NAME
MRS — Malloc Revocation Shim
LIBRARY
Standard C Library (libc, -lc)
SYNOPSIS
#include <stdlib.h>

void *
malloc(size_t size);

void *
calloc(size_t number, size_t size);

int
posix_memalign(void **ptr, size_t alignment, size_t size);

void *
aligned_alloc(size_t alignment, size_t size);

void *
realloc(void *ptr, size_t size);

void
free(void *ptr);
DESCRIPTION
The Malloc Revocation Shim (MRS) extends a CHERI-aware malloc implementation with revocation support, providing heap temporal safety. MRS wraps the underlying allocator and manages quarantine queues which are revoked by cheri_revoke(2).

MRS implements all standard malloc interfaces. For detailed documentation of those interfaces see jemalloc(3). It also provides partial implementations of the non-standard jemalloc(3) interfaces mallocx(), rallocx(), dallocx(), and sdallocx(). These differ from the underlying implementations in that the MALLOCX_TCACHE and MALLOCX_ARENA flags are ignored if revocation is enabled. The undocumented jemalloc(3) 3.0 interfaces are not implemented by MRS because no CheriABI program should have ever used them.
ENABLING REVOCATION
Because heap temporal safety is an experimental feature with performance impacts that are not fully characterized, MRS provides a number of policy mechanisms to control MRS revocation. When a program using MRS starts up, an array of parameters is evaluated to determine whether freed objects should be quarantined and revoked or whether the underlying implementations should be exposed directly. If the ELF_BSDF_CHERI_REVOKE flag of the AT_BSDFLAGS ELF auxiliary argument variable is set then the program will revoke.

The kernel considers the following factors in order of decreasing precedence when setting AT_BSDFLAGS flags:

- The presence of P2_CHERI_REVOKE_ENABLE or P2_CHERI_REVOKE_DISABLE in the process flags, as controlled by the procctl(2) PROC_CHERI_REVOKE_CTL command, which is administratively set by proccontrol(1). If either is set then ELF_BSDF_CHERI_REVOKE is set if P2_CHERI_REVOKE_DISABLE is not present, and further factors are not considered.
- The presence of NT_FREEBSD_FCTL_CHERI_REVOKE_DISABLE or NT_FREEBSD_FCTL_CHERI_REVOKE_ENABLE in the FreeBSD feature control ELF note, as set by elfctl(1). If either is set then ELF_BSDF_CHERI_REVOKE is set if NT_FREEBSD_FCTL_CHERI_REVOKE_DISABLE is not present, and further factors are not considered.
- The value of the security.cheri.runtime_revocation_default sysctl. If this is non-zero then ELF_BSDF_CHERI_REVOKE is set.
A program can determine at runtime if MRS or similar revocation is enabled by checking the return value of malloc_revoke_enabled().
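The precedence rules listed above, modelled as one decision function in C. This is an added example, not kernel or MRS code: the flag names are those documented here, but their bit values, the input struct and the decide_revoke() name are assumptions made for the model, and the real kernel derives the inputs from the process, the ELF note and the sysctl itself.

```c
#include <stdint.h>
#include <stdio.h>

/* Flag names follow mrs(3); the bit values are assumed for this model only. */
#define P2_CHERI_REVOKE_ENABLE               0x1u
#define P2_CHERI_REVOKE_DISABLE              0x2u
#define NT_FREEBSD_FCTL_CHERI_REVOKE_ENABLE  0x1u
#define NT_FREEBSD_FCTL_CHERI_REVOKE_DISABLE 0x2u
#define ELF_BSDF_CHERI_REVOKE                0x1u

/* The three inputs the kernel consults, in order of decreasing precedence
 * (constructed for this example; not a kernel structure). */
struct revoke_policy_inputs {
    uint32_t p2_flags;       /* process flags: procctl(2) PROC_CHERI_REVOKE_CTL */
    uint32_t fctl_flags;     /* FreeBSD feature control ELF note: elfctl(1) */
    int      sysctl_default; /* security.cheri.runtime_revocation_default */
};

/* Returns the revocation bit for AT_BSDFLAGS: ELF_BSDF_CHERI_REVOKE or 0. */
uint32_t decide_revoke(const struct revoke_policy_inputs *in)
{
    /* 1. Process flags: if either is present they decide, and DISABLE wins
     *    even when ENABLE is also set ("set if DISABLE is not present"). */
    if (in->p2_flags & (P2_CHERI_REVOKE_ENABLE | P2_CHERI_REVOKE_DISABLE))
        return (in->p2_flags & P2_CHERI_REVOKE_DISABLE) ? 0 : ELF_BSDF_CHERI_REVOKE;
    /* 2. ELF note: same rule, consulted only when no process flag is set. */
    if (in->fctl_flags & (NT_FREEBSD_FCTL_CHERI_REVOKE_ENABLE |
                          NT_FREEBSD_FCTL_CHERI_REVOKE_DISABLE))
        return (in->fctl_flags & NT_FREEBSD_FCTL_CHERI_REVOKE_DISABLE) ? 0 : ELF_BSDF_CHERI_REVOKE;
    /* 3. Otherwise the system-wide sysctl default applies. */
    return in->sysctl_default != 0 ? ELF_BSDF_CHERI_REVOKE : 0;
}

int main(void)
{
    /* The EXAMPLES scenario: a binary marked +nocherirevoke by elfctl(1) and
     * then run under proccontrol -m cherirevoke -s enable; the process flag wins. */
    struct revoke_policy_inputs opted_out  = { 0, NT_FREEBSD_FCTL_CHERI_REVOKE_DISABLE, 1 };
    struct revoke_policy_inputs overridden = { P2_CHERI_REVOKE_ENABLE,
                                               NT_FREEBSD_FCTL_CHERI_REVOKE_DISABLE, 1 };
    printf("elfctl +nocherirevoke only      -> %s\n",
           decide_revoke(&opted_out) ? "revoke" : "no revocation");
    printf("plus proccontrol cherirevoke on -> %s\n",
           decide_revoke(&overridden) ? "revoke" : "no revocation");
    return 0;
}
```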
TRACING
MRS supports utrace(2) event logging, which can be enabled by setting the _MRS_UTRACE environment variable, collected by ktrace(1) and viewed by kdump(1). This produces output like:

$ kdump -H -t u
 21593 101243 git      USER  0x45e00000 = malloc(50708)
 21593 101243 git      USER  0x45e00000 = mrs_malloc(50708)
 21593 101243 git      USER  mrs_free(0x45e00000)
 21593 101243 git      USER  quarantine_insert(0x45e00000, 57344)
 21593 101242 git      USER  quarantine_flush()

IMPLEMENTATION NOTES
MRS requires that allocators be extended to provide a void *malloc_underlying_allocation(void *) interface which takes a capability passed to free() or realloc() and returns a capability to the underlying allocator bearing the permission. This capability will not be revoked and thus can be stored in the quarantine structure. This interface must not be exported outside the implementation.
EXAMPLES
To alter a binary to disable use of revocation, use:

elfctl -e +nocherirevoke <program>

To override the system default and binary settings, run the program as follows:

proccontrol -m cherirevoke -s enable <program>

SEE ALSO
elfctl(1), kdump(1), ktrace(1), proccontrol(1), jemalloc(3), malloc_revoke_enabled(3), malloc_revoke_quarantine_force_flush(3), sysctl(8)
BUGS
MRS currently has a single quarantine queue protected by a mutex. For multi-threaded applications where concurrent malloc(3) performance is important, this will be a significant bottleneck.
AUTHORS
This software and this manual page were developed by SRI International, the University of Cambridge Computer Laboratory (Department of Computer Science and Technology), and Capabilities Limited under contract (HR001123C0031) (“MTSS”).