RobustHeap: using the heap to improve reliability and security

RobustHeap and DH (formerly DieHard) are memory allocators that include a number of features to provide tolerance or detection of memory errors related to out-of-bounds writes and use of dangling pointers.

Overview:

RobustHeap and DH (formerly DieHard) are memory allocators that include a number of features to provide tolerance or detection of memory errors related to out-of-bounds writes, use of dangling (already deleted) pointers, and indirectly, reads from uninitialized memory. RobustHeap and DieHard both rely on randomized object allocation; instead of being sequentially allocated and coalesced, objects are allocated at random from large memory areas, providing over-provisioning (extra space, which can tolerate overwrites) and security (object adjacencies cannot be predicted). Both heaps have a number of parameters designed to trade off between the foregoing and performance.

DH was developed externally by Emery Berger and is available for download both in source and object form. DieHard can be used to harden the Firefox browser and does not require any changes to the Firefox installation to use.

RobustHeap was developed for Microsoft internal use by Ted Hart and Ben Zorn as an experimental platform for increasing the robustness of Microsoft applications. RobustHeap has two primary usage scenarios:

  • Fault tolerant mode: RobustHeap can provide fault tolerance in applications where memory corruption errors would normally cause early program termination or incorrect results. With extra empty space between objects and random object reuse, buffer overrun errors and dangling pointer errors, which would often cause memory corruptions in a normal heap, have less impact in RobustHeap, and the impact can be reduced further by increasing the heap expansion factor.

  • Memory corruption detection: RobustHeap allows unused space in the heap to be filled with canaries that are checked periodically for corruptions. Because the heap is over-provisioned, a larger fraction of the heap contains canary values that will be detected if corrupted. Because objects are allocated and freed in random locations, checking canaries in adjacent objects provides a probabilistic scan of the heap at regular intervals.
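To make the two mechanisms above concrete, here is a small constructed allocator that illustrates them: one size class of slots, an over-provisioned region (an assumed expansion factor of 4), uniformly random slot selection on allocation, canary fill of every unused slot, canary refill on free, and both a full and a sampled canary scan. This is added example code, not the Microsoft RobustHeap or DieHard implementation; the slot size, object count and PRNG are assumptions chosen to keep the example short.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy allocator illustrating the RobustHeap ideas described on the page.
 * Not the Microsoft RobustHeap/DieHard code; all sizes below are assumed values. */

#define SLOT_BYTES   16                       /* one size class: 16-byte objects */
#define MAX_OBJECTS  16                       /* live objects the region is sized for */
#define EXPANSION    4                        /* heap expansion factor (over-provisioning) */
#define SLOTS        (MAX_OBJECTS * EXPANSION)
#define CANARY       0xA5                     /* fill byte for every unused slot */

static unsigned char heap[SLOTS * SLOT_BYTES];
static unsigned char in_use[SLOTS];
static int live = 0;
static uint32_t rng_state = 0x9E3779B9u;      /* fixed seed so the demo is repeatable */

static uint32_t rng_next(void) {              /* xorshift32: a stand-in for a real PRNG */
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return rng_state = x;
}

void toy_heap_init(void) {
    memset(heap, CANARY, sizeof heap);        /* all unused space starts out as canary */
    memset(in_use, 0, sizeof in_use);
    live = 0;
}

unsigned char *toy_ptr(int slot) { return heap + (size_t)slot * SLOT_BYTES; }

/* Randomized allocation: pick a uniformly random free slot rather than the next
 * sequential one, so object adjacency cannot be predicted. Returns -1 when full. */
int toy_alloc(void) {
    if (live == SLOTS) return -1;
    for (;;) {
        int idx = (int)(rng_next() % SLOTS);
        if (!in_use[idx]) { in_use[idx] = 1; live++; return idx; }
    }
}

/* Freed slots are refilled with canary so a later write through a dangling
 * pointer becomes visible to the scanner. */
void toy_free(int slot) {
    if (slot < 0 || slot >= SLOTS || !in_use[slot]) return;
    in_use[slot] = 0; live--;
    memset(toy_ptr(slot), CANARY, SLOT_BYTES);
}

static int slot_corrupted(int slot) {
    const unsigned char *p = toy_ptr(slot);
    for (int b = 0; b < SLOT_BYTES; b++) if (p[b] != CANARY) return 1;
    return 0;
}

/* Full scan of every free slot; returns how many had their canary damaged. */
int toy_check_all(void) {
    int bad = 0;
    for (int i = 0; i < SLOTS; i++) if (!in_use[i] && slot_corrupted(i)) bad++;
    return bad;
}

/* Periodic probabilistic check: inspect `samples` random slots, skipping live ones.
 * Since most of the over-provisioned region is canary, corruption is likely to be seen. */
int toy_check_sample(int samples) {
    int bad = 0;
    for (int s = 0; s < samples; s++) {
        int idx = (int)(rng_next() % SLOTS);
        if (!in_use[idx] && slot_corrupted(idx)) bad++;
    }
    return bad;
}

/* Fraction of the region currently holding canary bytes. */
double toy_canary_fraction(void) { return (double)(SLOTS - live) / SLOTS; }

int main(void) {
    toy_heap_init();
    int a = toy_alloc();
    memset(toy_ptr(a), 'A', SLOT_BYTES);              /* in-bounds use: nothing to report */
    printf("after in-bounds write: %d corrupt slots\n", toy_check_all());

    /* Simulated one-byte overrun into the neighbouring slot (constructed for the demo;
       the neighbour is free because only one object is live, so it holds canary). */
    int neighbour = (a + 1) % SLOTS;
    toy_ptr(neighbour)[0] = 'A';
    printf("after overrun: %d corrupt slots (%.0f%% of region is canary)\n",
           toy_check_all(), 100.0 * toy_canary_fraction());

    toy_heap_init();
    a = toy_alloc();
    toy_free(a);
    toy_ptr(a)[3] = 0;                                /* write through a dangling pointer */
    printf("after dangling write: %d corrupt slots\n", toy_check_all());
    return 0;
}
```

The design choice worth noting is that detection here never depends on metadata next to the object, as a canary-in-header scheme would; it depends on the statistical fact that with EXPANSION of 4 at least 75% of the region is canary at any time, so a stray write is far more likely to land on checkable space than on another live object. Raising EXPANSION raises that fraction at the cost of memory, which is the trade-off the page describes.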
