[HN Gopher] Towards the next generation of XNU memory safety: ka...
___________________________________________________________________
Towards the next generation of XNU memory safety: kalloc_type
Author : olliej
Score : 99 points
Date : 2022-10-27 18:57 UTC (4 hours ago)
(HTM) web link (security.apple.com)
(TXT) w3m dump (security.apple.com)
| MBCook wrote:
| Very interesting. Unfortunately I don't see a way to follow new
| entries. There's no RSS feed.
| sneak wrote:
| olliej wrote:
| I actually expected this to have already been posted and
| couldn't find it - so the submission went through.
|
| Anyway I haven't ever gone out of my way to hide my employers,
| and I'm a tech worker in the Bay Area so I've worked at multiple
| companies including Google and Apple.
|
| That said if you'd rather I delete this and wait for someone
| else to post it I can do that?
|
| Obviously anything I say is my personal view and not reflective
| of my employers, past or present, and I'm only ever going to
| submit things that /I/ think would be of interest to HN.
|
| [edited to make sentences conform to silly societal rules
| like "must follow basic rules of English grammar", "must not
| have absurd amounts of ambiguity"]
| pvg wrote:
| _rather I delete this and wait for someone else to post it_
|
| You don't have to change the way you post just because
| someone is on some innuendo-laden crapcomment bender.
| olliej wrote:
| I get the innuendo, but it's a reasonable thing to think
| about. The problem of course is that plenty of small
| companies, startups, and I guess blogs exist where someone
| might be proud of their work and want to share it on HN
| which I don't think should be outright banned.
|
| But then you also have the periodic contentless and
| clearly marketing content that ends up on HN front page,
| which I always find deeply suspicious, so..?
| pvg wrote:
| It's reasonable and if you think something is wrong you
| mail hn@ycombinator.com. But there's no hunting woozles
| on the forum itself otherwise it would be an infinite
| woozle hunt, as you know.
| olliej wrote:
| Ah, I didn't realise that was considered a reasonable
| option - I mostly rely on downvote or (rarely) flagging
| glhaynes wrote:
| Genuine question: why do you ask?
| olliej wrote:
| I pondered that myself and then realized we'd intersected on
| some security of iMessage stuff the other day, so it's
| reasonable for them to ask "is this a marketing shill?".
| Which to be clear I'm not, I think this stuff is interesting,
| just as I think the Google security posts are.
|
| (I just googled and it does look like it's not as obvious
| anymore, apparently DJ Olliej is much more popular :D)
| glhaynes wrote:
| It just would seem like a more interesting question if this
| post was a link promoting your private thoughts rather than
| a generic link to the public blog of one of the largest
| companies on earth. But maybe the question wasn't really
| related to the post in particular.
| olliej wrote:
| Like I said we were talking about iMessage security in
| comments yesterday (or maybe this morning?) so presumably
| if the next time they saw my nick was in an Apple blog
| submission they became suspicious that I was a shill.
| Given that specific context I don't think it's wholly
| unreasonable to question things. The phrasing of the
| question is obviously unpleasant to me as it does come
| off as accusatory (due to the conspiratorial implication
| you get from the "no weaseling" text). But again if
| someone was a shill you probably would want a question
| like that. But I'd expect a shill to just not acknowledge
| the question - it is afaict being fairly heavily
| downvoted which I don't think is reasonable either
| (because everyone loves fake internet points :) ) as that
| would benefit a shill/marketing person.
|
| Anyway to be super clear again: anything I say is my
| personal thoughts and opinions and in no way reflects
| what any of my employers, past or present may be thinking
| or doing.
|
| I guess I could put that in my HN bio? I hadn't
| previously because I do try to separate my identity from
| my job, as when I first started out in tech I did not do
| that, and it was unhealthy.
| crecker wrote:
| ? Anyone can submit a story to HN.
| vlovich123 wrote:
| I'm a bit curious how this confers a security advantage. Isn't
| the kernel clearing free pages before handing them out? Or does
| it not bother when it's a kernel allocation?
|
| If the latter, wouldn't that be an obvious risk mitigation
| without even needing to segment by type (ie only hand out zeroed
| pages for allocations)?
|
| If they're being zeroed out, then I'm not sure I understand how
| grouping by type improves UAF security since the attacker
| couldn't control the contents.
|
| I'm sure I'm just ignorant here since there's so much research
| into this type of hardening. Genuinely curious.
| helloooooooo wrote:
| It's not pages. It's individual allocations. When freeing an
| allocation, it is returned to the free list to be popped
| off the next time an allocation of appropriate size comes
| along. Some implementations have a stochastic element to
| randomize the freelist entry returned to alloc. A type
| segregated heap mitigates many classes of type confusion
| exploitation by preventing confusing objects in use-after-free
| scenarios. It's also incredibly expensive to zero out freed
| allocations each time.
| saagarjha wrote:
| It's not too bad, the kernel has been doing this for a couple
| years already.
| malf wrote:
| Search the article for 'iovec', they explain exactly that.
| saagarjha wrote:
| I haven't read the whole thing yet but just zeroing allocations
| (see comment below on allocations versus pages) is not a full
| fix, because a UAF can come through a dangling pointer. What
| you need to mitigate against this is preventing allocations
| from being reused. This is infeasible to do perfectly because
| it just means you leak everything but in isolated cases you can
| do things like prevent different types from being given the
| same allocation (and thus allowing for shenanigans when code
| does a type confusion) or do other kinds of segregation and
| randomization to make it difficult to predict when it will be
| coming back.
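An added example, not part of the thread or of Apple's post, that models the point made in the two comments above (helloooooooo's freelist description and saagarjha's note that zeroing does not fix a dangling pointer). It is a toy C heap with one constructed 32-byte size class, built twice: once as a single shared LIFO freelist and once as one freelist per object type, which is the idea behind kalloc_type. The zone layout, the two object types (`file_ref`, `user_buf`) and the allocation sequence are constructed for illustration. The allocator zeroes memory on both allocation and free to show that zeroing alone does not stop a stale pointer from aliasing a later allocation of a different type, while per-type segregation does; the last check shows the caveat that segregation still allows reuse by another object of the same type.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHUNK   32   /* constructed: a single 32-byte size class */
#define NCHUNKS 8    /* constructed: chunks per zone */
#define NTYPES  2

/* A chunk doubles as a LIFO freelist node while it is free. */
typedef struct chunk {
    struct chunk *next;
    unsigned char pad[CHUNK - sizeof(struct chunk *)];
} chunk_t;

typedef struct {
    chunk_t  chunks[NCHUNKS];
    chunk_t *free_head;  /* most recently freed chunk is handed out first */
    int      bump;       /* index of the next never-used chunk */
} zone_t;

static void zone_init(zone_t *z) { memset(z, 0, sizeof *z); }

static void *zone_alloc(zone_t *z) {
    chunk_t *c;
    if (z->free_head) {            /* reuse a freed chunk first (LIFO) */
        c = z->free_head;
        z->free_head = c->next;
    } else if (z->bump < NCHUNKS) {
        c = &z->chunks[z->bump++];
    } else {
        return NULL;
    }
    memset(c, 0, CHUNK);           /* zero on allocation */
    return c;
}

static void zone_free(zone_t *z, void *p) {
    chunk_t *c = p;
    memset(c, 0, CHUNK);           /* zero on free: a stale pointer still points here */
    c->next = z->free_head;
    z->free_head = c;
}

/* Two unrelated constructed object types that share the 32-byte size class. */
struct file_ref { int *refcount; int flags; };   /* type A */
struct user_buf { char data[CHUNK]; };           /* type B */
enum { TYPE_FILE_REF = 0, TYPE_USER_BUF = 1 };

/* Size-class heap: every 32-byte object, whatever its type, shares one zone. */
static zone_t shared_zone;
static void *shared_alloc(int type)            { (void)type; return zone_alloc(&shared_zone); }
static void  shared_release(int type, void *p) { (void)type; zone_free(&shared_zone, p); }

/* Type-segregated heap: one zone per type, the idea behind kalloc_type. */
static zone_t typed_zones[NTYPES];
static void *typed_alloc(int type)            { return zone_alloc(&typed_zones[type]); }
static void  typed_release(int type, void *p) { zone_free(&typed_zones[type], p); }

/* Scenario: a file_ref is freed but a stale pointer to it survives (the
 * dangling pointer of a use-after-free); then an object of next_type is
 * allocated. Returns 1 if the stale pointer now aliases the new object. */
static int stale_pointer_aliases(void *(*alloc)(int), void (*release)(int, void *), int next_type) {
    struct file_ref *stale = alloc(TYPE_FILE_REF);
    release(TYPE_FILE_REF, stale);      /* freed; 'stale' is still held by some code path */
    void *fresh = alloc(next_type);
    return (void *)stale == fresh;
}

int shared_heap_reuses_across_types(void) {
    zone_init(&shared_zone);
    return stale_pointer_aliases(shared_alloc, shared_release, TYPE_USER_BUF);   /* 1 */
}

int typed_heap_reuses_across_types(void) {
    for (int i = 0; i < NTYPES; i++) zone_init(&typed_zones[i]);
    return stale_pointer_aliases(typed_alloc, typed_release, TYPE_USER_BUF);     /* 0 */
}

/* Caveat: segregation by type does not stop reuse by an object of the same type. */
int typed_heap_reuses_within_type(void) {
    for (int i = 0; i < NTYPES; i++) zone_init(&typed_zones[i]);
    return stale_pointer_aliases(typed_alloc, typed_release, TYPE_FILE_REF);     /* 1 */
}

int main(void) {
    printf("shared size-class heap, stale file_ref aliases new user_buf: %d\n", shared_heap_reuses_across_types());
    printf("type-segregated heap,  stale file_ref aliases new user_buf: %d\n", typed_heap_reuses_across_types());
    printf("type-segregated heap,  stale file_ref aliases new file_ref: %d\n", typed_heap_reuses_within_type());
    return 0;
}
```

The shared zone hands the freed `file_ref` chunk straight back to the next 32-byte request regardless of type, so the stale pointer and the new `user_buf` are the same address even though the memory was zeroed twice; with one zone per type the `user_buf` comes from a different zone and the addresses differ, which is the type-confusion class the segregation removes. The within-type check is why the comment above describes this as closing one class of confusion rather than the whole use-after-free problem.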
___________________________________________________________________
(page generated 2022-10-27 23:00 UTC)