MTE: Memory Tag Extension

References:

MTE aims to increase the memory safety of code written in unsafe languages without requiring source changes, and in some cases, without requiring recompilation.

MTE provides a mechanism to detect both main categories of memory safety violation (spatial & temporal). MTE assists the detection of potential vulnerabilities before deployment by increasing the effectiveness of testing and fuzzing. MTE also assists detection of vulnerabilities at scale after deployment.

  • Sequential safety violations where memory is accessed immediately before or after the true bounds can always be detected.
  • “Wild” violations to arbitrary locations in the address space can be detected probabilistically.

  • In dynamically linked systems, legacy code benefits from MTE for heap allocations without recompilation.

  • Application of MTE to the stack requires recompilation.

    • MTE assumes the stack pointer is trustworthy.
    • Combine MTE with Branch Target Identification (BTI) and Pointer Authentication Code (PAC) to reduce the probability that a gadget exists that would allow an attacker to take control of the stack pointer.
  • MTE and ARM Pointer Authentication tags use the same bit positions in the pointer.

MTE for Memory Safety

Lock and Key:

  • Locks on memory
    • 4 bits to each 16 bytes of physical memory.
    • Tag Granule.
  • Keys in pointers, checked on access.
    • Top Byte Ignore (TBI) on Armv8-A
    • When TBI is enabled, the top byte of a virtual address is ignored when using it as an input for address translation.
    • 4 bits of the top byte are used to provide the key.

As there are a limited number of tag bits available, it cannot be guaranteed that two memory allocations will have different tags for any specific execution.
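A software model of the lock-and-key scheme described above, added here as an illustration (it is not Arm's code and uses no real MTE instructions): one 4-bit lock per 16-byte granule, the key in bits 56..59 of a 64-bit pointer value, a check on every access, and an allocator that gives neighbouring allocations different tags so the sequential case is always caught. The heap size, tag rotation and bump allocator are assumptions of the model.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model of MTE lock-and-key: locks[] holds the tag stored with
 * each 16-byte granule; a "pointer" is a uint64_t whose low bits are a heap
 * offset and whose bits 56..59 (inside the TBI top byte) carry the key. */
#define GRANULE   16
#define HEAP_SIZE 256
#define NGRANULES (HEAP_SIZE / GRANULE)
#define TAG_SHIFT 56

static uint8_t  heap[HEAP_SIZE];
static uint8_t  locks[NGRANULES];   /* tag stored in memory, per granule */
static uint64_t brk_off  = 0;       /* bump allocator cursor, granule-aligned */
static uint8_t  next_tag = 1;       /* tags 1..15 are used; 0 marks free memory */

static uint8_t  key_of(uint64_t p)  { return (uint8_t)((p >> TAG_SHIFT) & 0xF); }
static uint64_t addr_of(uint64_t p) { return p & ~((uint64_t)0xFF << TAG_SHIFT); }

/* Allocate `size` bytes and return a tagged pointer (0 when out of memory).
 * The tag always differs from the preceding granule's tag, so an access one
 * byte past the allocation hits a different lock and is always detected. */
uint64_t mte_alloc(size_t size) {
    size_t gran = (size + GRANULE - 1) / GRANULE;
    if (gran == 0) gran = 1;
    if (brk_off / GRANULE + gran > NGRANULES) return 0;
    uint8_t prev = brk_off ? locks[brk_off / GRANULE - 1] : 0;
    uint8_t tag  = next_tag;
    if (tag == prev) tag = (uint8_t)(tag % 15 + 1);
    next_tag = (uint8_t)(tag % 15 + 1);
    for (size_t i = 0; i < gran; i++) locks[brk_off / GRANULE + i] = tag;
    uint64_t p = brk_off | ((uint64_t)tag << TAG_SHIFT);
    brk_off += gran * GRANULE;
    return p;
}

/* Tag-checked accesses: return 0 on success, -1 on a tag check fault. */
int mte_store(uint64_t p, uint8_t value) {
    uint64_t a = addr_of(p);
    if (a >= HEAP_SIZE || locks[a / GRANULE] != key_of(p)) return -1;
    heap[a] = value;
    return 0;
}
int mte_load(uint64_t p, uint8_t *out) {
    uint64_t a = addr_of(p);
    if (a >= HEAP_SIZE || locks[a / GRANULE] != key_of(p)) return -1;
    *out = heap[a];
    return 0;
}

/* Free: retag the allocation's granules to 0 so any stale pointer (key 1..15)
 * mismatches afterwards. The run of equal tags ends exactly at the next
 * allocation because neighbours never share a tag. */
void mte_free(uint64_t p) {
    uint64_t g = addr_of(p) / GRANULE;
    uint8_t tag = key_of(p);
    while (g < NGRANULES && locks[g] == tag) locks[g++] = 0;
}
```

Pointer arithmetic on the tagged value (`a + 31`) keeps the key, exactly as TBI lets the hardware ignore the top byte during translation while MTE still compares it.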

MTE implementation in the architecture

MTE adds a new memory type: Normal Tagged Memory.

  • Loads and stores to this new memory type perform an access where the tag present in the top byte of the address register is compared with the tag stored in memory.

Software support for MTE

  • [The Arm64 memory tagging extension in Linux]()

More

Created Jul 5, 2021 // Last Updated Feb 8, 2023
