migrate bool configuration options out of config.h
parent
4ac2688d76
commit
1da51ddde1
26
Makefile
26
Makefile
|
@ -2,6 +2,10 @@ CONFIG_NATIVE := true
|
||||||
CONFIG_CXX_ALLOCATOR := true
|
CONFIG_CXX_ALLOCATOR := true
|
||||||
CONFIG_UBSAN := false
|
CONFIG_UBSAN := false
|
||||||
CONFIG_SEAL_METADATA := false
|
CONFIG_SEAL_METADATA := false
|
||||||
|
CONFIG_WRITE_AFTER_FREE_CHECK := true
|
||||||
|
CONFIG_SLOT_RANDOMIZE := true
|
||||||
|
CONFIG_ZERO_ON_FREE := true
|
||||||
|
CONFIG_SLAB_CANARY := true
|
||||||
|
|
||||||
define safe_flag
|
define safe_flag
|
||||||
$(shell $(CC) -E $1 - </dev/null >/dev/null 2>&1 && echo $1)
|
$(shell $(CC) -E $1 - </dev/null >/dev/null 2>&1 && echo $1)
|
||||||
|
@ -37,6 +41,28 @@ ifeq ($(CONFIG_SEAL_METADATA),true)
|
||||||
CPPFLAGS += -DCONFIG_SEAL_METADATA
|
CPPFLAGS += -DCONFIG_SEAL_METADATA
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
ifeq (,$(filter $(CONFIG_ZERO_ON_FREE),true false))
|
||||||
|
$(error CONFIG_ZERO_ON_FREE must be true or false)
|
||||||
|
endif
|
||||||
|
|
||||||
|
ifeq (,$(filter $(CONFIG_WRITE_AFTER_FREE_CHECK),true false))
|
||||||
|
$(error CONFIG_WRITE_AFTER_FREE_CHECK must be true or false)
|
||||||
|
endif
|
||||||
|
|
||||||
|
ifeq (,$(filter $(CONFIG_SLOT_RANDOMIZE),true false))
|
||||||
|
$(error CONFIG_SLOT_RANDOMIZE must be true or false)
|
||||||
|
endif
|
||||||
|
|
||||||
|
ifeq (,$(filter $(CONFIG_SLAB_CANARY),true false))
|
||||||
|
$(error CONFIG_SLAB_CANARY must be true or false)
|
||||||
|
endif
|
||||||
|
|
||||||
|
CPPFLAGS += \
|
||||||
|
-DZERO_ON_FREE=$(CONFIG_ZERO_ON_FREE) \
|
||||||
|
-DWRITE_AFTER_FREE_CHECK=$(CONFIG_WRITE_AFTER_FREE_CHECK) \
|
||||||
|
-DSLOT_RANDOMIZE=$(CONFIG_SLOT_RANDOMIZE) \
|
||||||
|
-DSLAB_CANARY=$(CONFIG_SLAB_CANARY)
|
||||||
|
|
||||||
hardened_malloc.so: $(OBJECTS)
|
hardened_malloc.so: $(OBJECTS)
|
||||||
$(CC) $(CFLAGS) $(LDFLAGS) -shared $^ $(LDLIBS) -o $@
|
$(CC) $(CFLAGS) $(LDFLAGS) -shared $^ $(LDLIBS) -o $@
|
||||||
|
|
||||||
|
|
38
README.md
38
README.md
|
@ -58,7 +58,9 @@ make command as follows:
|
||||||
|
|
||||||
make CONFIG_EXAMPLE=false
|
make CONFIG_EXAMPLE=false
|
||||||
|
|
||||||
The available configuration options are the following:
|
Configuration options are provided when there are significant compromises
|
||||||
|
between portability, performance, memory usage or security. The following
|
||||||
|
options are available:
|
||||||
|
|
||||||
* `CONFIG_NATIVE`: `true` (default) or `false` to control whether the code is
|
* `CONFIG_NATIVE`: `true` (default) or `false` to control whether the code is
|
||||||
optimized for the detected CPU on the host. If this is disabled, setting up a
|
optimized for the detected CPU on the host. If this is disabled, setting up a
|
||||||
|
@ -68,6 +70,29 @@ The available configuration options are the following:
|
||||||
C++ allocator is replaced for slightly improved performance and detection of
|
C++ allocator is replaced for slightly improved performance and detection of
|
||||||
mismatched sizes for sized deallocation (often type confusion bugs). This
|
mismatched sizes for sized deallocation (often type confusion bugs). This
|
||||||
will result in linking against the C++ standard library.
|
will result in linking against the C++ standard library.
|
||||||
|
* `CONFIG_ZERO_ON_FREE`: `true` (default) or `false` to control whether small
|
||||||
|
allocations are zeroed on free, to mitigate use-after-free and uninitialized
|
||||||
|
use vulnerabilities along with purging lots of potentially sensitive data
|
||||||
|
from the process as soon as possible. This has a performance cost scaling to
|
||||||
|
the size of the allocation, which is usually acceptable.
|
||||||
|
* `CONFIG_WRITE_AFTER_FREE_CHECK`: `true` (default) or `false` to control
|
||||||
|
sanity checking that new allocations contain zeroed memory. This can detect
|
||||||
|
writes caused by a write-after-free vulnerability and mixes well with the
|
||||||
|
features for making memory reuse randomized / delayed. This has a performance
|
||||||
|
cost scaling to the size of the allocation, which is usually acceptable.
|
||||||
|
* `CONFIG_SLOT_RANDOMIZE`: `true` (default) or `false` to randomize selection
|
||||||
|
of free slots within slabs. This has a measurable performance cost and isn't
|
||||||
|
one of the important security features, but the cost has been deemed more
|
||||||
|
than acceptable to be enabled by default.
|
||||||
|
* `CONFIG_SLAB_CANARY`: `true` (default) or `false` to enable support for
|
||||||
|
adding 8 byte canaries to the end of memory allocations. The primary purpose
|
||||||
|
of the canaries is to render small fixed size buffer overflows harmless by
|
||||||
|
absorbing them. The first byte of the canary is always zero, containing
|
||||||
|
overflows caused by a missing C string NUL terminator. The other 7 bytes are
|
||||||
|
a per-slab random value. On free, integrity of the canary is checked to
|
||||||
|
detect attacks like linear overflows or other forms of heap corruption caused
|
||||||
|
by imprecise exploit primitives. However, checking on free will often be too
|
||||||
|
late to prevent exploitation so it's not the main purpose of the canaries.
|
||||||
* `CONFIG_SEAL_METADATA`: `true` or `false` (default) to control whether Memory
|
* `CONFIG_SEAL_METADATA`: `true` or `false` (default) to control whether Memory
|
||||||
Protection Keys are used to disable access to all writable allocator state
|
Protection Keys are used to disable access to all writable allocator state
|
||||||
outside of the memory allocator code. It's currently disabled by default due
|
outside of the memory allocator code. It's currently disabled by default due
|
||||||
|
@ -77,16 +102,11 @@ The available configuration options are the following:
|
||||||
contained within an isolated memory region with high entropy random guard
|
contained within an isolated memory region with high entropy random guard
|
||||||
regions around it.
|
regions around it.
|
||||||
|
|
||||||
Additional compile-time configuration is available in the `config.h` file for
|
More advanced compile-time configuration is available in the `config.h` file
|
||||||
controlling the balance between security and performance / memory usage. By
|
and will be migrated to the main configuration when proper sanity checks and
|
||||||
default, all the optional security features are enabled. Options are only
|
documentation are written. The following advanced options are available:
|
||||||
provided for the features with a significant performance or memory usage cost.
|
|
||||||
|
|
||||||
```
|
```
|
||||||
#define WRITE_AFTER_FREE_CHECK true
|
|
||||||
#define SLOT_RANDOMIZE true
|
|
||||||
#define ZERO_ON_FREE true
|
|
||||||
#define SLAB_CANARY true
|
|
||||||
#define GUARD_SLABS_INTERVAL 1
|
#define GUARD_SLABS_INTERVAL 1
|
||||||
#define GUARD_SIZE_DIVISOR 2
|
#define GUARD_SIZE_DIVISOR 2
|
||||||
#define REGION_QUARANTINE_RANDOM_SIZE 128
|
#define REGION_QUARANTINE_RANDOM_SIZE 128
|
||||||
|
|
4
config.h
4
config.h
|
@ -3,10 +3,6 @@
|
||||||
|
|
||||||
#include <stdbool.h>
|
#include <stdbool.h>
|
||||||
|
|
||||||
#define WRITE_AFTER_FREE_CHECK true
|
|
||||||
#define SLOT_RANDOMIZE true
|
|
||||||
#define ZERO_ON_FREE true
|
|
||||||
#define SLAB_CANARY true
|
|
||||||
#define GUARD_SLABS_INTERVAL 1
|
#define GUARD_SLABS_INTERVAL 1
|
||||||
#define GUARD_SIZE_DIVISOR 2
|
#define GUARD_SIZE_DIVISOR 2
|
||||||
#define REGION_QUARANTINE_RANDOM_SIZE 128
|
#define REGION_QUARANTINE_RANDOM_SIZE 128
|
||||||
|
|
Loading…
Reference in New Issue