Mitigating Temporal Memory Errors using Memory Tagging Extensions
Supervisor(s): | Marius Momeu |
Status: | finished |
Topic: | Others |
Author: | Patrick Barclay |
Submission: | 2024-09-16 |
Type of Thesis: | Bachelor's thesis |
Description: | Temporal memory errors, such as Use-After-Free (UAF), are a major vulnerability in memory-unsafe languages. This thesis focuses on mitigating UAF vulnerabilities by building upon the existing heap-hardening technique, Safeslab. Safeslab relies on a hardware extension called MPK on Intel CPUs to build an efficient address-aliasing approach. However, due to MPK’s functionality, Safeslab incurs high memory overhead, as well as performance overhead in worst-case scenarios, and adds complexity via mechanisms that involve expensive page table walks for manually managing access to some pages. Furthermore, Safeslab incurs a large number of false positives when scanning for dangling pointers. We remove this complexity by modifying Safeslab’s design to manage the access to aliases with finer granularity, allowing us to reduce memory overhead significantly. We achieve this by using the ARM Memory Tagging Extension (MTE) hardware feature to tag a slab with a different tag for each allocation. Furthermore, the redesign provides better cache behaviour, which is the main factor negatively impacting Safeslab’s performance. We also sign pointers via the ARM Pointer Authentication (PAC) hardware extension to reduce the number of false-positive dangling pointers by 100× in Apache. These design improvements achieve a geomean performance overhead of up to 3% and a worst-case overhead of 13%. |