(Key bits marked with a *, rest optional)
The Malloc Des-Maleficarum (blackngel) :: A practical guide to the Malloc Maleficarum…
Explain what is meant by an arena, a heap, and a chunk and how they relate? (5 marks)
To defend against use after free attacks, Alice has the following macro defined:
#define FREE(x) { free(x); x = NULL; }
Is that going to be sufficient to stop the vulnerability and why? What tradeoffs are being made? What about compiler optimizations? (5 marks)
…okay maybe that last one would be rather mean for an exam; speculate away and we can discuss in the next lab if anyone is keen!
(also… Microsoft have recently announced that they'll be including support for CHERI primitives in the latest version of Windows; sometimes research really does become real-world technology!)
An arena is one instance of the allocator's bookkeeping state (in glibc, a malloc_state holding the bins, the top chunk and the lock) that one or more threads allocate from; the main arena is backed by the brk-grown heap, secondary arenas by mmap()ed heaps (1). An arena will contain at least one heap (1). A heap is a contiguous region of memory owned by an arena, and it is divided up into chunks as memory is allocated and freed (1). A chunk is the unit the user actually receives: a size word (low bits used as flags) sits immediately before the returned pointer, and once freed a chunk is threaded onto one of the arena's bins for reuse (1).
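An added example (my code, not from the lecture notes or the reading list) that reads glibc's chunk header to see the heap/chunk relationship and the arena and mmap flags in practice. It assumes a 64-bit Linux/glibc build with default malloc tunables; the raw header read is deliberately out of bounds and means nothing on other allocators, so it is lab code only.

```c
/* glibc chunk-header walk: an added example for the arena/heap/chunk
 * question, not code from the lecture notes. Assumes Linux/glibc on a
 * 64-bit target (8-byte size words, 16-byte alignment, default tunables). */
#include <malloc.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Flag bits kept in the low 3 bits of a chunk's size word. */
#define PREV_INUSE     ((size_t)1)  /* previous chunk is in use */
#define IS_MMAPPED     ((size_t)2)  /* chunk came straight from mmap(), not a heap */
#define NON_MAIN_ARENA ((size_t)4)  /* chunk belongs to a secondary arena */
#define SIZE_MASK      (~(size_t)7)

/* The size word lives one size_t before the pointer malloc() returned.
 * Reading it is a deliberate out-of-bounds access: lab use only. */
static size_t size_word(const void *p) { return ((const size_t *)p)[-1]; }

/* Size of the chunk that malloc(n) is carved from: n plus the size word,
 * rounded up to 16, minimum 32 (so 24 -> 32, 25 -> 48). */
size_t chunk_size_for(size_t n) {
    void *p = malloc(n);
    if (!p) return 0;
    size_t sz = size_word(p) & SIZE_MASK;
    free(p);
    return sz;
}

/* While a chunk is in use its usable area extends over the next chunk's
 * prev_size field, so usable bytes == chunk size minus one size word. */
int header_matches_usable(size_t n) {
    void *p = malloc(n);
    if (!p) return 0;
    int ok = (size_word(p) & SIZE_MASK) == malloc_usable_size(p) + sizeof(size_t);
    free(p);
    return ok;
}

/* Small allocations from the main thread carry neither flag: they sit in
 * the main arena's heap, the brk-grown region. */
int in_main_arena_heap(size_t n) {
    void *p = malloc(n);
    if (!p) return 0;
    int r = (size_word(p) & (NON_MAIN_ARENA | IS_MMAPPED)) == 0;
    free(p);
    return r;
}

/* Requests above the mmap threshold (128 KiB by default) bypass the heap:
 * the chunk is its own mmap() mapping and IS_MMAPPED is set. */
int served_by_mmap(size_t n) {
    void *p = malloc(n);
    if (!p) return 0;
    int r = (size_word(p) & IS_MMAPPED) != 0;
    free(p);   /* glibc raises its dynamic mmap threshold after this free */
    return r;
}

/* Back-to-back allocations carve adjacent chunks out of the heap's top
 * chunk, so the second user pointer is the first plus the first's chunk
 * size (provided no free chunk of that size was waiting in a bin). */
int chunks_adjacent(size_t n) {
    char *a = malloc(n), *b = malloc(n);
    if (!a || !b) { free(a); free(b); return 0; }
    int adjacent = (b == a + (size_word(a) & SIZE_MASK));
    free(b);
    free(a);
    return adjacent;
}

int main(void) {
    printf("adjacent(200)=%d size(24)=%zu size(25)=%zu usable_ok=%d main_arena=%d mmapped=%d\n",
           chunks_adjacent(200), chunk_size_for(24), chunk_size_for(25),
           header_matches_usable(24), in_main_arena_heap(40),
           served_by_mmap((size_t)1 << 20));
    return 0;
}
```

Order matters when you play with this: run chunks_adjacent before anything frees a chunk of the same size (a freed chunk parked in tcache would be handed back first and break adjacency), and call served_by_mmap once, since freeing an mmapped chunk raises glibc's dynamic threshold so the next request of that size is served from the heap instead.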
Whilst that will stop x being reused in the same function (1) (or at least turn any later dereference into a NULL-pointer dereference, which crashes loudly rather than quietly reading freed memory), as soon as x is aliased (i.e. passed by value into another function or copied into another variable or struct field) the copy still holds the old address and the macro does nothing to it (1). Nulling the pointer inside a callee only nulls the callee's own parameter, never the caller's variable.
Checking that you're not reusing a pointer after you free it within one function is useful and will likely turn a latent bug into an explicit crash, but this shouldn't give you false confidence that the bug isn't actually present. In the best case, if x really isn't ever used again in that function, an optimising compiler will treat the write to x as a dead store and remove it anyway, making the whole exercise redundant (1). Two further trade-offs worth raising: free(NULL) is a no-op, so a double free through the macro is silently masked rather than detected, and the bare-brace body is not a single statement (an if/else wrapped around FREE(x); will not compile), which is why such macros are normally written as do { ... } while (0).
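To make the discussion concrete, an added example (my code, not from the lecture notes) that exercises Alice's macro in each of the situations above: same-scope reuse, an aliased copy, a pointer passed by value, a double free, and the if/else hazard. The FREE_STMT macro, struct session and release() are my own illustrative names; each function returns 1 when the behaviour its comment describes was observed.

```c
/* Exercising Alice's FREE() macro: an added example for the use-after-free
 * question, not code from the lecture notes. Pointer values are only ever
 * compared after free(), never dereferenced. */
#include <stdint.h>
#include <stdlib.h>

/* The macro exactly as in the question. */
#define FREE(x) { free(x); x = NULL; }

/* Case 1: same scope. After FREE(x), x is NULL, so a later *x is a NULL
 * dereference (a loud crash) rather than a quiet read of freed memory. */
int same_scope_is_nulled(void) {
    char *x = malloc(32);
    if (!x) return 0;
    FREE(x);
    return x == NULL;
}

/* Case 2: a copy of the pointer (here a struct field, as a session table or
 * linked list would hold) is untouched: it still holds the freed chunk's
 * address. Dereferencing s.buf here would be the real use after free. */
struct session { char *buf; };

int alias_survives(void) {
    char *x = malloc(32);
    if (!x) return 0;
    struct session s = { x };            /* the alias the macro never sees */
    uintptr_t before = (uintptr_t)x;
    FREE(x);
    return x == NULL && (uintptr_t)s.buf == before;
}

/* Case 3: pointer passed by value. The callee nulls its own parameter only,
 * and the caller's x is left dangling. Under -O2 the compiler will normally
 * drop the "p = NULL" in release() altogether: p is never read again, so the
 * store is dead. */
static void release(char *p) { FREE(p); }

int caller_left_dangling(void) {
    char *x = malloc(32);
    if (!x) return 0;
    uintptr_t before = (uintptr_t)x;
    release(x);
    return (uintptr_t)x == before;        /* caller's copy unchanged */
}

/* Case 4: the macro hides double frees instead of catching them, because
 * free(NULL) is a no-op. A literal free(x); free(x); of the same chunk is
 * something modern glibc would abort on (tcache double-free detection). */
int double_free_masked(void) {
    char *x = malloc(32);
    if (!x) return 0;
    FREE(x);
    FREE(x);                              /* free(NULL): silently does nothing */
    return x == NULL;
}

/* Case 5: the bare-brace form is not a single statement, so it cannot sit
 * between if and else. This is the usual fix for that one hazard; it does
 * nothing about aliasing. FREE_STMT is my name for it. */
#define FREE_STMT(x) do { free(x); (x) = NULL; } while (0)

int stmt_form_in_if_else(int cond) {
    char *x = malloc(32);
    if (!x) return 0;
    if (cond) FREE_STMT(x); else x[0] = 'a';   /* would not compile with FREE() */
    int r = cond ? (x == NULL) : (x != NULL);
    free(x);                              /* free(NULL) is fine on the cond path */
    return r;
}
```

Compile the file with and without -O2 and look at the disassembly of release(): with optimisation the store of NULL to the parameter disappears, which is the dead-store point in the answer above. The only case the macro genuinely helps with is the first one, and even there it converts a silent UAF into a crash rather than removing the bug.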
This definitely falls into "only if you're interested" territory, but CHERI is really interesting.