(feat): Add memfd secret based allocation (#16)

* (feat): Add memfd secret style allocation

* Fix error on compilation on non-linux targets

* Review changes: move to another file, add tests, add behind feature

* Review changes: alloc_ext deps in test, reorganize allocext

* Apply review suggestion

* Fuzz test findings- close fd when freeing

* Sanity check tests: add tests to probe changes in guard_pages, canary

* Add memfd secret bench

* Review: Add memzero on free, assert unprotected_size + fd <= PAGE_SIZE

* Review: Match memzero to only erase unprotected memory

* Remove/add lints for CI

* Missed file: Remove lint for CI

* Ignore incompatible tests on Windows CI

* Move malloc test to differnet files, allow lint for CI pass

* Move malloc test to different file

* Make Linux CI pass

Cargo.toml

@@ -4,10 +4,10 @@ version = "0.6.3"
 authors = ["quininer kel <[email protected]>"]
 description = "Rust implementation `libsodium/utils`."
 repository = "https://github.com/quininer/memsec"
-keywords = [ "protection", "memory", "secure" ]
+keywords = ["protection", "memory", "secure"]
 documentation = "https://docs.rs/memsec/"
 license = "MIT"
-categories = [ "no-std", "memory-management" ]
+categories = ["no-std", "memory-management"]
 edition = "2018"
 
 [badges]
@@ -22,14 +22,15 @@ libc = { version = "0.2", optional = true }
 
 [target.'cfg(windows)'.dependencies]
 windows-sys = { version = "0.45", default-features = false, features = [
-	"Win32_System_SystemInformation",
-	"Win32_System_Memory",
-	"Win32_Foundation",
-	"Win32_System_Diagnostics_Debug"
+    "Win32_System_SystemInformation",
+    "Win32_System_Memory",
+    "Win32_Foundation",
+    "Win32_System_Diagnostics_Debug",
 ], optional = true }
 
 [features]
-default = [ "use_os", "alloc" ]
+default = ["use_os", "alloc"]
 nightly = []
-use_os = [ "libc", "windows-sys" ]
-alloc = [ "getrandom", "use_os" ]
+use_os = ["libc", "windows-sys"]
+alloc = ["getrandom", "use_os"]
+alloc_ext = ["alloc"]

memsec-test/Cargo.toml

@@ -12,13 +12,17 @@ default-features = false
 [dev-dependencies]
 libc = "0.2"
 quickcheck = "1"
+procspawn = {version = "1.0.0", features = ["test-support"]}
 
 [target.'cfg(unix)'.dev-dependencies]
 libsodium-sys = { version = "0.2" }
 nix = "0.26"
+ipc-channel = "0.18.0"
+serde = "1.0.203"
 
 [features]
-default = [ "alloc", "use_os" ]
+default = [ "alloc", "use_os", "alloc_ext"]
 nightly = [ "memsec/nightly" ]
 use_os = [ "memsec/use_os" ]
 alloc = [ "memsec/alloc" ]
+alloc_ext = [ "memsec/alloc_ext", "use_os" ]

memsec-test/benches/malloc.rs

@@ -6,7 +6,6 @@ extern crate test;
 use std::ptr::NonNull;
 use test::Bencher;
 
-
 #[bench]
 fn memsec_malloc(b: &mut Bencher) {
     b.iter(|| unsafe {
@@ -15,6 +14,15 @@ fn memsec_malloc(b: &mut Bencher) {
     });
 }
 
+#[cfg(unix)]
+#[bench]
+fn memsec_memfd_secret(b: &mut Bencher) {
+    b.iter(|| unsafe {
+        let ptr: NonNull<[u8; 512]> = memsec::memfd_secret().unwrap();
+        memsec::free_memfd_secret(ptr);
+    });
+}
+
 #[cfg(unix)]
 #[bench]
 fn libsodium_malloc(b: &mut Bencher) {

memsec-test/benches/memcmp.rs

@@ -2,49 +2,40 @@
 
 extern crate test;
 
-use test::Bencher;
-use std::mem::size_of_val;
 use libc::c_void;
-
+use std::mem::size_of_val;
+use test::Bencher;
 
 #[bench]
 fn memsec_memeq_eq_bench(b: &mut Bencher) {
     let x: [u8; 1025] = [9; 1025];
     let y: [u8; 1025] = [9; 1025];
 
-    b.iter(|| unsafe {
-        memsec::memeq(x.as_ptr(), y.as_ptr(), size_of_val(&y))
-    });
+    b.iter(|| unsafe { memsec::memeq(x.as_ptr(), y.as_ptr(), size_of_val(&y)) });
 }
 
 #[bench]
 fn memsec_memeq_nq_bench(b: &mut Bencher) {
     let x: [u8; 1025] = [8; 1025];
     let z: [u8; 1025] = [3; 1025];
 
-    b.iter(|| unsafe {
-        memsec::memeq(x.as_ptr(), z.as_ptr(), size_of_val(&z))
-    });
+    b.iter(|| unsafe { memsec::memeq(x.as_ptr(), z.as_ptr(), size_of_val(&z)) });
 }
 
 #[bench]
 fn memsec_memcmp_eq_bench(b: &mut Bencher) {
     let x: [u8; 1025] = [9; 1025];
     let y: [u8; 1025] = [9; 1025];
 
-    b.iter(|| unsafe {
-        memsec::memcmp(x.as_ptr(), y.as_ptr(), size_of_val(&y))
-    });
+    b.iter(|| unsafe { memsec::memcmp(x.as_ptr(), y.as_ptr(), size_of_val(&y)) });
 }
 
 #[bench]
 fn memsec_memcmp_nq_bench(b: &mut Bencher) {
     let x: [u8; 1025] = [8; 1025];
     let z: [u8; 1025] = [3; 1025];
 
-    b.iter(|| unsafe {
-        memsec::memcmp(x.as_ptr(), z.as_ptr(), size_of_val(&z))
-    });
+    b.iter(|| unsafe { memsec::memcmp(x.as_ptr(), z.as_ptr(), size_of_val(&z)) });
 }
 
 #[cfg(unix)]
@@ -54,7 +45,11 @@ fn libsodium_memcmp_eq_bench(b: &mut Bencher) {
     let y: [u8; 1025] = [9; 1025];
 
     b.iter(|| unsafe {
-        libsodium_sys::sodium_memcmp(x.as_ptr() as *const _, y.as_ptr() as *const _, size_of_val(&y))
+        libsodium_sys::sodium_memcmp(
+            x.as_ptr() as *const _,
+            y.as_ptr() as *const _,
+            size_of_val(&y),
+        )
     });
 }
 
@@ -65,7 +60,11 @@ fn libsodium_memcmp_nq_bench(b: &mut Bencher) {
     let z: [u8; 1025] = [3; 1025];
 
     b.iter(|| unsafe {
-        libsodium_sys::sodium_memcmp(x.as_ptr() as *const _, z.as_ptr() as *const _, size_of_val(&z))
+        libsodium_sys::sodium_memcmp(
+            x.as_ptr() as *const _,
+            z.as_ptr() as *const _,
+            size_of_val(&z),
+        )
     });
 }
 
@@ -76,7 +75,11 @@ fn libsodium_compare_nq_bench(b: &mut Bencher) {
     let z: [u8; 1025] = [3; 1025];
 
     b.iter(|| unsafe {
-        libsodium_sys::sodium_compare(x.as_ptr() as *const _, z.as_ptr() as *const _, size_of_val(&z))
+        libsodium_sys::sodium_compare(
+            x.as_ptr() as *const _,
+            z.as_ptr() as *const _,
+            size_of_val(&z),
+        )
     });
 }
 
@@ -87,7 +90,11 @@ fn libsodium_compare_eq_bench(b: &mut Bencher) {
     let y: [u8; 1025] = [9; 1025];
 
     b.iter(|| unsafe {
-        libsodium_sys::sodium_compare(x.as_ptr() as *const _, y.as_ptr() as *const _, size_of_val(&y))
+        libsodium_sys::sodium_compare(
+            x.as_ptr() as *const _,
+            y.as_ptr() as *const _,
+            size_of_val(&y),
+        )
     });
 }
 
@@ -97,7 +104,11 @@ fn libc_memcmp_eq_bench(b: &mut Bencher) {
     let y: [u8; 1025] = [9; 1025];
 
     b.iter(|| unsafe {
-        libc::memcmp(x.as_ptr() as *const c_void, y.as_ptr() as *const c_void, size_of_val(&y))
+        libc::memcmp(
+            x.as_ptr() as *const c_void,
+            y.as_ptr() as *const c_void,
+            size_of_val(&y),
+        )
     });
 }
 
@@ -107,6 +118,10 @@ fn libc_memcmp_nq_bench(b: &mut Bencher) {
     let z: [u8; 1025] = [3; 1025];
 
     b.iter(|| unsafe {
-        libc::memcmp(x.as_ptr() as *const c_void, z.as_ptr() as *const c_void, size_of_val(&z))
+        libc::memcmp(
+            x.as_ptr() as *const c_void,
+            z.as_ptr() as *const c_void,
+            size_of_val(&z),
+        )
     });
 }

memsec-test/benches/memzero.rs

@@ -2,8 +2,8 @@
 
 extern crate test;
 
-use test::Bencher;
 use std::mem::size_of_val;
+use test::Bencher;
 
 #[bench]
 fn ptr_write_zeroed_bench(b: &mut Bencher) {
@@ -19,17 +19,13 @@ fn ptr_write_zeroed_bench(b: &mut Bencher) {
 fn memsec_memzero_bench(b: &mut Bencher) {
     let mut x: [u8; 1025] = [0; 1025];
 
-    b.iter(|| unsafe {
-        memsec::memzero(x.as_mut_ptr(), size_of_val(&x))
-    });
+    b.iter(|| unsafe { memsec::memzero(x.as_mut_ptr(), size_of_val(&x)) });
 }
 
 #[cfg(unix)]
 #[bench]
 fn libsodium_memzero_bench(b: &mut Bencher) {
     let mut x: [u8; 1025] = [0; 1025];
 
-    b.iter(|| unsafe {
-        libsodium_sys::sodium_memzero(x.as_mut_ptr() as *mut _, size_of_val(&x))
-    });
+    b.iter(|| unsafe { libsodium_sys::sodium_memzero(x.as_mut_ptr() as *mut _, size_of_val(&x)) });
 }