Hi Shuai,
We use GWP-ASan on Chromium and Android because (low chance of catching a
bug) * (many many devices) == (good chance of catching all bugs
eventually). We consider GWP-ASan to be a bug detection tool, not a
security mitigation.
For software with lower user count, the best bet is to turn the sampling
rate up until you see an unacceptable performance overhead. When you're
raising the sampling rate, you should add some logging to check that the
pool isn't being constantly exhausted, in which case you'll need to bump
MaxSimultaneousAllocations (generally, raising them inversely linearly is a
conservative approach). So, SampleRate = 5000, MSA = 16 becomes SampleRate
= 2500, MSA = 32, etc.
Don't forget to consider how any crash reports from users would get back to
you :).
Hope that helps,
Mitch.
On Sat, Dec 25, 2021 at 3:25 AM Shuai Wang via llvm-dev <
llvm-dev at lists.llvm.org> wrote:
> Hello!
>
> I am tentatively exploring the usage of gwp-asan. From the documents, I
> got the impression that gwp-asan delivers extremely low cost with a
> certain degree of protection. That being said, the sampling rate is
> typically very low. In that sense, as a normal user, how should I
> understand the security protection capability of gwp-asan? And on which
> baseline? Also, suppose I want to use it to protect my software, what would
> be the best practice to tune the sampling rate?
>
> Thank you very much!
>
> Best,
> Shuai
> _______________________________________________
> LLVM Developers mailing list
> llvm-dev at lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
>
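The tuning advice in Mitch's reply (raise the sampling rate until overhead hurts, log whether the guard pool is constantly full, and bump MaxSimultaneousAllocations inversely with SampleRate) can be sanity-checked with a toy model. The following is an added example, not GWP-ASan's own code or anything from the thread. It assumes that each allocation is picked with probability 1/SampleRate, that a picked allocation holds one of MaxSimultaneousAllocations guard slots until it is freed and falls back to the normal allocator when no slot is free (the "pool exhausted" case), and that lifetimes, measured in subsequent allocation calls, are exponentially distributed with a constructed mean of 40,000 allocations. The function names, the parameter values and the device count are all constructed for illustration.

```python
"""Toy model of a sampled guarded-allocation pool, used to check the
SampleRate / MaxSimultaneousAllocations tuning rule from the mail.

Constructed example; this is not GWP-ASan's implementation. Assumptions:
  * every heap allocation is picked for guarding with probability 1/SampleRate;
  * a picked allocation occupies one of MaxSimultaneousAllocations guard slots
    until freed, and is served by the normal allocator (pool exhausted) when
    no slot is free;
  * lifetimes, in units of later allocation calls, are exponential with a
    chosen mean.
"""
import random
from dataclasses import dataclass


@dataclass
class PoolStats:
    sampled: int = 0      # allocations chosen for guarding
    guarded: int = 0      # ... that actually received a guard slot
    exhausted: int = 0    # ... that found the pool full (what the suggested logging counts)

    @property
    def exhausted_fraction(self) -> float:
        return self.exhausted / self.sampled if self.sampled else 0.0


def simulate_pool(sample_rate: int, max_simultaneous: int, n_allocs: int,
                  lifetime_mean: float, seed: int = 1) -> PoolStats:
    """Simulate n_allocs allocations and report how often the guard pool was full."""
    rng = random.Random(seed)
    stats = PoolStats()
    live: list[int] = []   # allocation index at which each occupied slot is freed
    t = 0
    while True:
        # Jump straight to the next sampled allocation (geometric gap, mean ~ sample_rate).
        t += 1 + int(rng.expovariate(1.0 / sample_rate))
        if t >= n_allocs:
            return stats
        live = [free_at for free_at in live if free_at > t]   # release freed slots
        stats.sampled += 1
        if len(live) >= max_simultaneous:
            stats.exhausted += 1
            continue
        stats.guarded += 1
        live.append(t + 1 + int(rng.expovariate(1.0 / lifetime_mean)))


def expected_occupancy(sample_rate: int, lifetime_mean: float) -> float:
    """Mean number of guard slots in use (Little's law: arrival rate x mean lifetime)."""
    return lifetime_mean / sample_rate


def tuning_ladder(sample_rate: int, max_simultaneous: int, steps: int) -> list[tuple[int, int]]:
    """The 'inversely linear' rule from the mail: halve SampleRate, double MSA."""
    ladder = [(sample_rate, max_simultaneous)]
    for _ in range(steps - 1):
        sample_rate //= 2
        max_simultaneous *= 2
        ladder.append((sample_rate, max_simultaneous))
    return ladder


def p_caught_at_least_once(p_per_device: float, devices: int) -> float:
    """Chance that at least one of `devices` independent runs guards the buggy allocation."""
    return 1.0 - (1.0 - p_per_device) ** devices


if __name__ == "__main__":
    N = 20_000_000          # constructed workload size
    LIFETIME = 40_000       # constructed mean allocation lifetime
    for rate, msa in [(5000, 16), (2500, 16), (2500, 32)]:
        s = simulate_pool(rate, msa, N, LIFETIME)
        print(f"SampleRate={rate:5d} MSA={msa:3d} "
              f"expected occupancy={expected_occupancy(rate, LIFETIME):5.1f} "
              f"sampled={s.sampled} exhausted={s.exhausted} ({s.exhausted_fraction:.1%})")
    print(tuning_ladder(5000, 16, 3))
    print(f"p(caught at least once), 1/5000 per device over 20000 devices: "
          f"{p_caught_at_least_once(1 / 5000, 20_000):.4f}")
```

Running it shows the effect the mail warns about: halving SampleRate from 5000 to 2500 while leaving MSA at 16 pushes expected occupancy to the pool size and a large share of sampled allocations are turned away, whereas doubling MSA to 32 at the same time brings exhaustion back to near zero. The `exhausted` counter is the number you would want to surface in your own logging while tuning; the last line is the "low chance times many devices" arithmetic from the first paragraph of the reply.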