The core of vm_kern is now kmem_{alloc,free,...}_guard, kmem_alloc, kernel_memory_allocate… are all wrappers around it.
It has 2 cool features… one is that we ported Sad Feng Shui to the kernel VM, by having more “pointer ranges”. When the allocation comes from kalloc_type_var, it uses types to determine the layout. For nameless allocations, it uses a seeded hash of the allocation backtrace.
Jun 7, 2022 • 5 tweets • 1 min read
[thread] Oh. By the way. iOS 16 is the time to pour one to good old friends that left.
I’ll add tweets as people find them.
And I’ll start with a freebie: the venerable voucher user data attribute, is no longer. I know it had already gone out of favor recently, but now it’s really entirely gone.
🍻 Let’s pour one to voucher user data🍻
Jun 5, 2022 • 6 tweets • 2 min read
I think I vastly disagree. From a defensive PoV, I know ideas aren’t “new”, but making them practical and shippable is actually at least as much work as coming up with the ideas if not more.
Commonly referred to as the “second 90% of the project”.
PGZ is a cool feature (Probabilistic Guard Zalloc) which has a mode to find out-of-bounds bugs passively github.com/apple-oss-dist…
It is a cute cheap thing that aligns zone chunks “rightward” and can slide the last allocation, followed by a guard page.
Mar 30, 2022 • 5 tweets • 2 min read
I’m not trying to mock them too hard either. but 20+% memory cost is not “low perf overhead”. I think the problem is that academia has decided that the goal is “shippable in products” which is IMO invalid.
The best products/shippable ideas are a refinement and …
… compromise and subtle balance between tons of ideas, by typically making them simpler in a way that academia would not accept (for example making a mitigation probabilistic with a less than 99.9% protection rate, or other “impure” simplifications)
...
Mar 13, 2022 • 4 tweets • 1 min read
🧵 15.2 aligned XNU had 2 really important memory safety mitigations.
The first one is the use of the read-only (PPL-protected) allocator, which has been used to protect the chain from current_thread() to the various creds and labels.
...
But really, I want to present an extremely elegant (I can say so because it wasn't my idea) memory safety mitigation in the heap that landed in that kernel.
A colleague of mine keeps saying well thought mitigations compose and reinforce each other…
Feb 2, 2022 • 4 tweets • 3 min read
@_saagarjha@Catfish_Man I do love C bashing but in this instance it's not a C issue. Most fancier data structures (and arrays count as "fancy" here) require external storage and in a kernel doing allocations is not a given and that makes them rare data structures.
@_saagarjha@Catfish_Man Concurrency similarly needs its objects (or the path to them) not to be relocated all the time which requires functional data structures and well you end up with lists fairly quickly.
Nov 29, 2021 • 5 tweets • 4 min read
@jsherma100@s1guza That was a really nice write up of the zone allocator work in passing Ty.
@jsherma100@s1guza Btw: zone_pva_t is 32 bits so that the metadata is 16 bytes per page (down from 24 in iOS 13) and that zone require inlines with LTO and do no stinkin’ multiplication (so that we can sprinkle it all over)
In general post exploitation mitigations are “bad” because they fight a lost battle. So you want to make sure that they do not introduce insane complexity or costs.
In the instance here per function aslr (I suppose…
@Gok@lazytyped … as I didn’t look at the implementation) requires for your functions to be page aligned so that you can relocate them. It will introduce padding and cost you wired memory, will possibly hurt inlining.
Nov 19, 2021 • 5 tweets • 1 min read
There’s an obvious simple reason why: context switches.
With more words. A weak CAS is an ll/sc. if you got context switched between an ldrex and strex well it’ll fail.
There’s a more fundamental reason which is that apple SOCs there’s a decrementer programmed to generate the equivalent of an SEV regularly. But even without that the context switch is reason enough. I wouldn’t even be surprised it the HW is allowed to do it for other reasons too
Aug 12, 2021 • 4 tweets • 2 min read
@spendergrsec We typically do not comment on future roadmaps so I won’t go in details. But yes unlike autoslab we rely on manual adoption and it isn’t thorough yet, and covers zones (~= sub-page) for now.
We are indeed type based which gives us precise free sites (the free site pins types)
@spendergrsec Overall from what I gather from autoslab we made significantly different choices in the details but it is completely the same spirit.
Eventually this will be Opensourced and I can’t wait to show our work :)
Jun 30, 2020 • 14 tweets • 3 min read
Today is dedicated to the last thread about obj-c optimizations...
IMP Caches, the crazy stuff: precomputing them (memory).
@mikeash / @AirspeedSwift's talk covers this. This structure holds Writeable runtime metadata for the classes to work at runtime. But only half of that 8-word structure was used commonly.
Jun 28, 2020 • 12 tweets • 3 min read
Here is to the last 2 years of optimizing the Obj-C Runtime for speed and memory. A great many deal of people were involved.
Some of it was covered already, and I will post several of these threads over the next few days.... and tonight we'll start with last year's work.
The Obj-C dynamic dispatch comes with many costs, this is common "knowledge". However the details of it are rarely known.
Beside the obvious cost of the h-lookup, it comes with 4 other kinds of costs:
- codegen size
- optimization barrier
- static metadate
- runtime metadata
Re the last discussions, dispatch_async() can be used for 3 different things:
(1) asynchronous state machines (onto the same queue hierarchy), which is a way to address C10k and is fast
(2) getting concurrency (a better pthread_create())
(3) parallelism (dispatch_apply()
(1) provided you use dispatch_async_f for the shortest things to avoid allocating blocks, dispatch is fast, and it's great almost whatever the size of your workitem (assuming you do something meaningful).
All is now live in Beta 6!