Is it just me or does MTE fundamentally rely on pointer values being secret? Scenario: Attacker finds address of a dangling pointer, reads tag from it, then repeatedly allocates and deallocates objects in that spot until the tag matches.
My impression is that MTE is more for devs than for enhancing end-user security. It helps catch non-malicious buffer overflows early so they don't result in vulns in the wild.
It’s quite useful for end-user security—it’s not just faster ASAN. You don’t often (really ever) expose pointers to untrusted code, and applications should always try to prevent an attacker from retrying exploitation—i.e. don’t restart a process after it’s crashed multiple times.
quick check: MTE is "just" giving each allocation a random id that's stuffed in your pointer's high bits to ~prove no one is jumping out of their allocation to access someone else's memory, right?
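A toy model of what that description amounts to, added here and not written by anyone in the thread: a 4-bit tag in pointer bits 59:56 is compared against a per-16-byte-granule allocation tag on every load, covering both the dangling-pointer case from the top of the thread and the "jumping out of the allocation" case. The simulated heap, tag table and tag values are constructed for the example; real MTE does the check in hardware and the allocator chooses the tags.

```c
/* Toy model of MTE tag checking: an added illustration, not real hardware or a real allocator.
 * Real AArch64 MTE keeps a 4-bit tag in pointer bits 59:56 and tags memory in 16-byte granules;
 * the simulated heap, tag table and tag values below are constructed for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define GRANULE   16
#define HEAP_SIZE 256
#define TAG_SHIFT 56
#define TAG_MASK  0xFULL
static uint8_t heap[HEAP_SIZE];                  /* simulated memory */
static uint8_t granule_tag[HEAP_SIZE / GRANULE]; /* allocation tag per 16-byte granule */

static uint64_t set_tag(uint64_t addr, unsigned tag) {
    return (addr & ~(TAG_MASK << TAG_SHIFT)) | ((uint64_t)(tag & TAG_MASK) << TAG_SHIFT);
}
static unsigned get_tag(uint64_t p)   { return (unsigned)((p >> TAG_SHIFT) & TAG_MASK); }
static uint64_t strip_tag(uint64_t p) { return p & ~(TAG_MASK << TAG_SHIFT); }

/* "Allocate" size bytes at offset: colour every covered granule with tag (a real allocator
 * would pick the tag randomly) and return a pointer carrying the same tag. */
static uint64_t tagged_alloc(uint64_t offset, size_t size, unsigned tag) {
    for (size_t g = offset / GRANULE; g < (offset + size + GRANULE - 1) / GRANULE; g++)
        granule_tag[g] = (uint8_t)(tag & TAG_MASK);
    return set_tag(offset, tag);
}

/* Checked load: succeeds only if the pointer's tag equals the granule's allocation tag;
 * a mismatch is a tag-check fault (hardware would deliver SIGSEGV to the process). */
static bool checked_load(uint64_t p, uint8_t *out) {
    uint64_t addr = strip_tag(p);
    if (addr >= HEAP_SIZE || granule_tag[addr / GRANULE] != get_tag(p)) return false;
    *out = heap[addr];
    return true;
}

/* Use-after-free: the slot is reused with new_tag, the dangling pointer still carries old_tag.
 * Returns true when the access faults; with old_tag == new_tag (1 chance in 16) it does not. */
static bool uaf_is_detected(unsigned old_tag, unsigned new_tag) {
    uint64_t dangling = tagged_alloc(0, 32, old_tag);
    tagged_alloc(0, 32, new_tag); /* free + reallocate the same bytes */
    uint8_t v;
    return !checked_load(dangling, &v);
}

/* Linear overflow: reading one byte past a 16-byte object lands in a neighbour's granule. */
static bool oob_is_detected(void) {
    uint64_t a = tagged_alloc(64, 16, 3);
    tagged_alloc(80, 16, 4);      /* neighbour gets a different tag */
    uint8_t v;
    return checked_load(a, &v) && !checked_load(a + 16, &v);
}
```

Wherever checked_load returns false the hardware would raise a tag-check fault; whether the process is allowed to come back and retry after that fault is the policy point made in the reply above.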