> It may also be viable as a security feature in some situations, not just
> a way of finding bugs. Depends on how far away the UAF is from the free
> call since one other free is all that's needed to lose reliable
> detection. It might work better with a FIFO ring buffer rather than the
> current fully randomized array (perhaps a mix? dunno).
The canary feature definitely works well as a security feature, since canaries + guard pages mean all heap overflows <= canary size are mitigated. They aren't caught right away with the canaries, but they can't hit anything else. I put together the UAF detection feature based on feedback on the canary feature, so I haven't had as much time to think about the security properties or ways to improve it. It works well, but it could probably work a lot better.
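As an added example (not the allocator's own code and not from either poster), here is a constructed C model of a delayed-free quarantine that verifies its fill pattern when a chunk leaves, run under both a FIFO ring and a fully randomized array. It shows the point made in the quoted reply: under the randomized policy a single unrelated free can already push the victim out and lose detection, while the FIFO ring catches the write for a fixed number of intervening frees. The quarantine size, the LCG and the 16-byte chunk are assumptions chosen for illustration.

```c
/* Constructed toy model (not the allocator's code) of a delayed-free quarantine with
 * fill checking: a freed chunk is filled with FILL and parked; the fill is re-checked
 * when the chunk leaves, catching any write made while it sat in quarantine. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
enum { QSIZE = 4, CHUNK = 16, FILL = 0xDA };  /* deliberately tiny quarantine (assumed) */

typedef struct { uint8_t buf[CHUNK]; } chunk_t;
typedef struct {
    chunk_t *slots[QSIZE]; size_t count, head; /* head = oldest entry (FIFO policy) */
    bool fifo; uint32_t seed;                  /* fifo=false: randomized slot; LCG state */
} quarantine_t;

static size_t pick_slot(quarantine_t *q) {   /* FIFO: oldest slot; random: top LCG bits */
    return q->fifo ? q->head : ((q->seed = q->seed * 0x9E3779B1u + 0x7F4A7C15u) >> 28) % QSIZE;
}

/* Park c; returns the chunk pushed out (NULL while filling); *dirty = its fill was altered. */
static chunk_t *q_free(quarantine_t *q, chunk_t *c, bool *dirty) {
    memset(c->buf, FILL, CHUNK); *dirty = false;
    if (q->count < QSIZE) { q->slots[q->count++] = c; return NULL; }
    size_t i = pick_slot(q);
    chunk_t *old = q->slots[i];
    for (size_t k = 0; k < CHUNK; k++) if (old->buf[k] != FILL) *dirty = true;
    q->slots[i] = c; if (q->fifo) q->head = (q->head + 1) % QSIZE;
    return old;
}

/* Free a victim into a full quarantine, let `others` unrelated frees happen, then write
 * through the dangling pointer. True if the write is caught when the victim leaves; if the
 * victim already left, nothing can check it (the model skips the write, not touching freed memory). */
static bool uaf_detected(bool fifo, uint32_t seed, unsigned others) {
    quarantine_t q = { .fifo = fifo, .seed = seed };
    bool dirty, caught = false;
    chunk_t *victim = malloc(sizeof *victim), *out;
    for (size_t i = 0; i < QSIZE; i++) free(q_free(&q, malloc(sizeof *out), &dirty));
    free(q_free(&q, victim, &dirty));
    for (unsigned n = 0; n < others + 4096u; n++) {
        if (n == others) victim->buf[0] = 'A';  /* the use-after-free write */
        out = q_free(&q, malloc(sizeof *out), &dirty);
        if (out == victim) { caught = dirty; free(out); break; }
        free(out);
    }
    for (size_t i = 0; i < q.count; i++) free(q.slots[i]);
    return caught;
}

/* Share of seeds for which the randomized policy still catches the write. */
static double random_detect_rate(unsigned others, unsigned runs) {
    unsigned hits = 0;
    for (uint32_t s = 1; s <= runs; s++) hits += uaf_detected(false, s, others);
    return (double)hits / runs;
}
```

With QSIZE slots the FIFO ring catches the write as long as fewer than QSIZE other frees intervene and misses it deterministically after that, whereas the randomized array already misses about one run in QSIZE after a single intervening free.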
