Paper notes: Type-based memory allocator hardening notes
Internet Explorer's new g_hIsolatedHeap mitigation is like a poor man's type-safe memory reuse implementation. "Poor man's" because, instead of real type safety, it specifies categories of "dangerous" objects that are placed on the isolated heap, so a freed object in one category can no longer be replaced by an attacker-shaped object from the default heap. An example of a full implementation of type-safe memory reuse is Cling, a heap manager that restricts memory reuse to same-type objects, so that a dangling pointer can only ever alias an object of the type it originally pointed to.
Of course Firefox’s frame poisoning (since 2010) also implements some type-safe memory reuse ideas.
By the way, the frame poisoning blog post referenced above does not cite Cling but a much earlier paper on type-safe memory reuse.
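As an added illustration (not code from this post, from Cling, or from Internet Explorer), here are two toy allocators for equal-sized objects in C: one with a single shared free list, which hands a freed slot straight back to whatever type is allocated next (the reuse primitive that turns a use-after-free into type confusion), and one that keys its free lists on a caller-supplied type tag, so a slot only ever comes back as the type it first held. The type tags, slot sizes and function names are illustrative assumptions; Cling itself infers the type from the allocation site rather than taking an explicit tag, and IE's isolated heap is coarser still, moving a whole category of objects to a separate heap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the post or any real allocator: slot size, slot
 * count and the numeric type tags below are illustrative assumptions. */
#define SLOT_SIZE 32
#define SLOT_COUNT 64
#define MAX_TYPES 8

typedef struct free_node { struct free_node *next; } free_node;

/* Allocator 1: one shared free list, type is ignored (classic behaviour). */
typedef struct {
    unsigned char arena[SLOT_COUNT * SLOT_SIZE];
    free_node *free_list;
} shared_heap;

static void shared_init(shared_heap *h) {
    h->free_list = NULL;
    for (size_t i = SLOT_COUNT; i > 0; i--) {   /* push slots in address order */
        free_node *n = (free_node *)(h->arena + (i - 1) * SLOT_SIZE);
        n->next = h->free_list;
        h->free_list = n;
    }
}

static void *shared_alloc(shared_heap *h) {
    free_node *n = h->free_list;            /* LIFO: last freed slot comes back first */
    if (!n) return NULL;
    h->free_list = n->next;
    return n;
}

static void shared_free(shared_heap *h, void *p) {
    free_node *n = p;
    n->next = h->free_list;
    h->free_list = n;
}

/* Allocator 2: one free list per type tag. A never-used slot may be handed to
 * any type, but once a slot has held type T it is only ever reissued as T. */
typedef struct {
    unsigned char arena[SLOT_COUNT * SLOT_SIZE];
    size_t next_fresh;                      /* index of the first never-used slot */
    free_node *free_list[MAX_TYPES];
} typed_heap;

static void typed_init(typed_heap *h) { memset(h, 0, sizeof *h); }

static void *typed_alloc(typed_heap *h, unsigned type) {
    if (type >= MAX_TYPES) return NULL;
    free_node *n = h->free_list[type];      /* reuse only from this type's list */
    if (n) { h->free_list[type] = n->next; return n; }
    if (h->next_fresh >= SLOT_COUNT) return NULL;
    return h->arena + (h->next_fresh++) * SLOT_SIZE;
}

static void typed_free(typed_heap *h, void *p, unsigned type) {
    if (type >= MAX_TYPES) return;
    free_node *n = p;
    n->next = h->free_list[type];
    h->free_list[type] = n;
}

/* Scenario: free a "victim" of type 0, then allocate a same-sized object of
 * type 1. If the two addresses coincide, the dangling pointer to the victim
 * now aliases the type-1 object, which is the use-after-free primitive. */
static bool shared_heap_reuses_across_types(void) {
    static shared_heap h;
    shared_init(&h);
    void *victim = shared_alloc(&h);        /* type 0 */
    shared_free(&h, victim);
    void *attacker = shared_alloc(&h);      /* type 1, same size */
    return victim == attacker;              /* true: slot reused across types */
}

static bool typed_heap_reuses_across_types(void) {
    static typed_heap h;
    typed_init(&h);
    void *victim = typed_alloc(&h, 0);
    typed_free(&h, victim, 0);
    void *attacker = typed_alloc(&h, 1);
    return victim == attacker;              /* false: slot reserved for type 0 */
}

static bool typed_heap_reuses_same_type(void) {
    static typed_heap h;
    typed_init(&h);
    void *a = typed_alloc(&h, 0);
    typed_free(&h, a, 0);
    void *b = typed_alloc(&h, 0);
    return a == b;                          /* true: same-type reuse still allowed */
}

int main(void) {
    printf("shared heap, cross-type reuse: %d\n", shared_heap_reuses_across_types());
    printf("typed heap,  cross-type reuse: %d\n", typed_heap_reuses_across_types());
    printf("typed heap,  same-type reuse:  %d\n", typed_heap_reuses_same_type());
    return 0;
}
```

Note what the segregated allocator does and does not buy: a dangling pointer can no longer alias an attacker-shaped object of a different type, but it can still alias a fresh object of the same type, so same-type reuse remains a (weaker) primitive, and in the isolated-heap variant anything not in a "dangerous" category still shares the default heap as before.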
Relevant Twitter link: https://twitter.com/_argp/statuses/498798680863145984