Sticky Tags: Efficient and Deterministic Spatial Memory Error Mitigation using Persistent Memory Tags

Floris Gorter*, Taddeus Kroes, Herbert Bos, Cristiano Giuffrida

*Corresponding author for this work

Research output: Chapter in Book / Report / Conference proceeding, Conference contribution, Academic, peer-review

Abstract

Spatial memory errors such as buffer overflows still rank among the top vulnerabilities in C/C++ programs. Despite much research in the area, the performance overhead of (even partial) mitigations is still too high for practical adoption. To reduce the cost, recent solutions are shifting towards hardware-assisted techniques such as Arm's Memory Tagging Extension (MTE). Unfortunately, state-of-the-art MTE solutions incur high overhead due to frequent memory (re)tagging, especially on the stack. Moreover, they rely on the secrecy of random memory tags and offer probabilistic security guarantees.

In this paper, we first provide evidence that random tagging offers limited protection as attackers can deduce the memory tags by means of speculative probing. We then present StickyTags, a deterministic MTE solution that efficiently mitigates bounded spatial memory errors. By organizing the stack and heap layout into per-size-class regions, we can apply persistent memory tags to each region in a predetermined pattern. Hence, the memory tags need only be initialized once, after which they can be reused by objects of the same size class. This eliminates the need for costly memory retagging and allows for a fixed, round-robin assignment of the tags, surrounding every object with large implicit spatial guards. While the size of such guards is bounded by the 4-bit MTE entropy (16 tags), the protection is efficient and deterministic. Indeed, we show StickyTags significantly outperforms existing solutions with realistic runtime overheads for practical adoption (≤ 4% on SPEC CPU2006), while fully mitigating 7 out of 8 spatial CVEs evaluated by a recent probabilistic MTE solution.

Original language: English
Title of host publication: 2024 IEEE Symposium on Security and Privacy (SP)
Subtitle of host publication: [proceedings]
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 4239-4257
Number of pages: 19
ISBN (Electronic): 9798350331301
ISBN (Print): 9798350331318
Publication status: Published - 2024
Event: 45th IEEE Symposium on Security and Privacy, SP 2024 - San Francisco, United States
Duration: 20 May 2024 to 23 May 2024

Conference

Conference: 45th IEEE Symposium on Security and Privacy, SP 2024
Country/Territory: United States
City: San Francisco
Period: 20/05/24 to 23/05/24

Bibliographical note

Publisher Copyright:
© 2024 IEEE.

Keywords

  • buffer overflow
  • memory safety
  • memory tagging extension
  • MTE
