[ANN] malloc'd ByteArrays

Todd Fleming todd at flemingcnc.com
Tue Dec 13 09:10:16 PST 2005


Brian Rice wrote:

> ExternalLibrary doesn't give you direct access to manually-allocated  
> memory, however, so the fact that a pointer is returned is  
> immaterial. I guess what I'm saying is that I object to the  
> possibility of dereferencing arbitrary parts of a malloc()'d area or  
> areas outside what's been allocated.
>
> So, this does not remove the limit on malloc()'d areas in my mind,  
> since part of the point of these handles is to make sure that the  
> Image doesn't cause an invalid memory access, or worse, overwrite  
> other places in the valid heap area, and crash the whole system. I  
> don't see how your proposal lets me remove those arrays without  
> security repercussions.
>

Yes, I see now.  This is critical.

> Remember that I'm not just thinking of your code, but of your code's  
> security against other code. What protects the system from side  
> effects that alter a direct-pointer handle and accessing arbitrary  
> memory? A malloc plugin is NOT a trivial security issue. The entire  
> thing is written to avoid buffer overflows. Do you have suggestions  
> to keep the VM safe from image-side code and yet allow unlimited  
> malloc() usage?
>
I have an idea, but it depends on one thing: is there a way to limit 
slot, method, and primitive access so that only approved methods can 
read, write, or call them?  I guess this is what Subjective Dispatch 
will help with.

If so, we could limit the primitives that malloc, free, read, and write 
memory so that they only may be called by the wrapper methods.  The 
wrapper methods would provide a public way to get the pointer value (for 
plugins), but wouldn't provide a way to set the pointer value.  The 
wrapper methods would check bounds before calling the primitives.

There is a similar hole in the Cairo wrapper that needs plugging; I 
don't know how to prevent the user from modifying the wrapper's pointer 
values.  This could cause Cairo to clobber arbitrary memory.

> You'll notice that I had also added bytesPerWord and Platform  
> endianness primitives to the platform plugin, entirely with this in  
> mind. Give me some credit. ;)

Oooh, nice!

Todd
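
The wrapper scheme sketched above (privileged malloc/free/read/write primitives reachable only through bounds-checking wrappers, a public getter for the pointer but no setter) and the Cairo concern about user code modifying a wrapper's pointer value can both be shown in the VM's own implementation language. The following is an added example in C, not Slate code and not anything from the Slate VM or its Cairo wrapper; the handle-table layout, the `MAX_HANDLES` limit and every function name are assumptions made for illustration. Image-side code would hold only the small integer returned by `handle_alloc`, so there is no pointer field for it to overwrite, and every access goes through one overflow-safe bounds check:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical handle table (added example, not Slate's or the VM's code).
 * Image-side code never sees a C pointer: it gets a small integer index into
 * this file-private table, and the entries are only ever assigned by
 * handle_alloc()/handle_free() below. That is what makes the pointer
 * unsettable from outside. */
#define MAX_HANDLES 64
static struct {
    uint8_t *base;   /* start of the malloc'd region, NULL if the slot is free */
    size_t   size;   /* length in bytes; the bound every access is checked against */
} table[MAX_HANDLES];

/* Returns a handle index >= 0, or -1 on failure. */
int handle_alloc(size_t size)
{
    if (size == 0) return -1;   /* malloc(0) is implementation-defined; refuse it */
    for (int i = 0; i < MAX_HANDLES; i++) {
        if (table[i].base != NULL) continue;
        uint8_t *p = calloc(size, 1);   /* zeroed, so reads of untouched bytes are defined */
        if (p == NULL) return -1;
        table[i].base = p;
        table[i].size = size;
        return i;
    }
    return -1;   /* table full */
}

/* A handle is valid only if it is in range and backed by a live allocation. */
static bool live(int h)
{
    return h >= 0 && h < MAX_HANDLES && table[h].base != NULL;
}

void handle_free(int h)
{
    if (!live(h)) return;
    free(table[h].base);
    table[h].base = NULL;   /* later use of this handle is rejected instead of touching freed memory */
    table[h].size = 0;
}

size_t handle_size(int h) { return live(h) ? table[h].size : 0; }

/* Read-only view of the address for plugins that must hand it to a C library.
 * There is deliberately no handle_set_address(). */
uintptr_t handle_address(int h) { return live(h) ? (uintptr_t)table[h].base : 0; }

/* Central bounds check: [offset, offset + len) must lie inside [0, size).
 * Written as `offset <= size - len` so the sum cannot overflow size_t. */
static bool in_bounds(int h, size_t offset, size_t len)
{
    return live(h) && len <= table[h].size && offset <= table[h].size - len;
}

bool handle_read_bytes(int h, size_t offset, size_t len, void *dst)
{
    if (!in_bounds(h, offset, len)) return false;
    memcpy(dst, table[h].base + offset, len);
    return true;
}

bool handle_write_bytes(int h, size_t offset, size_t len, const void *src)
{
    if (!in_bounds(h, offset, len)) return false;
    memcpy(table[h].base + offset, src, len);
    return true;
}

bool handle_read_byte(int h, size_t index, uint8_t *out)
{
    return handle_read_bytes(h, index, 1, out);
}

bool handle_write_byte(int h, size_t index, uint8_t value)
{
    return handle_write_bytes(h, index, 1, &value);
}

int main(void)
{
    int h = handle_alloc(16);
    uint8_t buf[4] = {0};
    printf("write byte 15:           %s\n", handle_write_byte(h, 15, 0x41) ? "ok" : "rejected");
    printf("write byte 16:           %s\n", handle_write_byte(h, 16, 0x41) ? "ok" : "rejected");
    printf("read 4 bytes at 12:      %s\n", handle_read_bytes(h, 12, 4, buf) ? "ok" : "rejected");
    printf("read 4 bytes at 14:      %s\n", handle_read_bytes(h, 14, 4, buf) ? "ok" : "rejected");
    printf("read 1 byte at SIZE_MAX: %s\n", handle_read_bytes(h, SIZE_MAX, 1, buf) ? "ok" : "rejected");
    handle_free(h);
    printf("read after free:         %s\n", handle_read_byte(h, 0, buf) ? "ok" : "rejected");
    return 0;
}
```

The `offset <= size - len` form matters: the more obvious `offset + len <= size` wraps around for a large `offset` and lets a read at `SIZE_MAX` through. Clearing the table slot in `handle_free` means a stale handle fails `live()` rather than reaching freed memory, which is the same kind of protection the image-side handles are meant to give.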

