Skip to content

Commit 3b81376

Browse files
nstilt1nstilt1
committed
added TODO.md
1 parent b4ea722 commit 3b81376

File tree

1 file changed

+32
-0
lines changed

1 file changed

+32
-0
lines changed

zeroize_stack/TODO.md

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,32 @@
1+
# TODO:
2+
3+
* Add support for async closures, possibly using a macro to define the functions if necessary. Use `futures::executor::block_on(f())` to poll the entire future completion inside the stack switched context, and avoid `.await` that yields control outside of the `on_stack()` boundary. Something like:
4+
5+
```rust
6+
pub unsafe fn exec_async_on_sanitized_stack<Fut, F, R>(
7+
stack: &mut [u8],
8+
f: F,
9+
) -> Result<R, Box<dyn std::any::Any + Send>>
10+
where
11+
F: FnOnce() -> Fut + UnwindSafe,
12+
Fut: Future<Output = R>,
13+
{
14+
let mut result = None;
15+
16+
on_stack(stack, || {
17+
result = Some(catch_unwind(AssertUnwindSafe(|| {
18+
// Block on the future inside the heap stack
19+
futures::executor::block_on(f())
20+
})));
21+
});
22+
23+
result.expect("Closure did not run")
24+
}
25+
```
26+
27+
* Handle unwinds better: currently we return a `Result<R, Box<dyn Any + Send>>`. The error case is a little bit tricky to handle, as dropping the error could cause a panic. The program should either panic, or return the panic payload's message.
28+
29+
* Use stacker crate to handle stack size management: if I read some of the `stacker` docs correctly, that crate should be able to extend the size of the stack when it is about to overflow. If that is correct, we could use their techniques to allocate a new stack and zeroize the old one whenever our allocated stack is about to overflow, eliminating the primary remaining `# Safety` comment. Note: we may not be able to zeroize the old stack immediately as the stack switching process likely attempts to return to the old stack once execution completes; we might have to wait until execution completes before zeroizing all heap-stacks.
30+
31+
* Add an `asm!` alternative method for stack bleaching. In theory, it would be better to use `asm!` as we would not need to worry about the size of the allocated switched stack, and it would keep all of the code running on the actual stack and not the heap, possibly preserving performance. The problem with this is that using pointers from `asm!` and rust code to zero the space between the pointers results in segmentation faults on `x86_64`.
32+
* when testing this, assert that the two pointers are not equal to each other and not null.

0 commit comments

Comments
 (0)