Open Bug 1052575 (heap-partitioning) Opened 5 years ago Updated 2 months ago

Tracking: store content-controlled buffers in a separate heap

Component: Core :: Security (defect)
People: Reporter: benjamin, Unassigned
References: Depends on 4 open bugs, Blocks 1 open bug

This is a tracking bug for a project to store content-controlled buffers such as strings, ArrayBuffer, network buffers, and other similar data in a heap separate from the normal C++ heap.

Links and prior art:
https://labs.mwrinfosecurity.com/blog/2014/06/20/isolated-heap-friends---object-allocation-hardening-in-web-browsers/
https://codereview.chromium.org/26196002
https://chromium.googlesource.com/chromium/blink/+/master/Source/wtf/PartitionAlloc.h
Depends on: 1052576
Depends on: 1052579
Depends on: 1052582
Alias: heap-partitioning
Depends on: 1053362
Depends on: 1028345
As we move this forward I wanted to point to the current partitions that Chromium has: https://chromium.googlesource.com/chromium/blink/+/master/Source/wtf/Partitions.h#127

The first target would be what they call the buffer partition - all JavaScript objects that are near-entirely user controlled (strings, arrays, and any similar or synonymous types) would be segmented into a separate partition. Once that is done and baked we can determine what would be good future targets for this work.
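The buffer-partition idea from the comment above, as an added illustration that is not Firefox's or Chromium's code (partition_t, partition_alloc, partition_contains and demo_separation are hypothetical names): two mmap-backed regions, each ending in a PROT_NONE guard page, one holding content-controlled bytes and the other holding objects that carry pointers, so that a string body can never be adjacent to object metadata.

```c
#define _DEFAULT_SOURCE
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Toy partition (hypothetical, not a real allocator): a reserved address range
 * with a bump pointer and a PROT_NONE guard page at its end, so a linear
 * overrun faults instead of reaching whatever range follows. */
typedef struct { uint8_t *base; size_t size; size_t used; } partition_t;

static bool partition_init(partition_t *p, size_t size) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    uint8_t *mem = mmap(NULL, size + page, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return false;
    if (mprotect(mem + size, page, PROT_NONE) != 0) return false; /* guard page */
    p->base = mem; p->size = size; p->used = 0;
    return true;
}

static void *partition_alloc(partition_t *p, size_t n) {
    if (n == 0 || n > p->size - p->used) return NULL;
    n = (n + 15) & ~(size_t)15;                  /* 16-byte alignment */
    if (n > p->size - p->used) return NULL;      /* rounding may exceed what is left */
    void *out = p->base + p->used;
    p->used += n;
    return out;
}

static bool partition_contains(const partition_t *p, const void *ptr) {
    const uint8_t *q = ptr;
    return q >= p->base && q < p->base + p->size;
}

/* Two partitions: bytes that content controls (string/ArrayBuffer bodies)
 * versus objects whose fields are pointers and lengths. */
partition_t g_buffers, g_objects;
typedef struct { void (*vtable_like)(void); size_t length; } object_t;

/* True when a content buffer and an object land in different partitions. */
bool demo_separation(void) {
    if (!partition_init(&g_buffers, 1 << 20) ||
        !partition_init(&g_objects, 1 << 20)) return false;
    char *body = partition_alloc(&g_buffers, 32);        /* content-controlled bytes */
    object_t *obj = partition_alloc(&g_objects, sizeof *obj);
    if (!body || !obj) return false;
    memcpy(body, "constructed content", 20);             /* constructed sample data */
    return partition_contains(&g_buffers, body) && partition_contains(&g_objects, obj)
        && !partition_contains(&g_objects, body) && !partition_contains(&g_buffers, obj);
}
```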
Depends on: 1410132
Depends on: 1446466
OS: Linux → All
Hardware: x86_64 → All
Depends on: 1474659
Depends on: 1377999