Pointer Tagging for Memory Safety

Summary

Memory safety attacks continue to be prevalent on computer systems in use today, as large amounts of unsafe C/C++ code continue to provide attackers with a large supply of buffer overrun, use-after-free and type confusion bugs. This paper proposes a fundamental instruction set architecture change to combat memory safety problems. The ISA change is mostly transparent to application code and typically only requires a recompilation of the application to gain the security benefits. The change involves having the CPU hold two extra tag bits to the side of each piece of 64-bit data to denote whether the data holds a code/data pointer or not. By doing this, we can prevent attackers from using ‘data’ to corrupt ‘pointers’ and cause undesired damage. We believe the proposed architecture change enables stronger control flow protection than shadow stack (Intel CET) plus Control Flow Guard (CFG) with less performance overhead. Thus, this ISA change not only enhances security, but does so while improving performance.
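The following is an added illustration, not code from the paper, of why a per-word pointer tag stops data from standing in for a pointer. It assumes a simplified encoding (DATA=0, DATA_PTR=1, CODE_PTR=2) and the rule that ordinary data stores always produce DATA-tagged words while an indirect branch faults unless its target word is still tagged CODE_PTR; the paper's exact encoding and fault semantics are not given in the summary above.

```python
"""Toy model of a tagged-word memory (assumed semantics, not the paper's design)."""
from enum import IntEnum

class Tag(IntEnum):
    DATA = 0       # plain 64-bit data
    DATA_PTR = 1   # pointer to data
    CODE_PTR = 2   # pointer to code (e.g. a saved return address)

class TagFault(Exception):
    """Raised when a word is used as a pointer but is not tagged as one."""

class TaggedMemory:
    def __init__(self, words):
        # Each 64-bit word carries its own tag bits "to the side" of the value.
        self.cells = [(0, Tag.DATA) for _ in range(words)]

    def store(self, addr, value, tag=Tag.DATA):
        # Only pointer-producing operations pass a pointer tag; a plain data
        # store (e.g. memcpy of untrusted bytes) always leaves the word as DATA.
        self.cells[addr] = (value & (2**64 - 1), tag)

    def load(self, addr):
        return self.cells[addr]

    def branch_target(self, addr):
        # The tagged ISA checks the tag before an indirect jump/return.
        value, tag = self.cells[addr]
        if tag != Tag.CODE_PTR:
            raise TagFault(f"word {addr} used as code pointer but tagged {tag.name}")
        return value

def copy_data(mem, dst, payload):
    # Models an unchecked copy: no bounds check, every word written is DATA.
    for i, word in enumerate(payload):
        mem.store(dst + i, word)

def run_return(mem, buf, ret_slot, payload, tagged=True):
    """Place a saved return address, copy a payload into the buffer below it,
    then 'return'. Returns the jump target; raises TagFault on the tagged ISA
    if the copy overran into the return-address slot."""
    mem.store(ret_slot, 0x401000, Tag.CODE_PTR)   # legitimate return address
    copy_data(mem, buf, payload)                  # may overrun into ret_slot
    if tagged:
        return mem.branch_target(ret_slot)
    return mem.load(ret_slot)[0]                  # legacy ISA: value used blindly

if __name__ == "__main__":
    # Constructed layout: 4-word buffer at 0..3, saved return address at 4.
    print(hex(run_return(TaggedMemory(8), 0, 4, [1, 2, 3, 4])))           # in bounds
    print(hex(run_return(TaggedMemory(8), 0, 4, [1, 2, 3, 4, 7], tagged=False)))
    try:
        run_return(TaggedMemory(8), 0, 4, [1, 2, 3, 4, 7])                # overrun
    except TagFault as e:
        print("tagged ISA fault:", e)
```

On the legacy model the overrunning word is silently used as the return target; on the tagged model the same write leaves a DATA-tagged word where a CODE_PTR was expected, so the return faults instead of redirecting control.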
