Inferencium/website
1
0
Fork 0
Code Issues Activity

Update webpage "Documentation - hardened_malloc" from version "5.0.0-beta.1" to "5.0.1-beta.1"

Browse Source
This commit is contained in:
inference 2024-03-18 02:50:35 +00:00
parent 28542a450e
commit c2e6de397e
Signed by: inference
SSH Key Fingerprint: SHA256:FtEVfx1CmTKMy40VwZvF4k+3TC+QhCWy+EmPRg50Nnc
1 changed files with 115 additions and 123 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

238
documentation/hardened_malloc.xhtml
View File

@ -1,133 +1,125 @@
<!DOCTYPE html> <!DOCTYPE html>
<!-- Inferencium - Website - Documentation - hardened_malloc --> <!-- Inferencium - Website - Documentation - hardened_malloc -->
<!-- Version: 5.0.0-beta.1 --> <!-- Version: 5.0.1-beta.1 -->
<!-- Copyright 2023 Jake Winters --> <!-- Copyright 2023 Jake Winters -->
<!-- SPDX-License-Identifier: BSD-3-Clause --> <!-- SPDX-License-Identifier: BSD-3-Clause -->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head> <head>
<meta charset="utf-8"/> <meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/> <meta name="viewport" content="width=device-width, initial-scale=1"/>
<link rel="stylesheet" href="../main.css"/> <link rel="stylesheet" href="../main.css"/>
<link rel="icon shortcut" href="../asset/img/logo/inferencium-notext.png"/> <link rel="icon shortcut" href="../asset/img/logo/inferencium-notext.png"/>
<title>Inferencium - Documentation - hardened_malloc</title> <title>Inferencium - Documentation - hardened_malloc</title>
</head> </head>
<body> <body>
<nav class="navbar"> <nav class="navbar">
<div class="logo"><a href="../index.xhtml"><img src="../asset/img/logo/inferencium-notext.png" alt="Inferencium logo"/></a></div> <div class="logo"><a href="../index.xhtml"><img src="../asset/img/logo/inferencium-notext.png" alt="Inferencium logo"/></a></div>
<div class="title"><a href="../index.xhtml">Inferencium</a></div> <div class="title"><a href="../index.xhtml">Inferencium</a></div>
<div><a href="../about.xhtml">About</a></div> <div><a href="../about.xhtml">About</a></div>
<div><a href="../news.xhtml">News</a></div> <div><a href="../news.xhtml">News</a></div>
<div><a href="../documentation.xhtml">Documentation</a></div> <div><a href="../documentation.xhtml">Documentation</a></div>
<div><a href="../source.xhtml">Source</a></div> <div><a href="../source.xhtml">Source</a></div>
<div><a href="../changelog.xhtml">Changelog</a></div> <div><a href="../changelog.xhtml">Changelog</a></div>
<div><a href="../blog.xhtml">Blog</a></div> <div><a href="../blog.xhtml">Blog</a></div>
<div><a href="../contact.xhtml">Contact</a></div> <div><a href="../contact.xhtml">Contact</a></div>
<div><a href="../directory.xhtml">Directory</a></div> <div><a href="../directory.xhtml">Directory</a></div>
<div><a href="../key.xhtml">Key</a></div> <div><a href="../key.xhtml">Key</a></div>
<div class="sitemap"><a href="../sitemap.xhtml">Sitemap</a></div> <div class="sitemap"><a href="../sitemap.xhtml">Sitemap</a></div>
</nav> </nav>
<h1 id="hardened_malloc"><a href="#hardened_malloc">Documentation - hardened_malloc</a></h1> <h1 id="hardened_malloc"><a href="#hardened_malloc">Documentation - hardened_malloc</a></h1>
<section id="introduction"> <section id="introduction">
<p>This documentation contains instructions to use <p>This documentation contains instructions to use
<a href="https://github.com/GrapheneOS/hardened_malloc">hardened_malloc</a> <a href="https://github.com/GrapheneOS/hardened_malloc">hardened_malloc</a>
memory allocator as the system's default memory allocator. These instructions memory allocator as the system's default memory allocator. These instructions apply to both musl and
apply to both musl and glibc C libraries on Unix-based and Unix-like glibc C libraries on Unix-based and Unix-like systems.</p>
systems.</p> <p>hardened_malloc can also be used per-application and/or per-user, in which case root permissions are
<p>hardened_malloc can also be used per-application and/or per-user, in which not required; this documentation focuses on system-wide usage of hardened_malloc, assumes root
case root permissions are not required; this documentation focuses on privileges, and assumes the compiled library will be located in a path readable and executable by all
system-wide usage of hardened_malloc, assumes root privileges, and assumes the users of the system.</p>
compiled library will be located in a path readable and executable by all users <p>For the complete hardened_malloc documentation, visit its
of the system.</p> <a href="https://github.com/GrapheneOS/hardened_malloc#hardened_malloc">official documentation</a>.</p>
<p>For the complete hardened_malloc documentation, visit its <p>This documentation is also available in portable AsciiDoc format in my
<a href="https://github.com/GrapheneOS/hardened_malloc#hardened_malloc">official documentation</a>.</p> <a href="https://src.inferencium.net/Inferencium/doc/src/branch/stable/security/hardened_malloc.adoc">documentation source code repository</a>.</p>
<p>This documentation is also available in portable AsciiDoc format in my </section>
<a href="https://src.inferencium.net/Inferencium/doc/src/branch/stable/security/hardened_malloc.adoc">documentation source code repository</a>.</p> <nav id="toc">
</section> <h2><a href="#toc">Table of Contents</a></h2>
<nav id="toc"> <ul>
<h2><a href="#toc">Table of Contents</a></h2> <li><a href="#memory_pages">Increase Permitted Amount of Memory Pages</a></li>
<ul> <li><a href="#clone_source_code">Clone hardened_malloc Source Code</a></li>
<li><a href="#memory_pages">Increase Permitted Amount of Memory Pages</a></li> <li><a href="#enter_local_repository">Enter hardened_malloc Local Git Repository</a></li>
<li><a href="#clone_source_code">Clone hardened_malloc Source Code</a></li> <li><a href="#compile">Compile hardened_malloc</a></li>
<li><a href="#enter_local_repository">Enter hardened_malloc Local Git Repository</a></li> <li><a href="#copy_library">Copy Compiled hardened_malloc Library</a></li>
<li><a href="#compile">Compile hardened_malloc</a></li> <li><a href="#preload_on_boot">Set System to Preload hardened_malloc on Boot</a></li>
<li><a href="#copy_library">Copy Compiled hardened_malloc Library</a></li> </ul>
<li><a href="#preload_on_boot">Set System to Preload hardened_malloc on Boot</a></li> </nav>
</ul> <section id="memory_pages">
</nav> <h2><a href="#memory_pages">Increase Permitted Amount of Memory Pages</a></h2>
<section id="memory_pages"> <p>Add <code>vm.max_map_count = 1048576</code> to <code>/etc/sysctl.conf</code> to accommodate
<h2><a href="#memory_pages">Increase Permitted Amount of Memory Pages</a></h2> hardened_malloc's large amount of guard pages.</p>
<p>Add <code>vm.max_map_count = 1048576</code> to </section>
<code>/etc/sysctl.conf</code> to accommodate hardened_malloc's large amount of <section id="clone_source_code">
guard pages.</p> <h2><a href="#clone_source_code">Clone hardened_malloc Source Code</a></h2>
</section> <p><code>$ git clone https://github.com/GrapheneOS/hardened_malloc.git</code></p>
<section id="clone_source_code"> </section>
<h2><a href="#clone_source_code">Clone hardened_malloc Source Code</a></h2> <section id="enter_local_repository">
<p><code>$ git clone https://github.com/GrapheneOS/hardened_malloc.git</code></p> <h2><a href="#enter_local_repository">Enter hardened_malloc Local Git Repository</a></h2>
</section> <p><code>$ cd hardened_malloc/</code></p>
<section id="enter_local_repository"> </section>
<h2><a href="#enter_local_repository">Enter hardened_malloc Local Git Repository</a></h2> <section id="compile">
<p><code>$ cd hardened_malloc/</code></p> <h2><a href="#compile">Compile hardened_malloc</a></h2>
</section> <p><code>$ make <var>&lt;arguments&gt;</var></code></p>
<section id="compile"> <p><code>CONFIG_N_ARENA=<var>n</var></code> can be adjusted to increase parallel performance at the
<h2><a href="#compile">Compile hardened_malloc</a></h2> expense of memory usage, or decrease memory usage at the expense of parallel performance, where
<p><code>$ make <var>&lt;arguments&gt;</var></code></p> <code><var>n</var></code> is a non-negative integer. Higher values prefer parallel performance,
<p><code>CONFIG_N_ARENA=<var>n</var></code> can be adjusted to increase parallel whereas lower values prefer lower memory usage. Note that having too many arenas may cause memory
performance at the expense of memory usage, or decrease memory usage at the fragmentation and decrease system performance. The number of arenas has no impact on the security
expense of parallel performance, where <code><var>n</var></code> is a properties of hardened_malloc.</p>
non-negative integer. Higher values prefer parallel performance, whereas lower <table align="center">
values prefer lower memory usage. Note that having too many arenas may cause <thead>
memory fragmentation and decrease system performance. The number of arenas has <tr>
no impact on the security properties of hardened_malloc.</p> <th id="arena-min">Minimum</th>
<table align="center"> <th id="arena-max">Maximum</th>
<thead> <th id="arena-def">Default</th>
<tr> </tr>
<th id="arena-min">Minimum</th> </thead>
<th id="arena-max">Maximum</th> <tbody>
<th id="arena-def">Default</th> <tr>
</tr> <td headers="arena-min">1</td>
</thead> <td headers="arena-max">256</td>
<tbody> <td headers="arena-def">4</td>
<tr> </tr>
<td headers="arena-min">1</td> </tbody>
<td headers="arena-max">256</td> </table>
<td headers="arena-def">4</td> <p>For extra security, <code>CONFIG_SEAL_METADATA=true</code> can be used in order to control
</tr> whether
</tbody> <a href="https://www.kernel.org/doc/html/v6.7/core-api/protection-keys.html">Memory Protection Keys</a>
</table> are used to disable access to all writable allocator state outside of the memory allocator code.
<p>For extra security, <code>CONFIG_SEAL_METADATA=true</code> can be used in It's currently disabled by default due to a significant performance cost for this use case on
order to control whether current-generation hardware. Whether or not this feature is enabled, the metadata is all contained
<a href="https://www.kernel.org/doc/html/v6.7/core-api/protection-keys.html">Memory Protection Keys</a> within an isolated memory region with high-entropy random guard regions around it.</p>
are used to disable access to all writable allocator state outside of the memory <p>For low-memory systems, <code>VARIANT=light</code> can be used to compile the light variant of
allocator code. It's currently disabled by default due to a significant hardened_malloc, which sacrifices some security for much less memory usage. This option still
performance cost for this use case on current-generation hardware. Whether or produces a more hardened memory allocator than both the default musl and glibc allocators, despite
not this feature is enabled, the metadata is all contained within an isolated the security sacrifices over the full variant.</p>
memory region with high-entropy random guard regions around it.</p> <p>For all compile-time options, see the
<p>For low-memory systems, <code>VARIANT=light</code> can be used to compile the <a href="https://github.com/GrapheneOS/hardened_malloc#configuration">configuration section</a>
light variant of hardened_malloc, which sacrifices some security for much less of hardened_malloc's extensive official documentation.</p>
memory usage. This option still produces a more hardened memory allocator than </section>
both the default musl and glibc allocators, despite the security sacrifices over <section id="copy_library">
the full variant.</p> <h2><a href="#copy_library">Copy Compiled hardened_malloc Library</a></h2>
<p>For all compile-time options, see the <p><code># cp out/libhardened_malloc.so <var>&lt;target path&gt;</var></code></p>
<a href="https://github.com/GrapheneOS/hardened_malloc#configuration">configuration section</a> </section>
of hardened_malloc's extensive official documentation.</p> <section id="preload_on_boot">
</section> <h2><a href="#preload_on_boot">Set System to Preload hardened_malloc on Boot</a></h2>
<section id="copy_library"> <p><b>musl-based systems:</b> Add <code>LD_PRELOAD=<var>&lt;hardened_malloc path&gt;</var></code> to
<h2><a href="#copy_library">Copy Compiled hardened_malloc Library</a></h2> <code>/etc/environment</code></p>
<p><code># cp out/libhardened_malloc.so <var>&lt;target path&gt;</var></code></p> <p><b>glibc-based systems:</b> Add <code><var>&lt;hardened_malloc path&gt;</var></code> to
</section> <code>/etc/ld.so.preload</code></p>
<section id="preload_on_boot"> </section>
<h2><a href="#preload_on_boot">Set System to Preload hardened_malloc on Boot</a></h2> <div class="sitemap-small"><a href="../sitemap.xhtml">Sitemap</a></div>
<p><b>musl-based systems:</b> Add </body>
<code>LD_PRELOAD=<var>&lt;hardened_malloc path&gt;</var></code> to
<code>/etc/environment</code></p>
<p><b>glibc-based systems:</b> Add
<code><var>&lt;hardened_malloc path&gt;</var></code> to
<code>/etc/ld.so.preload</code></p>
</section>
<div class="sitemap-small"><a href="../sitemap.xhtml">Sitemap</a></div>
</body>
</html> </html>