Okay I'm going to try and clear up a lot of misconceptions and stuff
here. I don't own Firefox's memory allocator but I have worked in it,
recently, and am one of the people who are working on hardening it.
Firefox's memory allocator is not jemalloc. It's probably better
referred to as mozjemalloc. We forked jemalloc and have been improving
it (at least from our perspective). Any analysis of or comparison to
jemalloc is - at this point - outdated and should be redone from
scratch against mozjemalloc on mozilla-central.
LD_PRELOAD='/path/to/libhardened_malloc.so' /path/to/program will do
nothing or approximately nothing. mozjemalloc uses mmap and low level
allocation tools to create chunks of memory to be used by its internal
memory allocator. To successfully replace Firefox's memory allocator you
should either use LD_PRELOAD _with_ a --disable-jemalloc build OR
Firefox's replace_malloc functionality:
https://searchfox.org/mozilla-central/source/memory/build/replace_malloc.h
Fingerprinting: It is most likely possible to be creative enough to
fingerprint what memory allocator is used. If we were to choose from
different allocators at runtime, I don't think that fingerprinting is
the worst thing open to us - it seems likely that any attacker who
does such an attack could also fingerprint your CPU speed, RAM, and
your ASLR base addresses which depending on OS might not change until
reboot.
The only reason I can think of to choose between allocators at runtime
is to introduce randomness into the allocation strategy. An attacker
relying on a blind overwrite may not be able to position their
overwrite reliably AND it has to cause the process to crash; otherwise
they can just try again.
Allocators can introduce randomness themselves, you don't need to
choose between allocators to do that.
In virtually all browser exploits we have seen recently the attacker
creates exploitation primitives that allow partial memory read/write
and then full memory read/write. Randomness introduced is bypassed and
ineffective. I've seen a general trend away from randomness for this
purpose. The exception is when the attacker is heavily constrained -
like exploiting over IPC or in a network protocol. Not when the
attacker has a full JavaScript execution environment available to
them.
When exploiting a memory corruption vulnerability, you can target the
application's memory (meaning, target a DOM object or an ArrayBuffer)
or you can target the memory allocator's metadata. While allocator
metadata corruption was popular in the past, I haven't seen it used
recently.
Okay all that out of the way, let's talk about allocators.
I skimmed https://github.com/GrapheneOS/hardened_malloc and it looks
like it has:
- out of line metadata
- double free protection
- guard regions of some type
- zero-filling
- MPK support
- randomization
- support for arenas
mozjemalloc:
- arenas (we call them partitions)
- randomization (support for, not enabled by default due to limited
utility, but improvements coming)
- double free protection
- zero-filling
In Progress:
- we're actively working on guard regions
Future Work:
- out of line metadata
- MPK
hardened_malloc definitely has more bells and whistles than mozjemalloc.
But the benefit gained by slapping in an LD_PRELOAD and calling it a
day is small to zero. Probably negative because you'll not utilize
partitions by default. You'd need a particularly constrained
vulnerability to actually prevent exploitation - it's more likely
you'll just cost the attacker another 2-8 hours of work.
Out of line metadata is on-the-surface-attractive but... that tends to
only help when you have an off-by-one/four write and you corrupt
metadata state because it's the only thing you *can* do. With out of
line metadata, you can just corrupt a real object and effect a
different type of corruption. I'm pretty skeptical of the benefit at
this point, although I could be convinced. We don't see metadata
corruption attacks anymore - but I'm not sure if it's because we find
better exploit primitives or better vulnerabilities.
In particular, if you wanted to pursue hardened_malloc you would need
to use replace_malloc and wire up the partitions correctly.
Randomization will almost certainly not help (and will hurt
performance)*. MPK sounds nice but you have to use it correctly (which
requires application code changes), you have to ensure there are no
MPK gadgets, and oh wait no one can use it because it's only available
in Linux on server CPUs. =(
* One place randomization will help is on the other side of an IPC
boundary. e.g. in the parent process. I'm trying to get that enabled
for mozjemalloc in H2 2019.
In conclusion, while it's possible hardened_malloc could provide some
small security increase over mozjemalloc, the gap is much smaller than
it was when I advocated for allocator improvements 5 years ago, the
effort is definitely non-trivial, and the gap is closing.
If people had the cycles to invest in something like this, I would
actually advocate for helping us test and benchmark Fuzzyfox, and see
if we can get the browser into a usable state with Fuzzyfox so we
could enable it in Tor Browser.
-tom
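The allocator properties the post compares (out-of-line metadata, double-free protection, zero-filling) put together in a toy slab allocator, as an added example written for this page; it is not code from mozjemalloc or hardened_malloc, and the `toy_*` names, slot size and slot count are invented. It also shows the caveat the post raises: with the bookkeeping held outside the chunk, an out-of-bounds write leaves the allocator's own state intact but lands in the neighbouring object instead, so it is the application data, not the allocator, that must be protected.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy slab: fixed-size slots carved out of one chunk. The live/free state
 * lives in a bitmap beside the chunk (out-of-line metadata), so nothing the
 * allocator trusts is stored inside a slot that user code can overflow.
 * Constructed sizes for illustration only. */
#define SLOT_SIZE 32
#define SLOT_COUNT 64

typedef struct {
    unsigned char chunk[SLOT_SIZE * SLOT_COUNT]; /* user data only */
    uint64_t used;          /* bit i set => slot i is live */
    uint32_t double_frees;  /* times toy_free saw an already-free slot */
} toy_slab;

void toy_init(toy_slab *s) {
    memset(s, 0, sizeof *s);
}

/* Hand out the lowest free slot, marked live and zero-filled so no stale
 * bytes from a previous owner leak into the new object. */
void *toy_alloc(toy_slab *s) {
    for (int i = 0; i < SLOT_COUNT; i++) {
        if (!(s->used & (1ULL << i))) {
            s->used |= 1ULL << i;
            void *p = s->chunk + (size_t)i * SLOT_SIZE;
            memset(p, 0, SLOT_SIZE);
            return p;
        }
    }
    return NULL;
}

/* Slot index for a pointer, or -1 if it is not a slot start in this slab. */
static int toy_slot_of(const toy_slab *s, const void *p) {
    const unsigned char *c = p;
    if (c < s->chunk || c >= s->chunk + sizeof s->chunk) return -1;
    size_t off = (size_t)(c - s->chunk);
    if (off % SLOT_SIZE) return -1;
    return (int)(off / SLOT_SIZE);
}

/* 0 on success, -1 for a pointer we never handed out, -2 for a double free.
 * The decision comes from the bitmap, never from bytes inside the slot. */
int toy_free(toy_slab *s, void *p) {
    int i = toy_slot_of(s, p);
    if (i < 0) return -1;
    if (!(s->used & (1ULL << i))) {
        s->double_frees++;
        return -2;
    }
    s->used &= ~(1ULL << i);
    return 0;
}

/* Check: memory reused after a free comes back zeroed. Returns 1 if so. */
int toy_zero_fill_check(toy_slab *s) {
    unsigned char *p = toy_alloc(s);
    if (!p) return 0;
    memset(p, 0xA5, SLOT_SIZE);        /* dirty the slot, then release it */
    toy_free(s, p);
    unsigned char *q = toy_alloc(s);   /* lowest-free policy returns the same slot */
    int ok = (q == p);
    for (int i = 0; i < SLOT_SIZE; i++) ok = ok && q[i] == 0;
    toy_free(s, q);
    return ok;
}

/* Check: a one-byte write past slot a lands in slot b's first byte and leaves
 * the bitmap untouched, so both slots still free exactly once. Returns 1 if
 * the metadata survived (and the neighbour, not the allocator, took the hit). */
int toy_metadata_survives_adjacent_write(toy_slab *s) {
    unsigned char *a = toy_alloc(s);
    unsigned char *b = toy_alloc(s);
    if (!a || !b || b != a + SLOT_SIZE) return 0;
    uint64_t before = s->used;
    a[SLOT_SIZE] = 0x41;               /* off-by-one: still inside chunk[], in b */
    int ok = (s->used == before) && (b[0] == 0x41);
    ok = ok && toy_free(s, a) == 0 && toy_free(s, b) == 0;
    return ok;
}

int main(void) {
    toy_slab s;
    toy_init(&s);
    void *p = toy_alloc(&s);
    int first = toy_free(&s, p);
    int second = toy_free(&s, p);
    printf("first free=%d second free=%d double_frees=%u\n", first, second, s.double_frees);
    printf("zero-fill ok=%d\n", toy_zero_fill_check(&s));
    printf("metadata survives adjacent write=%d\n", toy_metadata_survives_adjacent_write(&s));
    return 0;
}
```

The double-free result and the bitmap check are the two things an LD_PRELOAD swap cannot give you here: both depend on where the allocator keeps its state relative to the objects, which is a property of the allocator that actually owns the chunk.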
More information about the Whonix-devel mailing list