
One of the most interesting things about this work is that it might be the gateway drug that finally leads to widespread deployment of real memory safety for C and C++.
Quoting: Adopting the Arm Memory Tagging Extension in Android (security.googleblog.com/2019/08/adopti)
I don't see how they have anything to do with real memory-safety. They're yet another, very good compared to past attempts, mechanism to catch a fairly large portion of memory errors.
He's saying that it paves the way for a much more complete memory safety implementation for C by providing efficient probabilistic detection for most of the bugs (and deterministic detection for a decent subset). Latent memory corruption is pervasive but this will kill it off.
It doesn't solve that a much more complete deterministic memory safety implementation for C will be very expensive. There are definitely use cases for tags beyond the obvious though. It provides a way of doing cheap 16 byte granularity guard pages and I can think of other uses.
An additional barrier to a memory safety implementation for C is many undesirable things like some intra-object memory corruption are permitted. It's similar to how automatic integer overflow checking for C is rendered mostly useless for types smaller than int due to promotion.
Android is using automatic integer overflow checking to harden an increasingly large portion of the OS, but especially the media code where it's almost completely deployed has extensive use of arithmetic on u16, etc. where it gets promoted, bypasses checks, and then truncated.
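The promotion problem described in the two posts above, shown in C as an added example (not code from the thread or from the Android tree; the function names and the 300x300 frame-size figures are constructed for illustration). The first two functions are the shape that defeats `-fsanitize=unsigned-integer-overflow`: the operands are promoted to `int`, the `int` arithmetic cannot overflow for 16-bit inputs, and the truncation back to `uint16_t` on assignment is never checked. The last two show how to judge the overflow at the intended 16-bit width instead, either with the compiler's `__builtin_*_overflow` family, which checks against the destination type, or by computing in a wide type and range-checking before narrowing.

```c
/* Added example: why automatic integer-overflow checking in C misses
 * arithmetic on types narrower than int, and two ways to check at the
 * intended width.  Illustrative code, not from the Android media stack. */
#include <stdint.h>
#include <stdbool.h>
#include <limits.h>

/* As the compiler sees it: width and height are promoted to int, the
 * multiply is an int multiply that cannot overflow for 16-bit inputs, so
 * -fsanitize=unsigned-integer-overflow has nothing to report.  The result
 * is then silently truncated to 16 bits on the assignment. */
uint16_t frame_bytes_truncating(uint16_t width, uint16_t height) {
    uint16_t bytes = width * height;   /* 300 * 300 = 90000 becomes 24464 */
    return bytes;                      /* a buffer sized from this is too small */
}

/* Same promotion problem on addition: 65535 + 1 is 65536 as an int,
 * and 0 once it is stored back into a uint16_t; no check fires. */
uint16_t add_u16_truncating(uint16_t a, uint16_t b) {
    uint16_t sum = a + b;
    return sum;
}

/* Fix 1: __builtin_mul_overflow judges the infinite-precision product
 * against the *destination* type, so the overflow is detected at 16 bits
 * regardless of how the operands were promoted.  Returns true when the
 * product does not fit in uint16_t. */
bool frame_bytes_overflows(uint16_t width, uint16_t height) {
    uint16_t bytes;
    return __builtin_mul_overflow(width, height, &bytes);
}

/* Fix 2 (no builtin): do the arithmetic in a type wide enough to be exact
 * and range-check explicitly before narrowing.  Returns false and leaves
 * *out untouched when the product would not fit. */
bool frame_bytes_checked(uint16_t width, uint16_t height, uint16_t *out) {
    uint32_t wide = (uint32_t)width * (uint32_t)height;  /* exact for 16-bit inputs */
    if (wide > UINT16_MAX) return false;
    *out = (uint16_t)wide;
    return true;
}

/* Convenience wrapper so the checked path can be exercised without an
 * out-parameter: the product, or -1 if it does not fit in uint16_t. */
int32_t frame_bytes_or_minus1(uint16_t width, uint16_t height) {
    uint16_t out;
    return frame_bytes_checked(width, height, &out) ? (int32_t)out : -1;
}
```

The checked variants are the pattern to look for in review of u8/u16 arithmetic: any expression whose operands are narrower than `int` and whose result is stored back into the narrow type is invisible to the promoted-width sanitizer check, so the check has to be applied at the store, as `__builtin_*_overflow` does, or the narrowing has to be guarded by hand.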
I think tagging will help a lot by clearing out most of the latent memory corruption bugs. It's only going to catch inter-object corruption though, and I'd expect it only gets deployed in mainstream OSes for heap (malloc, primarily) in production, not stack variables or frames.
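To make the earlier points about tagging concrete (16-byte granules, a 4-bit tag in the pointer's top byte, inter-object detection but not intra-object), here is a small software model of an MTE-style tagged heap, written as an added example that is not part of the thread and is not real MTE or the Android allocator. Everything in it is constructed: a 64-granule static heap, a bump allocator, a shadow array holding one tag per granule, and a checked store that stands in for the hardware tag check. It assumes the host's user-space pointers have a zero top byte, so a tag can be parked there the way AArch64 top-byte-ignore allows.

```c
/* Added example: toy model of MTE-style memory tagging.  16-byte granules,
 * a 4-bit tag per granule kept in shadow memory, the same tag carried in
 * the pointer's top byte, and a check on every access.  Illustrative only. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define GRANULE    16
#define NGRANULES  64
#define TAG_SHIFT  56          /* assumption: top byte of a user pointer is free */
#define TAG_BITS   0xFULL      /* 4-bit tags, 16 possible values */

static uint8_t heap[NGRANULES * GRANULE];
static uint8_t granule_tag[NGRANULES];   /* shadow: one tag per 16-byte granule */
static size_t  bump;                     /* next unused granule (bump allocator) */
static uint8_t tag_counter = 1;

static uintptr_t with_tag(const void *p, uint8_t tag) {
    return (uintptr_t)p | ((uintptr_t)tag << TAG_SHIFT);
}
static uint8_t *strip_tag(uintptr_t tp) {
    return (uint8_t *)(tp & ~(TAG_BITS << TAG_SHIFT));
}
static uint8_t tag_of(uintptr_t tp) { return (uint8_t)((tp >> TAG_SHIFT) & TAG_BITS); }
static size_t granule_index(const uint8_t *p) { return (size_t)(p - heap) / GRANULE; }

/* Choose a tag different from `avoid`, so an allocation never shares a tag
 * with the granule just before it: a linear overflow into the next object
 * is then caught deterministically, not with the 1-in-16 odds of a random tag. */
static uint8_t fresh_tag(uint8_t avoid) {
    uint8_t t;
    do {
        t = tag_counter;
        tag_counter = (uint8_t)(tag_counter % 15 + 1);   /* cycle 1..15 */
    } while (t == avoid);
    return t;
}

/* Allocate `size` bytes rounded up to whole granules; tag them and the pointer. */
static uintptr_t mte_malloc(size_t size) {
    size_t n = (size + GRANULE - 1) / GRANULE;
    if (n == 0) n = 1;
    if (bump + n > NGRANULES) return 0;
    uint8_t prev = bump ? granule_tag[bump - 1] : 0;
    uint8_t tag = fresh_tag(prev);
    for (size_t i = 0; i < n; i++) granule_tag[bump + i] = tag;
    uint8_t *p = heap + bump * GRANULE;
    bump += n;
    return with_tag(p, tag);
}

/* Free: retag the granules so any stale pointer into them now mismatches. */
static void mte_free(uintptr_t tp, size_t size) {
    size_t n = (size + GRANULE - 1) / GRANULE;
    if (n == 0) n = 1;
    size_t g = granule_index(strip_tag(tp));
    uint8_t tag = fresh_tag(tag_of(tp));
    for (size_t i = 0; i < n; i++) granule_tag[g + i] = tag;
}

/* The check the hardware does on each access: pointer tag must equal the
 * tag of the granule being touched. */
static bool tag_check(uintptr_t tp, size_t off) {
    const uint8_t *addr = strip_tag(tp) + off;
    if (addr < heap || addr >= heap + sizeof heap) return false;
    return granule_tag[granule_index(addr)] == tag_of(tp);
}

/* Checked store; false stands in for the SIGSEGV a real tag fault raises. */
static bool mte_store(uintptr_t tp, size_t off, uint8_t v) {
    if (!tag_check(tp, off)) return false;
    strip_tag(tp)[off] = v;
    return true;
}

/* Scenario 1: linear overflow from one allocation into its neighbour is caught. */
bool overflow_into_neighbour_caught(void) {
    uintptr_t a = mte_malloc(16);
    uintptr_t b = mte_malloc(16);
    (void)b;
    return !mte_store(a, 16, 0x41);   /* a[16] is b's granule, different tag */
}

/* Scenario 2: overflow inside one object is NOT caught: think
 * struct { char name[8]; uint32_t is_admin; } in a single granule. */
bool intra_object_overflow_caught(void) {
    uintptr_t obj = mte_malloc(16);
    return !mte_store(obj, 8, 1);     /* name[8] overwrites is_admin, same tag */
}

/* Scenario 3: use after free is caught because free() retagged the granule. */
bool use_after_free_caught(void) {
    uintptr_t p = mte_malloc(32);
    mte_free(p, 32);
    return !mte_store(p, 0, 0x42);
}
```

The three scenarios line up with the thread's claims: the inter-object overflow and the use-after-free fault, while the intra-object write succeeds, because everything inside one allocation carries the same tag. With only 16 tag values, a wild or stale pointer that is not handled by the adjacent-tag exclusion still matches by chance one time in sixteen, which is the probabilistic part; the exclusion of the neighbour's tag at allocation time is what makes the linear-overflow case deterministic.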