1052575 - (heap-partitioning) [meta] store content-controlled buffers in a separate heap

Status: NEW

(Core :: Security, defect)

Description

[Benjamin Smedberg]

This is a tracking bug for a project to store content-controlled buffers such as strings, ArrayBuffer, network buffers, and other similar data in a heap separate from the normal C++ heap.

Links and prior art:
https://labs.mwrinfosecurity.com/blog/2014/06/20/isolated-heap-friends---object-allocation-hardening-in-web-browsers/
https://codereview.chromium.org/26196002
https://chromium.googlesource.com/chromium/blink/+/master/Source/wtf/PartitionAlloc.h

Comment 1

[Tom Ritter [:tjr] (OOTO until April)]

As we move this forward I wanted to point to the current partitions that Chromium has: https://chromium.googlesource.com/chromium/blink/+/master/Source/wtf/Partitions.h#127

The first target would be what they call the buffer partition - all Javascript objects that are near-entirely user controlled (strings, arrays, and any similar or synonymous types) would be segmented into a separate partition. Once that is done and baked we can determine what would be good future targets for this work.

Comment 2

[Tom Ritter [:tjr] (OOTO until April)]

Safari has (just) implemented Isolated Heaps for their DOM. Interestingly, they seem to have a separate Isolated Heap for every individual DOM type (which is very strong protection!) 

https://github.com/WebKit/webkit/commit/197cd32c3b5527e8c2bbe3fcb7d78cc993dd8904
https://bugs.webkit.org/show_bug.cgi?id=183546#c43
https://github.com/WebKit/webkit/blob/2e53890f18d9a44fa41607791efca2939aa3c7f7/Source/WTF/wtf/IsoMalloc.h
https://github.com/WebKit/webkit/blob/master/Source/bmalloc/bmalloc/IsoHeap.h
https://github.com/WebKit/webkit/blob/master/Source/bmalloc/bmalloc/IsoHeapInlines.h