DOI: 10.1145/3579856.3590331
Research article (open access)

Multi-Tag: A Hardware-Software Co-Design for Memory Safety based on Multi-Granular Memory Tagging

Published: 10 July 2023

    Abstract

    Memory safety vulnerabilities are a severe threat to modern computer systems, allowing adversaries to leak or modify security-critical data. To protect systems from this attack vector, full memory safety is required. As software-based countermeasures tend to induce significant runtime overheads, which are not acceptable for production code, hardware assistance is needed. Tagged memory architectures, e.g., those already offered by the ARM MTE and SPARC ADI extensions, assign meta-information to memory objects and thus allow memory safety policies to be implemented. However, due to the high tag collision probability caused by the small tag sizes, the protection guarantees of these schemes are limited.
    This paper presents Multi-Tag, the first hardware-software co-design utilizing a multi-granular tagging structure that provides strong protection against spatial and temporal memory safety violations. By combining object-granular memory tags with page-granular tags stored in the page table entries, Multi-Tag overcomes the limitation of small tag sizes. Introducing page-granular tags significantly enhances the probabilistic protection capabilities of memory tagging without increasing the memory overhead or the system's complexity. We develop a prototype implementation comprising a gem5 model of the tagged architecture, a Linux kernel extension, and an LLVM-based compiler toolchain. The simulated performance overhead for the SPEC CPU2017 and nbench-byte benchmarks highlights the practicability of our design.
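To make the abstract's argument concrete, the following is a constructed Monte Carlo model, added for this page and not the paper's design or code, of why a small object tag leaves a residual collision probability and how an additional page-granular tag narrows it. The 4-bit object tag, the 8-bit page tag, the pointer encoding and the allocation layout are all assumptions of the model.

```python
"""Constructed Monte Carlo model of memory tagging: object-granular tags alone
vs. object tags plus a page-granular tag. Not the Multi-Tag design or encoding."""
import random

OBJ_TAG_BITS = 4     # assumption: 4-bit object tags, the width ARM MTE uses
PAGE_TAG_BITS = 8    # assumption: width of the hypothetical page-granular tag
GRANULE, PAGE = 16, 4096
MEM_SIZE = 2 * PAGE

class TaggedMemory:
    """Tag store of the model: one object tag per granule, one tag per page."""

    def __init__(self, rng):
        self.rng = rng
        self.obj_tags = [0] * (MEM_SIZE // GRANULE)
        self.page_tags = [rng.getrandbits(PAGE_TAG_BITS)
                          for _ in range(MEM_SIZE // PAGE)]

    def allocate(self, base, length):
        """Colour an object's granules with a random tag; return its pointer."""
        tag = self.rng.getrandbits(OBJ_TAG_BITS)
        for g in range(base // GRANULE, (base + length - 1) // GRANULE + 1):
            self.obj_tags[g] = tag
        # Model assumption: a pointer carries both tags of its allocation.
        return base, tag, self.page_tags[base // PAGE]

    def access(self, ptr, offset, use_page_tag):
        """True if the access passes the object check (and the page check)."""
        base, tag, ptag = ptr
        addr = base + offset
        ok = self.obj_tags[addr // GRANULE] == tag
        if use_page_tag:
            ok = ok and self.page_tags[addr // PAGE] == ptag
        return ok

def undetected_rate(trials, cross_page, use_page_tag, seed=1):
    """Fraction of overflows into a neighbouring object that pass every check:
    the residual gap of a probabilistic tagging scheme."""
    rng = random.Random(seed)
    misses = 0
    for _ in range(trials):
        mem = TaggedMemory(rng)
        # Overflowing object ends either mid-page or exactly at a page boundary.
        obj_base = PAGE - 64 if cross_page else PAGE - 128
        ptr = mem.allocate(obj_base, 64)
        mem.allocate(obj_base + 64, 64)              # victim object right after it
        misses += mem.access(ptr, 64, use_page_tag)  # first granule past the end
    return misses / trials
```

In this model an intra-page overflow is caught at the object-tag rate of about 1/16 whether or not the page tag is checked, since the access never leaves the page; an overflow that crosses a page boundary additionally has to match the 8-bit page tag, so its undetected rate drops by a further factor of roughly 256.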


    Cited By

    • Memory Integrity Techniques for Memory-Unsafe Languages: A Survey. IEEE Access 12 (2024), 43201-43221. doi:10.1109/ACCESS.2024.3380478
    • Cryptographically Enforced Memory Safety. In Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security (15 November 2023), 889-903. doi:10.1145/3576915.3623138

          Published In

          ASIA CCS '23: Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security, July 2023, 1066 pages.
          ISBN: 9798400700989
          DOI: 10.1145/3579856
          This work is licensed under a Creative Commons Attribution International 4.0 License.

          Publisher

          Association for Computing Machinery, New York, NY, United States

          Author Tags

          1. Memory Safety
          2. Multi-Granular Tags
          3. Tagged Memory Architecture

          Qualifiers

          • Research-article
          • Research
          • Refereed limited

          Funding Sources

          • FFG AWARE
          • FFG SEIZE

          Conference

          ASIA CCS '23

          Acceptance Rates

          Overall Acceptance Rate 418 of 2,322 submissions, 18%

          Article Metrics

          • Downloads (last 12 months): 1,091
          • Downloads (last 6 weeks): 127
          Reflects downloads up to 12 Aug 2024
