[HN Gopher] Towards the next generation of XNU memory safety: ka...
___________________________________________________________________
Towards the next generation of XNU memory safety: kalloc_type
Author : olliej
Score : 99 points
Date : 2022-10-27 18:57 UTC (4 hours ago)
(HTM) web link (security.apple.com)
(TXT) w3m dump (security.apple.com)

| MBCook wrote:
| Very interesting. Unfortunately I don't see a way to follow new entries. There's no RSS feed.
| sneak wrote:
| olliej wrote:
| I actually expected this to have already been posted and couldn't find it - so the submission went through.
|
| Anyway I haven't ever gone out of my way to hide my employers, and I'm a tech worker in the Bay Area so I've worked at multiple companies including Google and Apple.
|
| That said if you'd rather I delete this and wait for someone else to post it I can do that?
|
| Obviously anything I say is my personal view and not reflective of my employers, past or present, and I'm only ever going to submit things that /I/ think would be of interest to HN.
|
| [edited to make sentences that conform to silly societal rules like "must follow basic rules of English grammar", "must not have absurd amounts of ambiguity"]
| pvg wrote:
| _rather I delete this and wait for someone else to post it_
|
| You don't have to change the way you post just because someone is on some innuendo-laden crapcomment bender.
| olliej wrote:
| I get the innuendo, but it's a reasonable thing to think about. The problem of course is that plenty of small companies, startups, and I guess blogs exist where someone might be proud of their work and want to share it on HN, which I don't think should be outright banned.
|
| But then you also have the periodic content-less and clearly marketing content that ends up on the HN front page, which I always find deeply suspicious, so..?
| pvg wrote:
| It's reasonable, and if you think something is wrong you mail hn@ycombinator.com. But there's no hunting woozles on the forum itself, otherwise it would be an infinite woozle hunt, as you know.
| olliej wrote:
| Ah, I didn't realise that was considered a reasonable option - I mostly rely on downvote or (rarely) flagging.
| glhaynes wrote:
| Genuine question: why do you ask?
| olliej wrote:
| I pondered that myself and then realized we'd intersected on some security of iMessage stuff the other day, so it's reasonable for them to ask "is this a marketing shill?". Which to be clear I'm not, I think this stuff is interesting, just as I think the Google security posts are.
|
| (I just googled and it does look like it's not as obvious anymore, apparently DJ Olliej is much more popular :D)
| glhaynes wrote:
| It just would seem like a more interesting question if this post was a link promoting your private thoughts rather than a generic link to the public blog of one of the largest companies on earth. But maybe the question wasn't really related to the post in particular.
| olliej wrote:
| Like I said we were talking about iMessage security in comments yesterday (or maybe this morning?) so presumably if the next time they saw my nick was in an Apple blog submission they became suspicious that I was a shill. Given that specific context I don't think it's wholly unreasonable to question things. The phrasing of the question is obviously unpleasant to me as it does come off as accusatory (due to the conspiratorial implication you get from the "no weaseling" text). But again if someone was a shill you probably would want a question like that. But I'd expect a shill to just not acknowledge the question - it is afaict being fairly heavily downvoted, which I don't think is reasonable either (because everyone loves fake internet points :) ) as that would benefit a shill/marketing person.
|
| Anyway to be super clear again: anything I say is my personal thoughts and opinions and in no way reflects what any of my employers, past or present, may be thinking or doing.
|
| I guess I could put that in my HN bio? I hadn't previously because I do try to separate my identity from my job, as when I first started out in tech I did not do that, and it was unhealthy.
| crecker wrote:
| ? Anyone can submit a story to HN.
| vlovich123 wrote:
| I'm a bit curious how this confers a security advantage. Isn't the kernel clearing free pages before handing them out? Or does it not bother when it's a kernel allocation?
|
| If the latter, wouldn't that be an obvious risk mitigation without even needing to segment by type (i.e. only hand out zeroed pages for allocations)?
|
| If they're being zeroed out, then I'm not sure I understand how grouping by type improves UAF security since the attacker couldn't control the contents.
|
| I'm sure I'm just ignorant here since there's so much research into this type of hardening. Genuinely curious.
| helloooooooo wrote:
| It's not pages. It's individual allocations. When freeing an allocation, it returns it back to the free list to be popped off the next time an allocation of appropriate size comes along. Some implementations have a stochastic element to randomize the freelist entry returned to alloc. A type-segregated heap mitigates many classes of type confusion exploitation by preventing confusing objects in use-after-free scenarios. It's also incredibly expensive to zero out freed allocations each time.
| saagarjha wrote:
| It's not too bad, the kernel has been doing this for a couple of years already.
| malf wrote:
| Search the article for 'iovec', they explain exactly that.
| saagarjha wrote:
| I haven't read the whole thing yet but just zeroing allocations (see comment below on allocations versus pages) is not a full fix, because a UAF can come through a dangling pointer. What you need to mitigate against this is preventing allocations from being reused. This is infeasible to do perfectly because it just means you leak everything, but in isolated cases you can do things like prevent different types from being given the same allocation (and thus allowing for shenanigans when code does a type confusion) or do other kinds of segregation and randomization to make it difficult to predict when it will be coming back.
___________________________________________________________________
(page generated 2022-10-27 23:00 UTC)