one of the most interesting things about this work is that it might be the gateway drug that finally leads to widespread deployment of real memory safety for C and C++
Quote Tweet
Adopting the Arm Memory Tagging Extension in Android security.googleblog.com/2019/08/adopti
I don't see how they have anything to do with real memory-safety. They're yet another, very good compared to past attempts, mechanism to catch a fairly large portion of memory errors.
He's saying that it paves the way for a much more complete memory safety implementation for C by providing efficient probabilistic detection for most of the bugs (and deterministic detection for a decent subset). Latent memory corruption is pervasive but this will kill it off.
It doesn't solve that a much more complete deterministic memory safety implementation for C will be very expensive. There are definitely use cases for tags beyond the obvious though. It provides a way of doing cheap 16 byte granularity guard pages and I can think of other uses.
Android is using automatic integer overflow checking to harden an increasingly large portion of the OS, but especially the media code, where it's almost completely deployed, has extensive use of arithmetic on u16, etc., where it gets promoted, bypasses checks, and is then truncated.
Something similar happens with a memory corruption mitigation, due to well-defined forms of overflows between fields within objects. Similarly if custom allocators, etc. are used, it can often end up neutering this because it often doesn't actually count as an undefined overflow.
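The u16 promotion problem from the reply above, as an added example that is not part of the thread: the unchecked function shows why an integer-overflow sanitizer sees nothing wrong, and the checked variant performs the addition in the destination width using the GCC/Clang `__builtin_add_overflow` builtin (all inputs are constructed).

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a media-style length computation on 16-bit fields.
 * Under C's usual arithmetic conversions both uint16_t operands are promoted
 * to int, so 'a + b' is an int addition that cannot overflow for 16-bit
 * inputs. An integer-overflow sanitizer instruments that int addition and
 * sees no overflow; the result is then silently truncated when it is stored
 * back into a uint16_t. */
uint16_t sum_u16_unchecked(uint16_t a, uint16_t b) {
    uint16_t total = a + b;   /* int addition, then implicit truncation */
    return total;
}

/* Hardened variant: the addition is evaluated at uint16_t width so the wrap
 * is detected rather than silently truncated. __builtin_add_overflow stores
 * the result in the type of its output operand and returns nonzero if the
 * mathematically correct sum did not fit. Returns -1 on overflow, otherwise
 * the sum in the range 0..65535. */
int sum_u16_checked(uint16_t a, uint16_t b) {
    uint16_t total;
    if (__builtin_add_overflow(a, b, &total))
        return -1;
    return total;
}

int main(void) {
    /* constructed inputs: the true sum is 0x10010, which does not fit in 16 bits */
    uint16_t a = 0xFFF0, b = 0x0020;
    printf("unchecked: 0x%04X (wrapped, no sanitizer report)\n",
           sum_u16_unchecked(a, b));
    int checked = sum_u16_checked(a, b);
    if (checked < 0)
        printf("checked: overflow detected, result rejected\n");
    else
        printf("checked: 0x%04X\n", checked);
    return 0;
}
```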