# Hardening Overview
compatmalloc implements multiple layers of heap hardening, each targeting a different exploitation primitive. All hardening features are enabled by default through the hardened Cargo feature set and can be toggled individually.
## Feature flags

| Feature | Default | Description |
|---|---|---|
| `quarantine` | On | Delay memory reuse to detect use-after-free |
| `guard-pages` | On | Place inaccessible pages around allocations |
| `slot-randomization` | On | Randomize slot selection within size classes |
| `canaries` | On | Write canary bytes after allocations to detect overflows |
| `poison-on-free` | On | Fill freed memory with a poison pattern |
| `write-after-free-check` | On | Verify poison bytes on eviction from quarantine |
| `zero-on-free` | On | Zero memory after free (defense against information leaks) |
To build with all hardening (the default):

```sh
cargo build --release
```

To build with no hardening (passthrough performance baseline):

```sh
cargo build --release --no-default-features
```

To build with specific features:

```sh
cargo build --release --no-default-features --features quarantine,guard-pages
```
## Defense-in-depth model

The hardening features form layers that work together:

```text
Allocation request
        |
        v
[Slab allocator with per-CPU arenas]
        |
        +-- Slot randomization (unpredictable address)
        +-- Canary bytes (detect buffer overruns)
        +-- Out-of-band metadata (prevent metadata corruption)
        +-- Guard pages (hardware-enforced bounds)
        |
On free:
        |
        +-- Double-free detection (metadata flag check)
        +-- Poison fill (detect use-after-free reads)
        +-- Quarantine (delay reuse, detect stale writes)
        +-- Zero-on-free (clear sensitive data)
```
Each layer provides value independently, but their combination makes exploitation significantly more difficult. An attacker must simultaneously bypass:
- Canary validation to overflow without detection.
- Poison checking to write after free without detection.
- Quarantine delays to reclaim a specific address.
- Guard pages to overflow beyond the allocation region.
- Out-of-band metadata to corrupt heap management data.
- Slot randomization to predict allocation addresses.
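To make the free-side layers concrete, the following is an added toy model (not compatmalloc's code) of how canary checking, double-free detection, poison-on-free, quarantine and the write-after-free check on eviction fit together. Slot indices stand in for pointers so that a stale handle can be written through, and the constants, type names and quarantine depth are assumptions chosen for illustration.

```rust
use std::collections::VecDeque;

const CANARY: u8 = 0xC5;         // byte written just past the usable region (assumed value)
const POISON: u8 = 0xDE;         // fill pattern applied on free (assumed value)
const QUARANTINE_CAP: usize = 2; // freed slots held back before reuse (assumed depth)

#[derive(Debug, PartialEq, Eq)]
pub enum Fault { CanaryCorrupted(usize), DoubleFree(usize), WriteAfterFree(usize) }

struct Slot { bytes: Vec<u8>, freed: bool }

pub struct ToyHeap { slots: Vec<Slot>, quarantine: VecDeque<usize>, free_list: Vec<usize>, pub faults: Vec<Fault> }

impl ToyHeap {
    pub fn new() -> Self {
        ToyHeap { slots: vec![], quarantine: VecDeque::new(), free_list: vec![], faults: vec![] }
    }
    /// Hand out a slot handle (our stand-in for a pointer) with `size` usable bytes plus one canary byte.
    pub fn alloc(&mut self, size: usize) -> usize {
        let mut bytes = vec![0u8; size + 1];
        bytes[size] = CANARY;
        match self.free_list.pop() {
            Some(idx) => { self.slots[idx] = Slot { bytes, freed: false }; idx }
            None => { self.slots.push(Slot { bytes, freed: false }); self.slots.len() - 1 }
        }
    }
    /// Unchecked write; a stale handle behaves like a dangling pointer.
    pub fn write(&mut self, idx: usize, off: usize, val: u8) { self.slots[idx].bytes[off] = val; }
    pub fn free(&mut self, idx: usize) {
        let slot = &mut self.slots[idx];
        if slot.freed { self.faults.push(Fault::DoubleFree(idx)); return; }   // metadata flag check
        if *slot.bytes.last().unwrap() != CANARY { self.faults.push(Fault::CanaryCorrupted(idx)); }
        slot.freed = true;
        slot.bytes.fill(POISON);           // poison-on-free
        self.quarantine.push_back(idx);    // delay reuse
        if self.quarantine.len() > QUARANTINE_CAP {
            let old = self.quarantine.pop_front().unwrap();
            self.evict(old);
        }
    }
    /// Write-after-free check: the poison must be intact when a slot leaves quarantine.
    fn evict(&mut self, idx: usize) {
        let slot = &mut self.slots[idx];
        if slot.bytes.iter().any(|&b| b != POISON) { self.faults.push(Fault::WriteAfterFree(idx)); }
        slot.bytes.fill(0);                // zero-on-free before the slot becomes reusable
        self.free_list.push(idx);
    }
}
```

A one-byte overrun is reported at `free` via the canary, a stale write is reported only when the quarantine evicts the slot, and a second `free` of the same handle is reported immediately from the slot flag.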
## Per-feature documentation
- Use-After-Free Detection -- Quarantine and poison-based detection.
- Heap Metadata Protection -- Out-of-band metadata table.
- Stale Pointer Mitigation -- Delayed reuse through quarantine.
- Guard Pages -- Hardware-enforced memory boundaries.
- ARM Memory Tagging (MTE) -- Hardware memory tagging on ARM64 (replaces canaries, poison, and zero-on-free).