Conversation

Just published a new research paper that analyzes the security properties of memory tagging as a vulnerability & exploit mitigation technology (cc

@JosephBialek

) We'd love to discuss & hear other perspectives :) Our TL;DR conclusions are below github.com/microsoft/MSRC

159

305

Replying to

and

For SC it really depends on what you decide to do with checks in the speculative path. To me MTE is not an isolation primitive, so the check can be "delayed" at retirement, in which case you don't gather much information from a SC

Replying to

and

Minor nit, you get 100% uaf for freed objects if you dedicate a tag to them. But really, as you mention, that primitive is basically useless

Replying to

and

Yeah, we mention that retagging on free or assigning a freed tag is an option, but we think it has poor cost/benefit tradeoff at this point

Replying to

and

Agreed. That primitive is basically useless and we also have software stuff that is good enough (zero on alloc)

Replying to

and

It's useful to prevent access once the memory has been recycled for other allocations though, so while setting a tag on free isn't very useful (if there's zero-on-free), the choice of tag for the next allocation is more important. Can do a lot to mitigate use-after-free with it.

4:23 AM · Mar 7, 2020Twitter Web App