[Fantasy🧚♂️Time⏰] MTE-Assisted Temporal Memory Safety Protection
ARM Memory Tagging Extension (MTE) is a security feature designed to mitigate common memory-related vulnerabilities by attaching metadata tags to both memory allocations and pointers. The principal feature of MTE is the validation of these tags: upon pointer dereference, the tag of the pointer is checked against the tag of the corresponding memory region. A match allows the operation to continue; a mismatch, however, signals a potential memory error and triggers an appropriate response such as an exception or a warning.
MTE can be used for providing temporal memory safety protection, particularly against use-after-free errors. When memory is freed, MTE assigns a zero tag to that region. Any subsequent dereference of pointers to this region is checked by MTE. If the tag is zero, indicating the memory has been freed, MTE triggers an exception, effectively detecting use-after-free errors. A limitation arises from the finite number of available tags. If tags are reused after exhaustion, MTE may fail to detect use-after-free errors because attacker can use the same tag to bypass MTE.Conversely, not reusing tags can lead to high memory overhead.
MarkUs is a Garbage Collection (GC)-based mechanism for temporal memory safety protection. It operates on the principle that most use-after-free errors stem from the use of dangling pointers. To prevent use-after-free errors, MarkUs ensures that memory regions referred to by dangling pointers are not reused. It achieves this through a quarantine list: when a pointer is freed, it is added to this list. Once the quarantine list reaches a certain size, MarkUs initiates a GC cycle. During GC, MarkUs scans from the stack and global regions, marking all accessible pointers. After the GC cycle, memory regions that are not marked—and hence not accessible—are freed. As a result, MarkUs effectively prevents the reuse of memory regions that dangling pointers reference. Although MarkUs exhibits relatively low performance and memory overhead, its practical use in real-world applications is limited and requires further improvement.
We propose a novel design that amalgamates the advantages of MTE and GC, termed TagGC. This design aims to minimize the overhead associated with GC-based UAF (Use-After-Free) defenses in two key ways. First, TagGC lessens the frequency of GC occurrences. Second, it reduces the cost associated with each GC cycle. The reduction in GC frequency is noteworthy; typically, a GC or memory scan is initiated once the quarantine list reaches a certain size. Importantly, if a heap chunk has available tags, it can be freed immediately rather than being placed in the quarantine list. This strategy decelerates the growth of the quarantine list, thereby diminishing the necessity for frequent GC cycles.
Conversely, MTE inherently contributes to reducing the cost of GC. Garbage Collection requires a recursive scan of the heap to identify all reachable objects. Utilizing MTE, however, renders dangling pointers inaccessible, thereby obviating the need for GC to scan the objects these pointers reference. This reduction in the scanning scope consequently diminishes the cost associated with GC.
- Post title：[Fantasy🧚♂️Time⏰] MTE-Assisted Temporal Memory Safety Protection
- Post author：Zheng Yu
- Create time：2023-11-09 14:39:57
- Post link：https://dataisland.org/2023/11/09/taggc/
- Copyright Notice：All articles in this blog are licensed under BY-NC-SA unless stating additionally.