Generating and setting memory tags for each allocation will become an important responsibility of the malloc implementation for ARMv8.5 MTE. The existing Top Byte Ignore (TBI) was already usable for this use case, but required lots of instrumentation: arxiv.org/ftp/arxiv/pape.
Conversation
I have an issue tracking implementing this for my hardened allocator when the hardware becomes available:
github.com/AndroidHardeni
The instruction set extensions are public and support was merged in LLVM, but there would be no way to test a prototype implementation right now.
1
1
As long as the allocator implementation guarantees distinct tags for adjacent allocations, an overflow or underflow into an adjacent heap allocations is guaranteed to be detected. For other cases it would usually be a probabilistic mitigation based on 4-8 bit entropy random tags.
Replying to
Tagging can also work well for use-after-free detection. A tag value can be reserved the special case of marking free memory. The slab allocator could save the previous random tag in the freed slot and increment it (cyclically, and skipping adjacent tag values) for the next use.
1
1
There's a lot more to this than simply generating and storing a random tag for every allocation. It can easily provide deterministic mitigation against accesses into adjacent allocations and use-after-free for a limited # of free cycles. It's an extremely nice upcoming feature.
1