Linux on 64-bit ARM is most commonly used with 4k pages and 3-level page tables. This results in a 39-bit address space rather than the full 64-bit address space. It's possible to use 4-level page tables and then you get a 48-bit address space like you typically have on x86_64.
Linux also supports using 16k and 64k pages as the smallest unit. You lose compatibility with normal 32-bit ARM code and other advantages of 4k pages. For security purposes, 4k pages are best for the most granular memory protection and reduced overhead for sparse memory usage.
It's nice to have the full 48-bit address for a lot of security features beyond just higher entropy ASLR. It's very useful for features based on shadow regions, quarantines, etc. ARMv8.3 pointer authentication uses spare bits so there's a conflict between it and other features.
ARMv8.4 brings memory tagging. It's another feature conflicting with pointer authentication, since it needs 4 bits for the pointer tags. It also needs address space. Pointer authentication really seems like a mistake. They really should have done hardware shadow stacks instead.
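As an added worked example (not code from anyone in the thread), the following script derives the numbers quoted above: the arm64 virtual-address width from the page granule and the number of translation levels (4K/3 levels gives 39 bits, 4K/4 levels gives 48), and how many bits of a 64-bit pointer remain for a pointer authentication code once the address is wider or the top byte is reserved for tags, which is the conflict between pointer authentication and memory tagging the thread describes. The function names are mine; the layout assumptions (a table is one page of 8-byte descriptors, the architectural cap of 48 bits without the 52-bit extension, bit 55 selecting the TTBR and being excluded from the PAC) follow the ARMv8 architecture, and the 52-bit variant is deliberately not modelled.

```python
# Added example, not from the thread: derive the arm64 virtual-address width
# from the page granule and number of translation levels, and show how much of
# a 64-bit pointer is left over for pointer authentication codes (PACs) once
# the top byte is reserved for tags, as memory tagging requires.

ARCH_MAX_VA_BITS = 48  # architectural maximum without the 52-bit extension


def offset_bits(granule: int) -> int:
    """Page-offset bits: log2 of the granule (granule is a power of two)."""
    return granule.bit_length() - 1


def level_bits(granule: int) -> int:
    """Bits resolved per level: one table is one page of 8-byte descriptors."""
    return offset_bits(granule) - 3


def va_bits(granule: int, levels: int) -> int:
    """Usable virtual-address width for a granule/levels combination.

    The top-level table is truncated so the total never exceeds 48 bits;
    the ARMv8.2 52-bit extension is not modelled here (assumption).
    """
    if granule not in (4096, 16384, 65536):
        raise ValueError("arm64 supports only 4K, 16K and 64K granules")
    if not 2 <= levels <= 4:
        raise ValueError("arm64 uses 2, 3 or 4 translation levels")
    return min(offset_bits(granule) + levels * level_bits(granule),
               ARCH_MAX_VA_BITS)


def pac_bits(va: int, top_byte_ignored: bool) -> int:
    """Bits available to a PAC above a `va`-bit address.

    Bit 55 selects the TTBR and is never part of the PAC. With TBI on (the
    top byte reserved, e.g. for the 4-bit memory tag) the PAC is confined to
    bits [54:va]; with TBI off it also gets bits [63:56].
    """
    if not 0 < va <= 55:
        raise ValueError("va width must fit below the TTBR select bit")
    pac = 55 - va
    if not top_byte_ignored:
        pac += 8
    return pac


def layout_summary() -> dict:
    """The configurations discussed in the thread, in one table."""
    configs = {
        "4K/3 levels": (4096, 3),
        "4K/4 levels": (4096, 4),
        "16K/3 levels": (16384, 3),
        "64K/2 levels": (65536, 2),
        "64K/3 levels": (65536, 3),
    }
    return {
        name: {
            "va_bits": va_bits(g, lv),
            "pac_bits_no_tbi": pac_bits(va_bits(g, lv), False),
            "pac_bits_with_tbi": pac_bits(va_bits(g, lv), True),
        }
        for name, (g, lv) in configs.items()
    }


if __name__ == "__main__":
    for name, info in layout_summary().items():
        print(f"{name:>13}: VA={info['va_bits']} bits, "
              f"PAC={info['pac_bits_no_tbi']} bits (TBI off) / "
              f"{info['pac_bits_with_tbi']} bits (TBI on)")
```

Running it makes the trade-off concrete: a 39-bit address space leaves 24 PAC bits (16 with the top byte reserved for tags), while the 48-bit address space that the other features want leaves only 15 (7 with tags). The PAC shrinks with every bit handed to the address or to the tag, which is why the thread treats the two as competing for the same spare bits.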
Android is already using software shadow stacks (which work better on arm64 than x86_64) and type-based CFI. Memory tagging could be used to mimic hardware shadow stack support with a reserved tag. Primary use case for pointer authentication is better done in a deterministic way.
Deterministic protections are so much nicer than probabilistic ones prone to bypasses through leaks and side channels. Nicest part of memory tagging is being able to reserve at least one tag for protected metadata and hardware canaries. Random tags are only a starting point.