Understanding gwp-asan

Hello!

I am tentatively exploring the usage of gwp-asan. From the documents, I got the impression that gwp-asan delivers extremely low cost with protection to a certain degree. That said, the sampling rate is typically very low. In that sense, as a normal user, how should I understand the security protection capability of gwp-asan, and against which baseline? Also, suppose I want to use it to protect my software: what would be the best practice for tuning the sampling rate?

Thank you very much!

Best,
Shuai

Hi Shuai,

We use GWP-ASan on Chromium and Android because (low chance of catching a bug) * (many many devices) == (good chance of catching all bugs eventually). We consider GWP-ASan to be a bug detection tool, not a security mitigation.

For software with a lower user count, the best bet is to turn the sampling rate up until you see an unacceptable performance overhead. When you’re raising the sampling rate, you should add some logging to check that the pool isn’t being constantly exhausted, in which case you’ll need to bump MaxSimultaneousAllocations (generally, raising them inversely linearly is a conservative approach). So, SampleRate = 5000, MSA = 16 becomes SampleRate = 2500, MSA = 32, etc.

Don’t forget to consider how any crash reports from users would get back to you :).

Hope that helps,
Mitch.
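The tuning rule in the reply above (halve SampleRate, double MaxSimultaneousAllocations) can be checked with a small simulation. The following is an added example written for this page, not GWP-ASan's own code: it is a deliberately simplified model in which every allocation is selected with probability 1/SampleRate and a selected allocation holds one of MaxSimultaneousAllocations guarded slots until it is freed; a selected allocation that finds no free slot is the "pool exhausted" case. The workload (40,000 allocations live at once, FIFO lifetimes, two million allocations, fixed PRNG seed) is constructed for the demonstration. It runs the three configurations mentioned in the thread, 5000/16, 2500/16 and 2500/32, side by side.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed, simplified model of GWP-ASan's sampling (this is not the
 * compiler-rt implementation): every allocation is selected with probability
 * 1/SampleRate, and a selected allocation holds one of MaxSimultaneousAllocations
 * guarded slots until it is freed. When no slot is free the allocation goes to
 * the regular allocator unguarded, which is the "pool exhausted" case. */

struct sim_result {
    unsigned long sampled;    /* selected and placed in a guarded slot */
    unsigned long exhausted;  /* selected, but the pool was full */
    unsigned peak_occupancy;  /* most slots ever in use at once */
};

static uint64_t rng_state = 1;

/* xorshift64: a small deterministic PRNG so runs are reproducible. */
static uint64_t xorshift64(void)
{
    uint64_t x = rng_state;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    return rng_state = x;
}

/* live: number of heap allocations the program keeps alive at once
 * (modelled as FIFO: each new allocation retires the oldest one).
 * n_allocs: how many allocations to simulate. */
struct sim_result simulate(unsigned sample_rate, unsigned msa, unsigned live,
                           unsigned long n_allocs, uint64_t seed)
{
    struct sim_result r = {0, 0, 0};
    if (live == 0 || sample_rate == 0)
        return r;
    /* ring[i] == 1 if the live allocation at position i holds a guarded slot */
    unsigned char *ring = calloc(live, 1);
    unsigned in_use = 0;
    rng_state = seed ? seed : 1;

    for (unsigned long i = 0; i < n_allocs; i++) {
        unsigned pos = (unsigned)(i % live);
        if (ring[pos]) {          /* oldest allocation freed: release its slot */
            ring[pos] = 0;
            in_use--;
        }
        if (xorshift64() % sample_rate != 0)
            continue;             /* not selected: ordinary allocation */
        if (in_use < msa) {
            ring[pos] = 1;
            in_use++;
            r.sampled++;
            if (in_use > r.peak_occupancy)
                r.peak_occupancy = in_use;
        } else {
            r.exhausted++;        /* selected but left unguarded */
        }
    }
    free(ring);
    return r;
}

/* Fraction of selected allocations that found the pool full. */
double exhaustion_fraction(struct sim_result r)
{
    unsigned long selected = r.sampled + r.exhausted;
    return selected ? (double)r.exhausted / (double)selected : 0.0;
}

/* Steady-state expected slot occupancy: live / SampleRate. Scaling SampleRate
 * down and MSA up by the same factor keeps occupancy/MSA constant, which is
 * what the "inversely linear" rule of thumb preserves. */
double expected_occupancy(unsigned sample_rate, unsigned live)
{
    return (double)live / (double)sample_rate;
}

int main(void)
{
    const unsigned live = 40000;          /* constructed workload */
    const unsigned long n = 2000000UL;
    const unsigned cfg[][2] = {{5000, 16}, {2500, 16}, {2500, 32}};
    printf("%-10s %-4s %-10s %-8s %-9s %-5s\n",
           "SampleRate", "MSA", "expected", "sampled", "exhausted", "peak");
    for (size_t k = 0; k < sizeof cfg / sizeof cfg[0]; k++) {
        struct sim_result r = simulate(cfg[k][0], cfg[k][1], live, n, 42);
        printf("%-10u %-4u %-10.1f %-8lu %-9lu %-5u (%.1f%% lost)\n",
               cfg[k][0], cfg[k][1], expected_occupancy(cfg[k][0], live),
               r.sampled, r.exhausted, r.peak_occupancy,
               100.0 * exhaustion_fraction(r));
    }
    return 0;
}
```

With this workload the 5000/16 configuration keeps about eight slots busy on average and rarely exhausts the pool. Halving SampleRate to 2500 while leaving MSA at 16 doubles the demand to the pool's full size, and a noticeable share of selected allocations are silently left unguarded, which is exactly what Mitch's suggested logging is meant to surface. Doubling MSA to 32 at the same time restores the original occupancy ratio. In a real deployment the allocation count and lifetimes are not known in advance, which is why measuring exhaustion rather than computing it is the practical approach.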