From: Florian Weimer <fw@deneb.enyo.de>
To: Rich Felker <dalias@libc.org>
Cc: Carlos O'Donell <carlos@redhat.com>,
libc-alpha <libc-alpha@sourceware.org>
Subject: Re: RFC: malloc and secure memory.
Date: Sun, 27 Sep 2020 22:29:02 +0200 [thread overview]
Message-ID: <87wo0fklpt.fsf@mid.deneb.enyo.de> (raw)
In-Reply-To: <20200926170710.GR3265@brightrain.aerifal.cx> (Rich Felker's message of "Sat, 26 Sep 2020 13:07:11 -0400")
* Rich Felker:
> On Thu, Sep 24, 2020 at 04:56:59PM -0400, Carlos O'Donell via Libc-alpha wrote:
>> In reviewing this discussion:
>> https://github.com/systemd/systemd/pull/14213
>>
>> The request is for a way to mark some allocations as "secure"
>> and to give them special properties.
>>
>> I wonder if we can't do this in some generic way:
>>
>> - Make arenas a first class construct.
>>
>> /* Get arena with special properties. */
>> malloc_arena *secure_arena = NULL;
>> /* Get a handle to an arena that has secure heaps. If glibc can make this
>> kind of arena and heap then it does, otherwise it returns NULL. */
>> secure_arena = malloc_arena_get (HEAP_SECURE);
>> /* Does this glibc support his kind of arena? */
>> if (secure_arena == NULL)
>> abort();
>>
>> - Bind the malloc call site to a specific arena with specific properties.
>
> I don't see any plausible motivation for why a caller would want to do
> this rather than just calling mmap. It's far less portable, more
> error-prone (since it doesn't look like it would catch use of one type
> where you meant the other, as opposed to with direct mmap where
> passing it to free or vice versa would trap at some point), and more
> complex to program for.
Many systems only allow 64 KiB of non-swappable memory per process, so
calling mmap (followed by mlock) would be quite wasteful and restrict
the number of active allocations to 16 with a 4 KiB page size.
There are various competing ideas what “secure” should mean in this
context, so maybe it's supposed to be about something else, and the 64
KiB wouldn't apply. It would be tough to get multiple libraries to
coordinate the best use of this space even with a finer-grained
allocator—who wants to use non-secure memory for their data?
But I think the general idea to require that programers open-code
matching allocator and deallactor calls is not too onerous. If it is,
the next village down the road has std::allocator on offer.
prev parent reply other threads:[~2020-09-27 20:29 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-24 20:56 Carlos O'Donell
2020-09-25 6:39 ` Florian Weimer
2020-09-25 16:10 ` Carlos O'Donell
2020-09-25 23:39 ` Stefan O'Rear
2020-09-27 12:39 ` Carlos O'Donell
2020-09-26 17:07 ` Rich Felker
2020-09-27 14:04 ` Carlos O'Donell
2020-09-27 20:29 ` Florian Weimer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87wo0fklpt.fsf@mid.deneb.enyo.de \
--to=fw@deneb.enyo.de \
--cc=carlos@redhat.com \
--cc=dalias@libc.org \
--cc=libc-alpha@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).