Exploring GrapheneOS secure allocator: Hardened Malloc

https://www.synacktiv.com/en/publications/exploring-grapheneos-secure-allocator-hardened-malloc

106•r4um•4mo ago

Comments

mrtesthah•4mo ago

Relatedly, check out Apple’s own kalloc_type allocator that they use with MTE as well as newer silicon-level changes for extremely broad memory integrity enforcement:

https://security.apple.com/blog/memory-integrity-enforcement...

pjmlp•4mo ago

Or Solaris SPARC ADI memory allocator,

https://docs.oracle.com/cd/E88353_01/html/E37843/malloc-3c.h...

pizlonator•4mo ago

Yeah that work is way more impressive.

I like how they demonstrated exactly how it impacts known exploits for example

pizlonator•4mo ago

The problem with these kinds of hardened allocators is that:

- They impact performance.

- They don’t prevent the attacker from pivoting a memory safety bug to remote execution.

- They get oversold (like calling it “secure”).

That’s not to say there aren’t allocator mitigations that help. It’s just that this isn’t it. Quarantining for example just means the attacker has to do a bit more acrobatics, but it won’t stop them.

I think what Apple is doing with typed allocations is much more principled and they have data to prove it in their blog posts

drnick1•4mo ago

Yes, but it also means you need an Apple device, and hence a locked down system. You also need to take all of Apple's privacy claims at face value. No thanks.

manbash•4mo ago

> They don’t prevent the attacker from pivoting a memory safety bug to remote execution.

I'm confused. Isn't this potentially preventing some classes of memory-safety bugs?

pizlonator•4mo ago

No, it’s not

OneDeuxTriSeiGo•4mo ago

> I think what Apple is doing with typed allocations is much more principled and they have data to prove it in their blog posts

This is one of the things that hardened malloc is doing (and is part of the post). Newer pixels are shipping with MTE support and graphene's malloc leverages MTE as much as possible.

skavi•4mo ago

They’re referring to kalloc_type [0] [1].

[0]: https://security.apple.com/blog/towards-the-next-generation-...

[1]: https://security.apple.com/blog/what-if-we-had-sockpuppet-in...

codedokode•4mo ago

There might be processes that have high privileges, but don't need high performance, for example: sudo utility, new USB device detection daemon, bluetooth communication daemon.

Also idea described in Apple's article (never reuse allocated addresses for other types) cannot be easily implemented for any allocator. Consider a memory pipe (circular buffer), where one process pushes messages and another reads them. How do you implement Apple-style memory safety here? One of the ideas is of course to map the buffer multiple times, so that every allocation returns a new virtual address, but how many syscalls you will need for that and how badly that would impact performance.

I replaced the front page with AI slop and honestly it's an improvement

Economists vs. Technologists on AI

Life at the Edge

RISC-V Vector Primer

Show HN: Invoxo – Invoicing with automatic EU VAT for cross-border services

A Tale of Two Standards, POSIX and Win32 (2005)

Ask HN: Is the Downfall of SaaS Started?

Flirt: The Native Backend

OpenAI's Latest Platform Targets Enterprise Customers

Goldman Sachs taps Anthropic's Claude to automate accounting, compliance roles

Ai.com bought by Crypto.com founder for $70M in biggest-ever website name deal

Big Tech's AI Push Is Costing More Than the Moon Landing

The AI boom is causing shortages everywhere else

Suno, AI Music, and the Bad Future [video]

Ask HN: How are researchers using AlphaFold in 2026?

Running the "Reflections on Trusting Trust" Compiler

Watermark API – $0.01/image, 10x cheaper than Cloudinary

Now send your marketing campaigns directly from ChatGPT

Queueing Theory v2: DORA metrics, queue-of-queues, chi-alpha-beta-sigma notation

Show HN: Hibana – choreography-first protocol safety for Rust

Haniri: A live autonomous world where AI agents survive or collapse

GPT-5.3-Codex System Card [pdf]

Atlas: Manage your database schema as code

Geist Pixel

Show HN: MCP to get latest dependency package and tool versions

The better you get at something, the harder it becomes to do

Show HN: WP Float – Archive WordPress blogs to free static hosting

Show HN: I Hacked My Family's Meal Planning with an App

Sony BMG copy protection rootkit scandal

The Future of Systems

I replaced the front page with AI slop and honestly it's an improvement

Economists vs. Technologists on AI

Life at the Edge

RISC-V Vector Primer

Show HN: Invoxo – Invoicing with automatic EU VAT for cross-border services

A Tale of Two Standards, POSIX and Win32 (2005)

Ask HN: Is the Downfall of SaaS Started?

Flirt: The Native Backend

OpenAI's Latest Platform Targets Enterprise Customers

Goldman Sachs taps Anthropic's Claude to automate accounting, compliance roles

Ai.com bought by Crypto.com founder for $70M in biggest-ever website name deal

Big Tech's AI Push Is Costing More Than the Moon Landing

The AI boom is causing shortages everywhere else

Suno, AI Music, and the Bad Future [video]

Ask HN: How are researchers using AlphaFold in 2026?

Running the "Reflections on Trusting Trust" Compiler

Watermark API – $0.01/image, 10x cheaper than Cloudinary

Now send your marketing campaigns directly from ChatGPT

Queueing Theory v2: DORA metrics, queue-of-queues, chi-alpha-beta-sigma notation

Show HN: Hibana – choreography-first protocol safety for Rust

Haniri: A live autonomous world where AI agents survive or collapse

GPT-5.3-Codex System Card [pdf]

Atlas: Manage your database schema as code

Geist Pixel

Show HN: MCP to get latest dependency package and tool versions

The better you get at something, the harder it becomes to do

Show HN: WP Float – Archive WordPress blogs to free static hosting

Show HN: I Hacked My Family's Meal Planning with an App

Sony BMG copy protection rootkit scandal

The Future of Systems

Exploring GrapheneOS secure allocator: Hardened Malloc

Comments