Hardened malloc() for FreeBSD

vulpine · Nov 5, 2022

Is there a security oriented memory allocator for FreeBSD like GrapheneOS/Linux's Hardened_malloc library https://github.com/GrapheneOS/hardened_malloc or OpenBSD's Otto-malloc https://man.openbsd.org/malloc.3 where you can enable additional checks? I'd like to do additional hardening on some of my servers where I'm concerned about memory based zero-days based on things using historically difficult to implement perfectly libraries like libexpat.

vulpine · May 15, 2024

Still have not found a solution to this

Partmedia · May 15, 2024

See the jemalloc() manual page. Some hardening checks are available when jemalloc is built with --enable-debug, however this is disabled by default in production. You could recompile a development version of FreeBSD, but if your concern is your own application code, you should consider Clang's -fsanitize=address or something like Valgrind.

cracauer@ · May 15, 2024

Have you tried using those other mallocs on FreeBSD? Generally, a malloc implementation runs portably. Whether the hardening part needs any kernel features is to be tried out.

vulpine · May 17, 2024

Partmedia said:
See the jemalloc() manual page. Some hardening checks are available when jemalloc is built with --enable-debug, however this is disabled by default in production. You could recompile a development version of FreeBSD, but if your concern is your own application code, you should consider Clang's -fsanitize=address or something like Valgrind.

Is there a way to only enable security those additional hardening options for some precompiled software from pkg? I don't think I need it everywhere just a few worrysome areas like libexpat and some networked daemons.

vulpine · May 17, 2024

cracauer@ said:
Have you tried using those other mallocs on FreeBSD? Generally, a malloc implementation runs portably. Whether the hardening part needs any kernel features is to be tried out.

I did look into it but HardenedMalloc used Linux specific features. I suppose taking OpenBSD's malloc and trying to port that could work. I don't think I have the C skills yet to do that though I could take a crack at it. Has anyone ported OttoMalloc to FreeBSD before?

Partmedia · May 17, 2024

vulpine said:
Is there a way to only enable security those additional hardening options for some precompiled software from pkg? I don't think I need it everywhere just a few worrysome areas like libexpat and some networked daemons.

No, you need to recompile the system and all the ports to use the hardened malloc from jemalloc.

As others have said, you can recompile individual ports with a different malloc implementation. But if you're recompiling anyway, I'd recommend that you try clang's address sanitizer and tools like valgrind. If you're worried about libexpat and networked daemons, you might go a different route and try to sandbox them using Capsicum, but that will take significant development work.

cracauer@ · May 17, 2024

In general you can change malloc() choices on precompiled binaries via $LD_PRELOAD.

Of course you first need to compile your malloc of choice.