Hardened malloc() for FreeBSD

Is there a security oriented memory allocator for FreeBSD like GrapheneOS/Linux's Hardened_malloc library https://github.com/GrapheneOS/hardened_malloc or OpenBSD's Otto-malloc https://man.openbsd.org/malloc.3 where you can enable additional checks? I'd like to do additional hardening on some of my servers where I'm concerned about memory-based zero-days in software using libraries that are historically difficult to implement perfectly, like libexpat.
 
Have you tried using those other mallocs on FreeBSD? Generally, a malloc implementation runs portably. Whether the hardening part needs any kernel features is to be tried out.
 
See the jemalloc() manual page. Some hardening checks are available when jemalloc is built with --enable-debug, however this is disabled by default in production. You could recompile a development version of FreeBSD, but if your concern is your own application code, you should consider Clang's -fsanitize=address or something like Valgrind.
Is there a way to only enable those additional hardening options for some precompiled software from pkg? I don't think I need it everywhere, just a few worrisome areas like libexpat and some networked daemons.
 
Have you tried using those other mallocs on FreeBSD? Generally, a malloc implementation runs portably. Whether the hardening part needs any kernel features is to be tried out.
I did look into it, but HardenedMalloc used Linux-specific features. I suppose taking OpenBSD's malloc and trying to port that could work. I don't think I have the C skills yet to do that, though I could take a crack at it. Has anyone ported OttoMalloc to FreeBSD before?
 
Is there a way to only enable those additional hardening options for some precompiled software from pkg? I don't think I need it everywhere, just a few worrisome areas like libexpat and some networked daemons.

No, you need to recompile the system and all the ports to use the hardened malloc from jemalloc.

As others have said, you can recompile individual ports with a different malloc implementation. But if you're recompiling anyway, I'd recommend that you try clang's address sanitizer and tools like valgrind. If you're worried about libexpat and networked daemons, you might go a different route and try to sandbox them using Capsicum, but that will take significant development work.
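One way to start on the Capsicum route suggested above, as an added example that is not from this thread or from any FreeBSD project code: the parent opens the input with its normal privileges, and a forked worker limits that descriptor to read-only rights and enters capability mode before it parses anything. The newline counter stands in for libexpat so the example has no external dependency; the `#ifdef` fallback for non-FreeBSD hosts is an assumption of this example and does no sandboxing at all.

```c
#include <fcntl.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif
/* Limit fd to read-only rights and enter capability mode; afterwards the
 * worker cannot open files or sockets. Returns 1 if sandboxed, 0 when the
 * Capsicum calls are compiled out (non-FreeBSD host), -1 on error. */
static int enter_sandbox(int fd) {
#ifdef __FreeBSD__
    cap_rights_t rights;
    cap_rights_init(&rights, CAP_READ, CAP_FSTAT);
    if (cap_rights_limit(fd, &rights) < 0 || cap_enter() < 0) return -1;
    return 1;
#else
    (void)fd; return 0;
#endif
}
/* Stand-in for the real parser (e.g. libexpat): count newlines on fd. */
static long count_lines(int fd) {
    char buf[4096]; ssize_t n; long lines = 0;
    while ((n = read(fd, buf, sizeof buf)) > 0)
        for (ssize_t i = 0; i < n; i++) lines += (buf[i] == '\n');
    return n < 0 ? -1 : lines;
}
/* The parent keeps ambient authority: it opens the input, forks a worker that
 * sandboxes itself before parsing, and collects the result over a pipe. */
long sandboxed_line_count(const char *path) {
    int fd = open(path, O_RDONLY), pfd[2];
    if (fd < 0 || pipe(pfd) < 0) { if (fd >= 0) close(fd); return -1; }
    pid_t pid = fork();
    if (pid < 0) { close(fd); close(pfd[0]); close(pfd[1]); return -1; }
    if (pid == 0) {                               /* sandboxed worker */
        close(pfd[0]);
        long r = enter_sandbox(fd) < 0 ? -1 : count_lines(fd);
        (void)!write(pfd[1], &r, sizeof r);
        _exit(0);
    }
    close(pfd[1]); close(fd);                     /* parent */
    long r = -1; if (read(pfd[0], &r, sizeof r) != (ssize_t)sizeof r) r = -1;
    close(pfd[0]); waitpid(pid, NULL, 0); return r;
}
/* Constructed sample input (not real data) so the example runs offline. */
int write_sample(const char *path) {
    const char s[] = "<a>\n<b/>\n</a>\n";       /* three lines */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    ssize_t n = fd < 0 ? -1 : write(fd, s, sizeof s - 1);
    return (fd >= 0 && close(fd) == 0 && n == (ssize_t)(sizeof s - 1)) ? 0 : -1;
}
```

On FreeBSD the worker's `enter_sandbox` returns 1 and any attempt by the parser to `open()` a new path afterwards fails with ECAPMODE; the parent never enters capability mode, so it can keep accepting new inputs.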