Conversation

TIL: The most popular 64-bit architecture in the world has a small address space. Kills any hope of never reusing malloc addresses.

Quote Tweet

Daniel Micay

@DanielMicay

Mar 22, 2021

Replying to @DanielMicay @pcwalton and 2 others

On arm64, you typically only have a 39-bit address space although it can be 48-bit like x86_64. The kernel takes half so it's really 38-bit or 47-bit. 38-bit is already far too small to use hardened_malloc with the normal configuration. 47-bit is 128 TiB which isn't limitless.

Replying to

you get that sweet hardware memory tagging tho

Replying to

and

ARMv8.4 memory tagging is really sweet. It's currently only 4 bit so you only give up the top byte for it. It's ARMv8.3 pointer authentication that's super greedy for bits because you want as large of a signature as possible. With a 48-bit address space, not much room for that.

10:36 PM · Mar 22, 2021Twitter Web App

Replying to

and

I find memory tagging much more compelling because you can do strong deterministic mitigations. Can reserve a tag for free heap data, metadata, shadow stack, 16-byte granularity hardware canaries, etc. Choosing random tags is just a baseline. You can do a lot better than that.

Replying to

and

So, for example, choose a random tag for an allocation. On free, set it to the reserved tag. On allocation, increment the previous random tag and set it to that. Can get deterministic detection of use-after-free until it wraps all the way back around and reuses a previous tag.

Show replies