grsecurity.net/how_autoslab_… nice article here. We're shipping, in iOS 15 and aligned releases, a protection with a very similar spirit. We call it kalloc_type(). Our impl has different characteristics, e.g. XNU has zone sequestering, so cross-zone attacks aren't a thing.
Based on the API name, I assume this isn't used for everything? It's not clear from the current blog (since the purpose was the security eval, not debugging or other aspects), but we get some nice properties out of having AUTOSLAB applied to everything:
We typically do not comment on future roadmaps so I won't go into details. But yes, unlike AUTOSLAB we rely on manual adoption and it isn't thorough yet, and covers zones (~= sub-page) for now. We are indeed type based, which gives us precise free sites (the free site pins types).
The first implementation of AUTOSLAB was type based too (wherever we could infer an lhs type from kmalloc, that is), resulting in about 9k autoslabs on Linux 5.4/amd64/allyes. Then we decided to see how far we could take it and went with the per call-site conversion :).

Aug 12, 2021 · 8:02 PM UTC