Abstract
Spatial memory errors such as buffer overflows still rank among the top vulnerabilities in C/C++ programs. Despite much research in the area, the performance overhead of (even partial) mitigations is still too high for practical adoption. To reduce the cost, recent solutions are shifting towards hardware-assisted techniques such as Arm's Memory Tagging Extension (MTE). Unfortunately, state-of-the-art MTE solutions incur high overhead due to frequent memory (re)tagging, especially on the stack. Moreover, they rely on the secrecy of random memory tags and offer probabilistic security guarantees.

In this paper, we first provide evidence that random tagging offers limited protection as attackers can deduce the memory tags by means of speculative probing. We then present StickyTags, a deterministic MTE solution that efficiently mitigates bounded spatial memory errors. By organizing the stack and heap layout into per-size-class regions, we can apply persistent memory tags to each region in a predetermined pattern. Hence, the memory tags need only be initialized once, after which they can be reused by objects of the same size class. This eliminates the need for costly memory retagging and allows for a fixed, round-robin assignment of the tags, surrounding every object with large implicit spatial guards. While the size of such guards is bounded by the 4-bit MTE entropy (16 tags), the protection is efficient and deterministic. Indeed, we show StickyTags significantly outperforms existing solutions with realistic runtime overheads for practical adoption (≤ 4% on SPEC CPU2006), while fully mitigating 7 out of 8 spatial CVEs evaluated by a recent probabilistic MTE solution.
Original language | English |
---|---|
Title of host publication | 2024 IEEE Symposium on Security and Privacy (SP) |
Subtitle of host publication | [proceedings] |
Publisher | Institute of Electrical and Electronics Engineers Inc. |
Pages | 4239-4257 |
Number of pages | 19 |
ISBN (Electronic) | 9798350331301 |
ISBN (Print) | 9798350331318 |
Publication status | Published - 2024 |
Event | 45th IEEE Symposium on Security and Privacy, SP 2024 - San Francisco, United States; Duration: 20 May 2024 → 23 May 2024 |
Conference
Conference | 45th IEEE Symposium on Security and Privacy, SP 2024 |
---|---|
Country/Territory | United States |
City | San Francisco |
Period | 20/05/24 → 23/05/24 |
Bibliographical note
Publisher Copyright: © 2024 IEEE.
Keywords
- buffer overflow
- memory safety
- memory tagging extension
- MTE