's default memory allocator. These instructions
both musl and glibc C libraries on Unix-based and Unix-like systems.</p> apply to both musl and glibc C libraries on Unix-based and Unix-like
<p>hardened_malloc can also be used per-application and/or per-user, in which case root systems.</p>
permissions are not required; this documentation focuses on system-wide usage of <p>hardened_malloc can also be used per-application and/or per-user, in which
hardened_malloc, assumes root privileges, and assumes the compiled library will be case root permissions are not required; this documentation focuses on
located in a path readable and executable by all users of the system.</p> system-wide usage of hardened_malloc, assumes root privileges, and assumes the
<p>For the complete hardened_malloc documentation, visit its compiled library will be located in a path readable and executable by all users
<a href="https://github.com/GrapheneOS/hardened_malloc#hardened_malloc">official documentation</a>.</p> of the system.</p>
<p>This documentation is also available in portable AsciiDoc format in my <p>For the complete hardened_malloc documentation, visit its
<a href="https://src.inferencium.net/Inferencium/doc/src/branch/stable/security/hardened_malloc.adoc">documentation source code repository</a>.</p> <a href="https://github.com/GrapheneOS/hardened_malloc#hardened_malloc">official documentation</a>.</p>
</section> <p>This documentation is also available in portable AsciiDoc format in my
<nav id="toc"> <a href="https://src.inferencium.net/Inferencium/doc/src/branch/stable/security/hardened_malloc.adoc">documentation source code repository</a>.</p>
<h2 id="toc"><a href="#toc">Table of Contents</a></h2> </section>
<ul> <nav id="toc">
<li><a href="#memory_pages">Increase Permitted Amount of Memory Pages</a></li> <h2 id="toc"><a href="#toc">Table of Contents</a></h2>
<li><a href="#clone_source_code">Clone hardened_malloc Source Code</a></li> <ul>
<li><a href="#enter_local_repository">Enter hardened_malloc Local Git Repository</a></li> <li><a href="#memory_pages">Increase Permitted Amount of Memory Pages</a></li>
<li><a href="#compile">Compile hardened_malloc</a></li> <li><a href="#clone_source_code">Clone hardened_malloc Source Code</a></li>
<li><a href="#copy_library">Copy Compiled hardened_malloc Library</a></li> <li><a href="#enter_local_repository">Enter hardened_malloc Local Git Repository</a></li>
<li><a href="#preload_on_boot">Set System to Preload hardened_malloc on Boot</a></li> <li><a href="#compile">Compile hardened_malloc</a></li>
</ul> <li><a href="#copy_library">Copy Compiled hardened_malloc Library</a></li>
</nav> <li><a href="#preload_on_boot">Set System to Preload hardened_malloc on Boot</a></li>
<section id="memory_pages"> </ul>
<h2 id="memory_pages"><a href="#memory_pages">Increase Permitted Amount of Memory Pages</a></h2> </nav>
<p>Add <code>vm.max_map_count = 1048576</code> to <section id="memory_pages">
<code>/etc/sysctl.conf</code> to accommodate hardened_malloc's large amount of guard <h2 id="memory_pages"><a href="#memory_pages">Increase Permitted Amount of Memory Pages</a></h2>
pages.</p> <p>Add <code>vm.max_map_count = 1048576</code> to
</section> <code>/etc/sysctl.conf</code> to accommodate hardened_malloc's large amount of
<section id="clone_source_code"> guard pages.</p>
<h2 id="clone_source_code"><a href="#clone_source_code">Clone hardened_malloc Source Code</a></h2> </section>
<p><code>$ git clone https://github.com/GrapheneOS/hardened_malloc.git</code></p> <section id="clone_source_code">
</section> <h2 id="clone_source_code"><a href="#clone_source_code">Clone hardened_malloc Source Code</a></h2>
<section id="enter_local_repository"> <p><code>$ git clone https://github.com/GrapheneOS/hardened_malloc.git</code></p>
<h2 id="enter_local_repository"><a href="#enter_local_repository">Enter hardened_malloc Local Git Repository</a></h2> </section>
<p><code>$ cd hardened_malloc/</code></p> <section id="enter_local_repository">
</section> <h2 id="enter_local_repository"><a href="#enter_local_repository">Enter hardened_malloc Local Git Repository</a></h2>
<section id="compile"> <p><code>$ cd hardened_malloc/</code></p>
<h2 id="compile"><a href="#compile">Compile hardened_malloc</a></h2> </section>
<p><code>$ make <var>&lt;arguments&gt;</var></code></p> <section id="compile">
<p><code>CONFIG_N_ARENA=<var>n</var></code> can be adjusted to increase parallel <h2 id="compile"><a href="#compile">Compile hardened_malloc</a></h2>
performance at the expense of memory usage, or decrease memory usage at the expense of <p><code>$ make <var>&lt;arguments&gt;</var></code></p>
parallel performance, where <var>n</var> is an integer. Higher values prefer parallel <p><code>CONFIG_N_ARENA=<var>n</var></code> can be adjusted to increase parallel
performance, whereas lower values prefer lower memory usage. Note that having too many performance at the expense of memory usage, or decrease memory usage at the
arenas may cause memory fragmentation and decrease system performance. The number of expense of parallel performance, where <var>n</var> is an integer. Higher values
arenas has no impact on the security properties of hardened_malloc.</p> prefer parallel performance, whereas lower values prefer lower memory usage.
<p><b>Minimum number of arenas:</b> 1</p> Note that having too many arenas may cause memory fragmentation and decrease
<p><b>Maximum number of arenas:</b> 256</p> system performance. The number of arenas has no impact on the security
<p>For extra security, <code>CONFIG_SEAL_METADATA=true</code> can be used in order to properties of hardened_malloc.</p>
control whether Memory Protection Keys are used to disable access to all writable <p><b>Minimum number of arenas:</b> 1</p>
allocator state outside of the memory allocator code. It's currently disabled by default <p><b>Maximum number of arenas:</b> 256</p>
due to a significant performance cost for this use case on current-generation hardware. <p>For extra security, <code>CONFIG_SEAL_METADATA=true</code> can be used in
Whether or not this feature is enabled, the metadata is all contained within an isolated order to control whether Memory Protection Keys are used to disable access to
memory region with high-entropy random guard regions around it.</p> all writable allocator state outside of the memory allocator code. It's
<p>For low-memory systems, <code>VARIANT=light</code> can be used to compile the light currently disabled by default due to a significant performance cost for this use
variant of hardened_malloc, which sacrifices some security for much less memory case on current-generation hardware. Whether or not this feature is enabled, the
usage. This option still produces a more hardened memory allocator than both the metadata is all contained within an isolated memory region with high-entropy
default musl and glibc allocators, despite the security sacrifices over the full random guard regions around it.</p>
variant.</p> <p>For low-memory systems, <code>VARIANT=light</code> can be used to compile the
<p>For all compile-time options, see the light variant of hardened_malloc, which sacrifices some security for much less
<a href="https://github.com/GrapheneOS/hardened_malloc#configuration">configuration section</a> memory usage. This option still produces a more hardened memory allocator than
of hardened_malloc's extensive official documentation.</p> both the default musl and glibc allocators, despite the security sacrifices over
</section> the full variant.</p>
<section id="copy_library"> <p>For all compile-time options, see the
<h2 id="copy_library"><a href="#copy_library">Copy Compiled hardened_malloc Library</a></h2> <a href="https://github.com/GrapheneOS/hardened_malloc#configuration">configuration section</a>
<p><code># cp out/libhardened_malloc.so <var>&lt;target path&gt;</var></code></p> of hardened_malloc's extensive official documentation.</p>
</section> </section>
<section id="preload_on_boot"> <section id="copy_library">
<h2 id="preload_on_boot"><a href="#preload_on_boot">Set System to Preload hardened_malloc on Boot</a></h2> <h2 id="copy_library"><a href="#copy_library">Copy Compiled hardened_malloc Library</a></h2>
<p><b>musl-based systems:</b> Add <p><code># cp out/libhardened_malloc.so <var>&lt;target path&gt;</var></code></p>
<code>export LD_PRELOAD="<var>&lt;hardened_malloc path&gt;</var>"</code> to </section>
<code>/etc/environment</code></p> <section id="preload_on_boot">
<p><b>glibc-based systems:</b> Add <code><var>&lt;hardened_malloc path&gt;</var></code> to <h2 id="preload_on_boot"><a href="#preload_on_boot">Set System to Preload hardened_malloc on Boot</a></h2>
<code>/etc/ld.so.preload</code></p> <p><b>musl-based systems:</b> Add
</section> <code>export LD_PRELOAD="<var>&lt;hardened_malloc path&gt;</var>"</code> to
<code>/etc/environment</code></p>
<p><b>glibc-based systems:</b> Add <code><var>&lt;hardened_malloc path&gt;</var></code> to
<code>/etc/ld.so.preload</code></p>
</section>
</body> </body>
</html> </html>
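Review bot: Duplicate id attributes remain on the new side of this hunk: `<nav id="toc">` still wraps `<h2 id="toc">`, and every section from `memory_pages` through `preload_on_boot` still shares its id with its own `<h2>`. Only the `<h1>` was given a distinct id (`hardened_malloc`). An id must be unique within the document, so the fix applied to the first-level heading should be carried through: keep the id on the `<section>` (or `<nav>`) and drop it from the heading, since the heading's `<a href="#...">` will still resolve to the enclosing element. Separately, the paragraphs in the introduction, compile and memory_pages sections were re-wrapped in the same change (for example "These instructions apply to" now breaks after "These instructions"), which goes beyond the "heading and section indentation" named in the commit message and makes it hard to confirm from the diff that no wording changed. Consider putting the re-wrap in its own commit.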