
Paper notes: Type-based memory allocator hardening notes

Internet Explorer’s new g_hIsolatedHeap mitigation is a poor man’s implementation of type-safe memory reuse: “poor man’s” because, instead of enforcing type safety across the whole heap, it singles out categories of “dangerous” objects and places them on the isolated heap. A full implementation of type-safe memory reuse is Cling, a heap manager that restricts reuse of freed memory to objects of the same type.

Of course Firefox’s frame poisoning (since 2010) also implements some type-safe memory reuse ideas.

Btw, the above frame poisoning blog post does not refer to Cling, but a much earlier paper on type-safe memory reuse.
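To make the two ideas concrete, here is a toy allocator written for these notes (it is not the code of IE’s isolated heap, Cling or Firefox, and the names `type_pool`, `pool_alloc`, `widget_t`, `label_t` and `POISON_BYTE` are made up). Each type gets its own pool, so a freed slot can only be handed back to an object of the same type; the pool also fills freed slots with a poison byte, in the spirit of frame poisoning, so a stale pointer reads a fixed pattern instead of a live object:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy type-segregated allocator with poison-on-free (constructed for this note;
 * not the code of IE's isolated heap, Cling or Firefox). Each type gets its own
 * pool, so a freed slot is only ever reused by an object of the same type, and
 * a dangling pointer therefore cannot alias a differently typed object. */

#define SLOT_SIZE   64      /* toy: one fixed slot size per pool */
#define POOL_SLOTS  8
#define POISON_BYTE 0x7f    /* frame-poisoning style fill written on free */

typedef struct {
    size_t        obj_size;
    unsigned char slots[POOL_SLOTS][SLOT_SIZE];
    int           free_list[POOL_SLOTS];   /* indices of freed slots, reused LIFO */
    int           nfree;
    int           next_unused;             /* bump index for never-used slots */
} type_pool;

int pool_init(type_pool *p, size_t obj_size) {
    if (obj_size > SLOT_SIZE) return -1;
    p->obj_size = obj_size;
    p->nfree = 0;
    p->next_unused = 0;
    return 0;
}

/* Hand out a slot from this pool only: a freed same-type slot first, else a fresh one */
void *pool_alloc(type_pool *p) {
    int idx;
    if (p->nfree > 0)                     idx = p->free_list[--p->nfree];
    else if (p->next_unused < POOL_SLOTS) idx = p->next_unused++;
    else                                  return NULL;   /* pool exhausted */
    memset(p->slots[idx], 0, SLOT_SIZE);
    return p->slots[idx];
}

/* Return a slot to its owning pool; pointers into another pool are refused */
int pool_free(type_pool *p, void *obj) {
    uintptr_t base = (uintptr_t)p->slots, q = (uintptr_t)obj;
    if (q < base || q >= base + POOL_SLOTS * SLOT_SIZE || (q - base) % SLOT_SIZE) return -1;
    memset(obj, POISON_BYTE, SLOT_SIZE);  /* stale reads now see 0x7f, not a live object */
    p->free_list[p->nfree++] = (int)((q - base) / SLOT_SIZE);
    return 0;
}

/* Two same-sized types, the usual ingredients of a UAF turned type confusion:
 * one carries a function pointer, the other carries caller-controlled bytes. */
typedef struct { uint32_t kind; void (*callback)(void); } widget_t;
typedef struct { uint32_t kind; char text[60]; }          label_t;

static void noop(void) {}

/* 1 if the freed widget slot is handed to a label: must be 0 with per-type pools */
int demo_cross_type_reuse(void) {
    type_pool widgets, labels;
    pool_init(&widgets, sizeof(widget_t));
    pool_init(&labels,  sizeof(label_t));
    widget_t *w = pool_alloc(&widgets);
    pool_free(&widgets, w);
    return pool_alloc(&labels) == (void *)w;
}

/* 1 if the freed slot goes to the next widget: same-type reuse is still allowed */
int demo_same_type_reuse(void) {
    type_pool widgets;
    pool_init(&widgets, sizeof(widget_t));
    widget_t *a = pool_alloc(&widgets);
    pool_free(&widgets, a);
    return pool_alloc(&widgets) == (void *)a;
}

/* 1 if every byte of the freed widget, function pointer included, reads as poison */
int demo_poison_after_free(void) {
    type_pool widgets;
    pool_init(&widgets, sizeof(widget_t));
    widget_t *w = pool_alloc(&widgets);
    w->kind = 1;
    w->callback = noop;
    pool_free(&widgets, w);
    const unsigned char *raw = (const unsigned char *)w;  /* stale view of the slot */
    for (size_t i = 0; i < sizeof(widget_t); i++)
        if (raw[i] != POISON_BYTE) return 0;
    return 1;
}

/* -1: freeing a widget through the label pool is rejected */
int demo_free_into_wrong_pool(void) {
    type_pool widgets, labels;
    pool_init(&widgets, sizeof(widget_t));
    pool_init(&labels,  sizeof(label_t));
    return pool_free(&labels, pool_alloc(&widgets));
}

int main(void) {
    printf("cross-type reuse %d, same-type reuse %d, poisoned %d, wrong-pool free %d\n",
           demo_cross_type_reuse(), demo_same_type_reuse(),
           demo_poison_after_free(), demo_free_into_wrong_pool());
    return 0;
}
```

The point of the two demo types is that they have the same size, which is exactly what a general-purpose allocator would happily overlap after a free; with one pool per type the freed `widget_t` slot can go to another `widget_t` but never to a `label_t`, and until it is reused a stale read returns only poison.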

Relevant Twitter link: