GrapheneOS's Hardened Malloc: A Deep Dive into its Security Enhancements

2025-09-24
GrapheneOS's hardened memory allocator, Hardened Malloc, employs multiple techniques to combat memory corruption vulnerabilities. It leverages ARM's Memory Tagging Extension (MTE) to detect out-of-bounds reads and writes, and use-after-free vulnerabilities. For devices lacking MTE support, Hardened Malloc utilizes canaries and randomly sized guard pages for enhanced security. Its unique double quarantine mechanism, using random replacement and FIFO queues, significantly increases the difficulty of use-after-free exploits. Hardened Malloc's clean design facilitates auditing and maintenance, providing GrapheneOS with a superior level of security.
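
The double quarantine described above can be modelled in a few lines of C. This is an added example, not code from Hardened Malloc or GrapheneOS: it shows a freed chunk passing first through a random-replacement array and then through a FIFO queue before it becomes reusable, and measures how many later frees each chunk waits. The slot counts, the xorshift64 generator (a stand-in for a CSPRNG) and the integer ids used as chunks are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define RANDOM_SLOTS 8 /* sizes assumed for illustration */
#define FIFO_SLOTS   8

struct quarantine {
    void *random[RANDOM_SLOTS]; /* stage 1: random replacement */
    void *fifo[FIFO_SLOTS];     /* stage 2: first in, first out */
    size_t fifo_head;           /* index of the oldest FIFO entry */
    uint64_t rng;               /* xorshift64 state; stand-in for a CSPRNG */
};

static uint64_t next_rand(struct quarantine *q) {
    q->rng ^= q->rng << 13; q->rng ^= q->rng >> 7; q->rng ^= q->rng << 17;
    return q->rng;
}

/* Quarantine p. Returns the chunk that leaves quarantine and becomes
 * reusable, or NULL while the quarantine is still filling up. */
static void *quarantine_free(struct quarantine *q, void *p) {
    size_t i = next_rand(q) % RANDOM_SLOTS;
    void *evicted = q->random[i];   /* a random earlier free is displaced */
    q->random[i] = p;
    if (evicted == NULL) return NULL;
    void *oldest = q->fifo[q->fifo_head];
    q->fifo[q->fifo_head] = evicted; /* displaced chunk joins the FIFO */
    q->fifo_head = (q->fifo_head + 1) % FIFO_SLOTS;
    return oldest;
}

/* Free n constructed chunks (chunk t is freed at step t); record reuse delays. */
static void simulate(uintptr_t n, uintptr_t *min_delay, uintptr_t *max_delay) {
    struct quarantine q = { .rng = 0x9E3779B97F4A7C15ull };
    *min_delay = UINTPTR_MAX; *max_delay = 0;
    for (uintptr_t t = 1; t <= n; t++) {
        void *out = quarantine_free(&q, (void *)t);
        if (out == NULL) continue;
        uintptr_t delay = t - (uintptr_t)out; /* frees between free and release */
        if (delay < *min_delay) *min_delay = delay;
        if (delay > *max_delay) *max_delay = delay;
    }
}

int main(void) {
    uintptr_t lo, hi;
    simulate(10000, &lo, &hi);
    printf("reuse delay: min %lu, max %lu frees\n", (unsigned long)lo, (unsigned long)hi);
    return 0;
}
```

In this model the FIFO stage guarantees a minimum delay of FIFO_SLOTS + 1 frees before a chunk can be handed out again, while the random stage makes the actual delay unpredictable.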
