Exploring Grapheneos Secure Allocator: Hardened Malloc
Source: synacktiv.com (Tech story)
Key topics: Memory Safety, Allocator Security, GrapheneOS
The article explores GrapheneOS's Hardened Malloc, a secure memory allocator, sparking a discussion on its effectiveness and limitations in preventing memory safety bugs and remote execution attacks.
Snapshot generated from the HN discussion
Key moments
- Story posted: Sep 24, 2025 at 5:56 AM EDT
- First comment: Sep 24, 2025 at 11:48 AM EDT (6h after posting)
- Peak activity: 3 comments in the 8-10h window after posting
- Latest activity: Sep 25, 2025 at 11:02 AM EDT
HN item ID: 45358216 (story). Last synced: 11/20/2025, 1:42:01 PM
https://security.apple.com/blog/memory-integrity-enforcement...
I like how they demonstrated exactly how it impacts known exploits for example
https://docs.oracle.com/cd/E88353_01/html/E37843/malloc-3c.h...
- They impact performance.
- They don’t prevent the attacker from pivoting a memory safety bug to remote execution.
- They get oversold (like calling it “secure”).
That’s not to say there aren’t allocator mitigations that help. It’s just that this isn’t it. Quarantining for example just means the attacker has to do a bit more acrobatics, but it won’t stop them.
I think what Apple is doing with typed allocations is much more principled and they have data to prove it in their blog posts
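The quarantine point raised in the comment above, as an added illustration that is not part of the original thread and not hardened_malloc's own code (its real quarantine design is more involved than this): a toy fixed-size slab allocator with a naive LIFO free stack and an optional FIFO quarantine, using hypothetical slot counts. It shows that a quarantine does not remove the use-after-free; it changes how many extra frees the attacker must trigger before the stale address is handed out again, and whether a stale write lands in the freshly allocated object.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy slab allocator (hypothetical sizes): fixed-size slots, a LIFO free
 * stack as a naive allocator would use, and an optional FIFO quarantine
 * that holds freed slots back before they can be reused. */
#define SLOT_SIZE  32
#define NUM_SLOTS  16
#define QUARANTINE 4

typedef struct {
    uint8_t arena[NUM_SLOTS * SLOT_SIZE];
    int     free_stack[NUM_SLOTS];   /* reusable slot indices, most recent on top */
    size_t  free_top;
    int     quarantine[QUARANTINE];  /* freed, but not yet reusable (FIFO ring) */
    size_t  q_head, q_len;
    size_t  bump;                    /* next never-used slot */
    bool    use_quarantine;
} toy_heap;

void toy_init(toy_heap *h, bool use_quarantine) {
    memset(h, 0, sizeof *h);
    h->use_quarantine = use_quarantine;
}

/* The address the next toy_malloc() will return, without allocating. */
void *toy_peek(toy_heap *h) {
    if (h->free_top > 0)
        return h->arena + (size_t)h->free_stack[h->free_top - 1] * SLOT_SIZE;
    if (h->bump < NUM_SLOTS)
        return h->arena + h->bump * SLOT_SIZE;
    return NULL;
}

void *toy_malloc(toy_heap *h) {
    void *p = toy_peek(h);
    if (p == NULL) return NULL;
    if (h->free_top > 0) h->free_top--; else h->bump++;
    memset(p, 0, SLOT_SIZE);
    return p;
}

void toy_free(toy_heap *h, void *p) {
    int idx = (int)(((uint8_t *)p - h->arena) / SLOT_SIZE);
    if (!h->use_quarantine) {            /* naive: the slot is reusable at once */
        h->free_stack[h->free_top++] = idx;
        return;
    }
    if (h->q_len == QUARANTINE) {        /* quarantine full: the oldest entry leaves it */
        int oldest = h->quarantine[h->q_head];
        h->q_head = (h->q_head + 1) % QUARANTINE;
        h->q_len--;
        h->free_stack[h->free_top++] = oldest;
    }
    h->quarantine[(h->q_head + h->q_len) % QUARANTINE] = idx;
    h->q_len++;
}

/* Free a victim while keeping the dangling pointer, then count how many
 * further frees the attacker must trigger before the victim's address is
 * handed out again. Returns -1 if it never is within the budget. */
int frees_until_reuse(bool use_quarantine) {
    toy_heap h;
    void *others[8];
    toy_init(&h, use_quarantine);
    for (int i = 0; i < 8; i++) others[i] = toy_malloc(&h);
    void *victim = toy_malloc(&h);
    toy_free(&h, victim);
    for (int n = 0; n < 8; n++) {
        if (toy_peek(&h) == victim) return n;
        toy_free(&h, others[n]);         /* attacker frees more objects to flush the quarantine */
    }
    return -1;
}

/* Classic use-after-free: allocate, free, allocate again at the same size,
 * then write through the stale pointer. Did the write land in the new object? */
bool uaf_write_hits_new_object(bool use_quarantine) {
    toy_heap h;
    toy_init(&h, use_quarantine);
    uint8_t *victim = toy_malloc(&h);
    toy_free(&h, victim);
    uint8_t *fresh = toy_malloc(&h);     /* zero-filled by toy_malloc */
    victim[0] = 0x41;                    /* stale write through the dangling pointer */
    return fresh[0] == 0x41;
}

int main(void) {
    printf("naive:      reuse after %d extra frees, UAF hits new object: %d\n",
           frees_until_reuse(false), uaf_write_hits_new_object(false));
    printf("quarantine: reuse after %d extra frees, UAF hits new object: %d\n",
           frees_until_reuse(true), uaf_write_hits_new_object(true));
    return 0;
}
```

With the naive free stack the victim's address comes back on the very next allocation and the stale write corrupts the new object; with the quarantine the attacker first has to free QUARANTINE more objects of that size, which is the "acrobatics" the comment refers to, not a barrier.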
I'm confused. Isn't this potentially preventing some classes of memory-safety bugs?
This is one of the things that hardened malloc is doing (and is part of the post). Newer Pixels are shipping with MTE support, and GrapheneOS's malloc leverages MTE as much as possible.
[0]: https://security.apple.com/blog/towards-the-next-generation-...
[1]: https://security.apple.com/blog/what-if-we-had-sockpuppet-in...
Also, the idea described in Apple's article (never reuse allocated addresses for other types) cannot be easily implemented for any allocator. Consider a memory pipe (circular buffer), where one process pushes messages and another reads them. How do you implement Apple-style memory safety here? One of the ideas is, of course, to map the buffer multiple times so that every allocation returns a new virtual address, but how many syscalls would you need for that, and how badly would that impact performance?
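The "map the buffer multiple times" idea from the comment above, as an added Linux/POSIX example that is not from the thread or from any allocator: one page of a temporary file (tmpfile() is used here as the shared backing, an assumption for the demo) is mapped at n distinct virtual addresses, a message is written through the first view, and the function checks that every other view observes it. The return value is the number of mmap/munmap calls spent, so the per-alias cost the commenter worries about is visible directly.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_VIEWS 16

/* Map one page of the same backing object at n distinct virtual addresses,
 * write a message through the first view and verify every other view sees it.
 * Returns the number of mmap/munmap calls spent (2*n), or -1 on failure.
 * (Creating and truncating the backing file costs further syscalls; those
 * are not counted here.) */
int remap_n_times(int n) {
    if (n < 1 || n > MAX_VIEWS) return -1;
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *views[MAX_VIEWS];
    int calls = 0, mapped = 0, ok;

    FILE *backing = tmpfile();                    /* constructed backing: an unlinked temp file */
    if (backing == NULL) return -1;
    int fd = fileno(backing);
    if (ftruncate(fd, (off_t)page) != 0) { fclose(backing); return -1; }

    for (int i = 0; i < n; i++) {
        views[i] = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
        calls++;
        if (views[i] == MAP_FAILED) break;
        mapped++;
    }
    fclose(backing);                              /* the mappings outlive the descriptor */

    ok = (mapped == n);
    if (ok) {
        memcpy(views[0], "message", 8);           /* producer writes via one address */
        for (int i = 1; i < n && ok; i++)         /* every other alias must see it at a different address */
            ok = views[i] != views[0] && memcmp(views[i], "message", 8) == 0;
    }
    for (int i = 0; i < mapped; i++) { munmap(views[i], page); calls++; }
    return ok ? calls : -1;
}

int main(void) {
    for (int n = 1; n <= 4; n++)
        printf("%d view(s) of one page: %d mmap/munmap calls\n", n, remap_n_times(n));
    return 0;
}
```

Every fresh address costs one mmap and, eventually, one munmap, on top of the file setup; giving each message its own never-reused address in a hot ring buffer would pay that on the data path, which is the performance objection the comment raises.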