Ancestors

Toot

Written by Clathetic on 2024-11-18 at 12:51

Why don’t we use memory allocators like ASAN or afl-dislocator in everyday systems? Yes, they slow things down—but isn’t the trade-off for security worth it? With the sheer computing power we have today, could we afford to shift priorities? Or is performance still king?

=> More informations about this toot | More toots from clathetic@infosec.exchange

Descendants

Written by ~swapgs on 2024-11-18 at 13:05

@clathetic I think it's not that effective for the overhead on real workloads (ASAN alone needs in the ballpark of 2-3 times more memory), your system will panic on lot of non-security bugs while missing things that really matter like intra-object overflows, etc.

cc @hanno who ran a Gentoo with ASAN (https://archive.fosdem.org/2016/schedule/event/csafecode/attachments/slides/1131/export/events/attachments/csafecode/slides/1131/fosdem_gentoo_asan.pdf).

=> More informations about this toot | More toots from swapgs@infosec.exchange

Written by hanno on 2024-11-18 at 13:14

@swapgs @clathetic note the caveat in the related blogpost https://blog.hboeck.de/archives/879-Safer-use-of-C-code-running-Gentoo-with-Address-Sanitizer.html link to https://www.openwall.com/lists/oss-security/2016/02/17/9 tl;dr ASAN isn't made for production, introduces additional vulns. If you want to go down that path, you'd have to redesign a "safe ASAN" for production. Not impossible, but the ASAN we have ain't it.

=> More informations about this toot | More toots from hanno@mastodon.social

Written by Clathetic on 2024-11-18 at 13:59

@hanno @swapgs

you did it already? Really a nice read, thanks 🙂 So it's not only a performance problem

=> More informations about this toot | More toots from clathetic@infosec.exchange

Written by hanno on 2024-11-18 at 14:04

@clathetic @swapgs FWIW, it was certainly valuable, because it uncovered lots of bugs potentially leading to stability and security issues that have been fixed as a result. It would probably be valuable to do it again, just to find more bugs. But I basically gave up on the idea of deploying it for production after that oss-security post.

=> More informations about this toot | More toots from hanno@mastodon.social

Proxy Information

Original URL: gemini://mastogem.picasoft.net/thread/113504046439406726
Status Code: Success (20)
Meta: text/gemini
Capsule Response Time: 321.685063 milliseconds
Gemini-to-HTML Time: 0.901017 milliseconds

This content has been proxied by September (3851b).