Inferencium/website
1
0
Fork 0
Code Issues Activity
website/documentation/hardened_malloc.html

118 lines
6.4 KiB
HTML
Raw Blame History

<!DOCTYPE html>
<!-- Inferencium - Website - Documentation - GrapheneOS hardened_malloc -->
<!-- Copyright 2023 Jake Winters -->
<!-- SPDX-License-Identifier: BSD-3-Clause -->
<!-- Version: 1.0.3-alpha.1 -->
<html>
<head>
<title>Inferencium - Documentation - GrapheneOS hardened_malloc</title>
<link rel="stylesheet" href=../main.css>
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
<!-- Navigation bar -->
<div class="nav">
<div><a href="../index.html"><img src="../asset/img/logo-inferencium-no_text.png" width="110px" height="110px"></a></div>
<div><a href="../index.html" class="title">Inferencium</a></div>
<div><a href="../about.html">About</a></div>
<div><a href="../contact.html">Contact</a></div>
<div><a href="../blog.html">Blog</a></div>
<div><a href="../documentation.html">Documentation</a></div>
<div><a href="../source.html">Source</a></div>
<div><a href="../key.html">Key</a></div>
<div><a href="../changelog.html">Changelog</a></div>
</div>
<section id="introduction">
<h1 id="introduction"><a href="#introduction">Documentation - GrapheneOS hardened_malloc</a></h1>
<p>This documentation contains instructions to use
<a href="https://github.com/GrapheneOS/hardened_malloc">GrapheneOS hardened_malloc</a>
memory allocator as the system's default memory allocator. These instructions apply to
both musl and glibc C libraries on Unix-based and Unix-like systems. hardened_malloc can
also be used per-application and/or per-user, in which case root permissions are not
required; this documentation focuses on system-wide usage of hardened_malloc, assumes
root privileges, and assumes the compiled library will be located in a path readable by
all users of the system.</p>
<p>For the complete hardened_malloc documentation, visit its
<a href="https://github.com/GrapheneOS/hardened_malloc#hardened_malloc">official documentation</a>.</p>
<p>This documentation is also available in portable AsciiDoc format in my
<a href="https://src.inferencium.net/Inferencium/doc/src/branch/stable/security/hardened_malloc.adoc">documentation source code repository</a>.
</section>
<!-- Table of contents -->
<section id="toc">
<h2 id="toc"><a href="#toc">Table of Contents<a/></h2>
<ul>
<li><a href="#memory_pages">Increase Permitted Amount of Memory Pages</a></li>
<li><a href="#clone_source_code">Clone hardened_malloc Source Code</a></li>
<li><a href="#enter_local_repository">Enter hardened_malloc Local Git Repository</a></li>
<li><a href="#compile">Compile hardened_malloc</a></li>
<li><a href="#copy_library">Copy Compiled hardened_malloc Library</a></li>
<li><a href="#preload_on_boot">Set System to Preload hardened_malloc on Boot</a></li>
</ul>
</section>
<section id="memory_pages">
<h2 id="memory_pages"><a href="#memory_pages">Increase Permitted Amount of Memory Pages</a></h2>
<p>Add <code>vm.max_map_count = 1048576</code> to
<code>/etc/sysctl.conf</code> to accommodate hardened_malloc's large
amount of guard pages.</p>
</section>
<section id="clone_source_code">
<h2 id="clone_source_code"><a href="#clone_source_code">Clone hardened_malloc Source Code</a></h2>
<p><code>$ git clone https://github.com/GrapheneOS/hardened_malloc.git</code></p>
</section>
<section id="enter_local_repository">
<h2 id="enter_local_repository"><a href="#enter_local_repository">Enter hardened_malloc Local Git Repository</a></h2>
<p><code>$ cd hardened_malloc/</code></p>
</section>
<section id="compile">
<h2 id="compile"><a href="#compile">Compile hardened_malloc</a></h2>
<p><p><code>$ make <var>&lt;arguments&gt;</var></code></p>
<p><code>CONFIG_N_ARENA=<var>n</var></code> can be adjusted to increase
parallel performance at the expense of memory usage, or decrease memory
usage at the expense of parallel performance, where <var>n</var> is an
integer. Higher values prefer parallel performance, lower values prefer
lower memory usage. The number of arenas has no impact on the security
properties of hardened_malloc.
<ul>
<li>Minimum number of arenas: 1</li>
<li>Maximum number of arenas: 256</li>
</ul>
<p>For extra security, <code>CONFIG_SEAL_METADATA=true</code> can be
used in order to control whether Memory Protection Keys are used to
disable access to all writable allocator state outside of the memory
allocator code. It's currently disabled by default due to a significant
performance cost for this use case on current generation hardware.
Whether or not this feature is enabled, the metadata is all contained
within an isolated memory region with high entropy random guard regions
around it.</p>
<p>For low-memory systems, <code>VARIANT=light</code> can be used to
compile the light variant of hardened_malloc, which sacrifices some
security for much less memory usage.</p>
<p>For all compile-time options, see the
<a href="https://github.com/GrapheneOS/hardened_malloc#configuration">configuration section</a>
of hardened_malloc's extensive official documentation.</p>
</section>
<section id="copy_library">
<h2 id="copy_library"><a href="#copy_library">Copy Compiled hardened_malloc Library</a></h2>
<p><code># cp out/libhardened_malloc.so <var>&lt;target path&gt;</var></code></p>
</section>
<section id="preload_on_boot">
<h2 id="preload_on_boot"><a href="#preload_on_boot">Set System to Preload hardened_malloc on Boot</a></h2>
<p>
<ul>
<li>musl-based systems: Add
<code>export LD_PRELOAD="<var>&lt;hardened_malloc path&gt;</var>"</code>
to <code>/etc/environment</code></li>
<li>glibc-based systems:
Add <code><var>&lt;hardened_malloc path&gt;</var></code> to
<code>/etc/ld.so.preload</code></li>
</ul>
</p>
</section>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink