Conversation

TIL: The most popular 64-bit architecture in the world has a small address space. Kills any hope of never reusing malloc addresses.
Quote Tweet
Replying to @DanielMicay @pcwalton and 2 others
On arm64, you typically only have a 39-bit address space although it can be 48-bit like x86_64. The kernel takes half so it's really 38-bit or 47-bit. 38-bit is already far too small to use hardened_malloc with the normal configuration. 47-bit is 128 TiB which isn't limitless.
ARMv8.4 memory tagging is really sweet. It's currently only 4 bit so you only give up the top byte for it. It's ARMv8.3 pointer authentication that's super greedy for bits because you want as large a signature as possible. With a 48-bit address space, not much room for that.
I find memory tagging much more compelling because you can do strong deterministic mitigations. Can reserve a tag for free heap data, metadata, shadow stack, 16-byte granularity hardware canaries, etc. Choosing random tags is just a baseline. You can do a lot better than that.
So, for example, choose a random tag for an allocation. On free, set it to the reserved tag. On allocation, increment the previous random tag and set it to that. Can get deterministic detection of use-after-free until it wraps all the way back around and reuses a previous tag.
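The tag scheme sketched in the two replies above (4-bit tag in the top byte of the pointer; a reserved tag for free memory; a random tag on first use, then the previous tag plus one on each reuse, so a stale pointer only matches again once the tag wraps around) as a software model. This is an added example, not hardened_malloc code or anything from the thread: the hardware tag store and tag check are modelled by the `shadow_tag[]` array and `check_access()`, the random tag generator is a fixed-seed xorshift stand-in, and the slot layout, the second reserved tag for metadata and all function names are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Software model of memory-tagging style allocation tags (added example, not
 * a real allocator). A 4-bit tag lives in bits 59:56 of the pointer, so the
 * top byte is all that tagging costs; hardware keeps one tag per 16-byte
 * granule and faults on a load/store whose pointer tag differs from the
 * granule's tag. shadow_tag[] stands in for the hardware tag storage and
 * check_access() for the hardware check. */
_Static_assert(sizeof(uintptr_t) == 8, "model assumes 64-bit pointers");

#define TAG_SHIFT   56
#define TAG_MASK    ((uintptr_t)0xF)
#define ADDR_MASK   (~((uintptr_t)0xFF << TAG_SHIFT))   /* strip the top byte */
#define GRANULE     16
#define NSLOTS      32                /* one 16-byte slot per granule here */

/* Reserved tags never handed to a live allocation: a pointer carrying a live
 * tag therefore cannot touch free memory or allocator metadata (assumed split). */
#define TAG_FREE    0
#define TAG_META    1
#define TAG_FIRST   2                 /* user tags are TAG_FIRST..TAG_LAST */
#define TAG_LAST    15
#define NUSERTAGS   (TAG_LAST - TAG_FIRST + 1)   /* 14 */

static uint8_t shadow_tag[NSLOTS];    /* current tag of each granule */
static uint8_t prev_tag[NSLOTS];      /* last user tag of each slot, 0 = never used */

/* Stand-in for the hardware random tag generator; fixed seed for reproducibility. */
static uint32_t prng_state = 0x9E3779B9u;
static int random_user_tag(void) {
    prng_state ^= prng_state << 13;
    prng_state ^= prng_state >> 17;
    prng_state ^= prng_state << 5;
    return TAG_FIRST + (int)(prng_state % NUSERTAGS);
}

static uintptr_t make_ptr(int slot, int tag) {
    return ((uintptr_t)slot * GRANULE) | ((uintptr_t)tag << TAG_SHIFT);
}
static int ptr_tag(uintptr_t p)  { return (int)((p >> TAG_SHIFT) & TAG_MASK); }
static int ptr_slot(uintptr_t p) { return (int)((p & ADDR_MASK) / GRANULE); }

void reset_model(void) {
    for (int s = 0; s < NSLOTS; s++) shadow_tag[s] = prev_tag[s] = 0;
}

/* First use of a slot gets a random tag; every later life gets the previous
 * tag plus one, wrapping inside the user range. A stale pointer from an
 * earlier life therefore only matches again after NUSERTAGS reallocations. */
static int next_tag(int slot) {
    if (prev_tag[slot] == 0) return random_user_tag();
    int t = prev_tag[slot] + 1;
    return t > TAG_LAST ? TAG_FIRST : t;
}

uintptr_t tag_alloc(void) {
    for (int s = 0; s < NSLOTS; s++) {
        if (shadow_tag[s] != TAG_FREE) continue;
        int t = next_tag(s);
        shadow_tag[s] = (uint8_t)t;
        return make_ptr(s, t);
    }
    return 0;                          /* out of slots */
}

/* A free is only honoured through a pointer carrying the live tag, so a double
 * free or a free through a stale pointer is refused instead of corrupting state. */
bool tag_free(uintptr_t p) {
    int s = ptr_slot(p);
    if (s < 0 || s >= NSLOTS || shadow_tag[s] != ptr_tag(p)) return false;
    prev_tag[s] = shadow_tag[s];
    shadow_tag[s] = TAG_FREE;          /* freed memory gets the reserved tag */
    return true;
}

/* Model of the hardware check performed on every tagged load or store. */
bool check_access(uintptr_t p) {
    int s = ptr_slot(p);
    return s >= 0 && s < NSLOTS && shadow_tag[s] == ptr_tag(p);
}

/* Allocate, free, then reuse the same slot n times (the lowest free slot is
 * always the one just freed); report whether a use through the original,
 * stale pointer is still caught. With 14 user tags it is caught for n = 0..13
 * and missed at n = 14, when the incremented tag has wrapped back around. */
bool uaf_caught_after_reallocs(int n) {
    uintptr_t stale = tag_alloc();
    tag_free(stale);
    uintptr_t live = 0;
    for (int i = 0; i < n; i++) {
        if (live) tag_free(live);
        live = tag_alloc();
    }
    bool caught = !check_access(stale);
    if (live) tag_free(live);
    return caught;
}

int main(void) {
    reset_model();
    for (int n = 0; n <= NUSERTAGS; n++)
        printf("reallocations=%2d  stale use caught: %s\n", n,
               uaf_caught_after_reallocs(n) ? "yes" : "NO");
    return 0;
}
```

The point the model makes concrete: immediately after a free the stale pointer can never pass the check (its tag is a user tag, the granule's tag is the reserved free tag), and after a reuse it fails deterministically until the slot has been through all 14 user tags. Reserving tags for free data and metadata costs two of the sixteen values; the random starting tag only decides where in the ring a slot begins.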
Memory tagging is essentially an approximation of memory safety at a low level. Pointer authentication protects pointers from being forged which is a much different thing. It's limiting what an attacker can do with memory corruption, not directly preventing it from happening.
I do think pointer authentication is useful and look forward to using it but I think they could have done more compelling stuff instead. It gives you 5 keys for signing 5 classes of pointer + 64-bit context pairs. Signing (return address, stack frame location) is one use case.