New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
support ARMv8.5 memory tagging #42
Comments
Another example of a deterministic mitigation is reserving a tag value for freed memory and setting it on free. The slab allocator can also store the previous random tag in the freed slot and increment it (cyclically) for the next allocation in that slot instead of generating a fresh random tag. It just needs to skip past the values reserved for free memory and the adjacent allocations, similarly to how those would be rejected for a freshly generated random value. |
As said on matrix:
|
~ outline to perform initial testing
Create aarch64 VM (Can just be Arch Linux ARM) with virt-manager (for ease). Once VM is working, pass |
isoalloc recently added support for MTE. |
@jvoisin No, doesn't appear they did. They added software tagging based on TBI (Top Byte Ignore) which doesn't have checks for temporal or bounds issues in the code using it. It doesn't do very much. |
Generating the tags is going to require careful thought. Adjacent allocations should be guaranteed to have different tags, which could be approached by dedicating a bit to whether the slot is at an odd or even index (wasting entropy) or by generating a new random tag until there's no collision which requires a way to fetch the tags from the shadow region or wasting memory on metadata in the allocator.
The existing CSPRNG (ChaCha8 keystream with a small cache) is very efficient and will make generating these tags low overhead, but using a couple more bytes on every allocation will further increase the pressure to optimize it, especially alongside further slab allocation randomization beyond the existing slot selection randomization.
The text was updated successfully, but these errors were encountered: