Design and Implementation of flexible Hardware Support for Memory Safety in RISC-V inside the gem5 Simulator

Supervisor(s): Konrad Hohentanner, Lukas Auer
Status: finished
Topic: Others
Author: Lukas Hertel
Submission: 2023-08-15
Type of Thesis: Bachelor thesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching

Description

Programming errors in memory unsafe programming languages such as C and C++ pose a significant threat to computer systems. Return-oriented 
programming and similar exploitation techniques can enable attackers to gain substantial control over targeted devices.
Memory safety ensures protection against software bugs when dealing with memory accesses. Existing solutions provide memory safety for C/C++ in 
software, imposing major performance overheads of up to 100%. The Memory Tagging Extension (MTE) for ARM provides memory safety by making use of 
dedicated hardware, significantly reducing performance and memory overhead. To further investigate the benefits of memory tagging, we introduce a 
hardware extension to enable efficient memory safety for the RISC-V architecture. The main memory of the system is divided into equally sized 
blocks of memory, called granules, each of which is associated with a random tag. A tag is only a few bits long, allowing it to be stored in unused 
space of 64-bit pointers. On memory access, the tag in the pointer has to match the memory location's tag; if it does not, the memory operation is aborted.
To be able to compare different tagging schemes, our design imposes as few restrictions on the tag size, the granule size or the check logic as possible.
As proof-of-concept, we implement our approach in the gem5 CPU simulator by extending the RISC-V instruction set architecture (ISA). Additionally, 
we conduct evaluations by executing our own programs with inline assembly to verify its functionality and feasibility. 88% of the memory violations in 
selected tests from the Juliet Test Suite were detected. By executing the nbench-byte benchmark, a performance overhead of around 16% has been measured.
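A toy software model of the granule-and-tag check described above, added here as an illustration and not code from the thesis or from gem5: tag width and granule size are compile-time knobs (4-bit tags and 16-byte granules are assumed), and the 4 KiB address space and the two allocations are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed parameters: the design leaves tag size and granule size open,
 * so both are knobs here rather than fixed values from the thesis. */
#define TAG_BITS      4
#define GRANULE_SHIFT 4                        /* 16-byte granules */
#define MEM_SIZE      4096                     /* constructed toy address space */
#define N_GRANULES    (MEM_SIZE >> GRANULE_SHIFT)
#define TAG_SHIFT     (64 - TAG_BITS)          /* tag lives in the unused top pointer bits */
#define TAG_MASK      ((1ULL << TAG_BITS) - 1)
#define ADDR_MASK     ((1ULL << TAG_SHIFT) - 1)

static uint8_t granule_tag[N_GRANULES];        /* one tag per granule, as the hardware would hold */

/* Build a tagged pointer: address in the low bits, tag in the top TAG_BITS. */
uint64_t tag_ptr(uint64_t addr, unsigned tag) {
    return (addr & ADDR_MASK) | ((uint64_t)(tag & TAG_MASK) << TAG_SHIFT);
}
unsigned ptr_tag(uint64_t p)  { return (unsigned)(p >> TAG_SHIFT); }
uint64_t ptr_addr(uint64_t p) { return p & ADDR_MASK; }

/* Colour every granule overlapping [addr, addr+len) with one tag.
 * Freeing an allocation is simply recolouring it with a fresh tag. */
int set_tag(uint64_t addr, size_t len, unsigned tag) {
    if (len == 0 || addr + len > MEM_SIZE) return -1;
    for (uint64_t g = addr >> GRANULE_SHIFT; g <= (addr + len - 1) >> GRANULE_SHIFT; g++)
        granule_tag[g] = (uint8_t)(tag & TAG_MASK);
    return 0;
}

/* The check on the load/store path: every granule the access touches must
 * carry the pointer's tag. Returns 1 if allowed, 0 if the access would be
 * aborted (including any byte outside the tagged address space). */
int check_access(uint64_t p, size_t len) {
    uint64_t addr = ptr_addr(p);
    if (len == 0 || addr + len > MEM_SIZE) return 0;
    for (uint64_t g = addr >> GRANULE_SHIFT; g <= (addr + len - 1) >> GRANULE_SHIFT; g++)
        if (granule_tag[g] != ptr_tag(p)) return 0;
    return 1;
}

int main(void) {
    uint64_t buf = tag_ptr(0x100, 5); set_tag(0x100, 32, 5);   /* 32-byte allocation */
    set_tag(0x120, 16, 9);                                     /* adjacent allocation, other tag */
    printf("in-bounds store : %s\n", check_access(buf, 32) ? "ok" : "abort");
    printf("off-by-one read : %s\n", check_access(buf + 32, 1) ? "ok" : "abort");
    set_tag(0x100, 32, 6);                                     /* free() retags the granules */
    printf("use after free  : %s\n", check_access(buf, 8) ? "ok" : "abort");
    return 0;
}
```

Because pointer arithmetic on the low bits leaves the tag intact, the overflowing pointer still carries tag 5 and is caught when it lands on the neighbour's granule.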