ARM Memory Tagging: how it improves C/C++ memory safety (2018) [pdf]

https://llvm.org/devmtg/2018-10/slides/Serebryany-Stepanov-Tsyrklevich-Memory-Tagging-Slides-LLVM-2018.pdf

60•fanf2•10h ago

Comments

javierhonduco•10h ago

I am incredibly happy that Apple has added MTE support to the latest iPhones and perhaps the M5 chips as well (?). If that’s the case I don’t think any other personal computers have anything close to Apple machines in terms of memory safety and related topics (Secure Enclave etc).

Hope other vendors will ship MTE in their laptop and desktop chips soon enough. While I’m very positive about x86_64 adding support for this (ChkTag), it’ll definitely take a while…

In my opinion a worthwhile enough reason to upgrade but feels like a waste given my current devices work great.

abalone•9h ago

Not only does M5 have MTE, it has an "enhanced" version of it.

"We conducted a deep evaluation and research process to determine whether MTE, as designed, would meet our goals for hardware-assisted memory safety. Our analysis found that, when employed as a real-time defensive measure, the original Arm MTE release exhibited weaknesses that were unacceptable to us, and we worked with Arm to address these shortcomings in the new Enhanced Memory Tagging Extension (EMTE) specification, released in 2022."[1]

The enhancements add:[2]

* Canonical tag checking

* Reporting of all non-address bits on a fault

* Store-only Tag checking

* Memory tagging with Address tagging disabled

[1] https://security.apple.com/blog/memory-integrity-enforcement...

[2] https://developer.arm.com/documentation/109697/0100/Feature-...

commandersaki•8h ago

Do you know if macos has the changes needed to make use of MIE with M5? I assume that it has with iPadOS.

summa_tech•8h ago

It's MTE4. The "enhancements" mostly make it easier for Apple developers to hack XNU into continuing to operate with MTE.

astrange•5h ago

It's more like MTE was originally intended as a debugging tool (like ASan), and MTE4 makes it work as a security hardening measure.

contact9879•5h ago

do you have a citation for M5 having MTE?

astrange•5h ago

It does.

musicale•9h ago

Compiler/runtime support via clang and llvm should help I hope.

I'd like to get to the point where web browsers (for example) always run with memory-safe compilation and runtime features on every platform. OS kernels would be nice as well.

It will be nice to see more OSes ship with memory safety on by default for everything. Maybe OpenBSD is next?

throwawaymaths•7h ago

sel4 ships with memory safety on by default.

accelbred•2h ago

Pixels with GrapheneOS also use MTE for security hardening

a-dub•9h ago

wouldn't it be like a crime against the crown to not have a cheri like thing in arm?

commandersaki•8h ago

I always see cheri brought up and admittedly I know very little about it, except that the ergonomics appear poor requiring twice the storage for each pointer and ground up rearchitecting of the OS, making it quite unappealing from an engineering standpoint.

wahern•4h ago

FreeBSD, kernel and base, was ported to CHERI, along with PostgreSQL.

> We have adapted a complete C, C++, and assembly-language software stack, including the opensource FreeBSD OS (nearly 800 UNIX programs and more than 200 libraries including OpenSSH, OpenSSL, and bsnmpd) and PostgreSQL database, to employ ubiquitous capability-based pointer and virtual-address protection.

Most programs didn't require any changes at all. Even most pointer-integer-pointer conversions can be automatically handled by the toolchain and runtime. See https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/201904...

commandersaki•1h ago

Sounds good for a clean slate but you couldn't seamlessly transition to it, which is why I said it was unappealing.

checker659•2h ago

> making it quite unappealing from an engineering standpoint

The other option being rewriting everything under the sun from scratch.

commandersaki•2h ago

Um, there's also Memory Tagging which is the topic of this post.

Apple's implemented it as part of the umbrella MIE and eliminates a class of bugs, at least on the surface of their own software, and allows for incremental adoption and doesn't break compatibility with older binaries.

astrange•59m ago

MTE (and PAC before it) store some metadata in previously unused pointer bits, so there are potential issues if you were already using those for something else.

Oh and if your program has memory bugs then you have to fix them of course.

qwertyuiop_•9h ago

Intel / AMD bringing this to x86 soon.

https://community.intel.com/t5/Blogs/Tech-Innovation/open-in...

tempaccount420•8h ago

Sooo, less reasons (more excuses) for people to move from C++ to Rust?

1718627440•8h ago

Honestly it feels at the right abstraction layer too. With Rust you rely on correctness in translation, it is much better to have defense in depth than in breadth.

kibwen•5h ago

Rust is already part of defense-in-depth. Despite its memory safety, Rust still turns on ASLR, guard pages, stack probes, etc.

dagmx•6h ago

If you don’t mind moving the whole issue to runtime, then sure. The value of rust is that you catch these issues at compile time so you’re not releasing these sorts of bugs in the first place and aren’t reliant on the capabilities of the users machine to catch it for you.

rustdebacletime•1h ago

There are some caveats to that. If types like RefCell, Rc or Arc in Rust are used, there is runtime overhead. And if unsafe is used, as is often necessary for efficiency, there are no longer memory safety guarantees [0]. And the memory safety guarantees also do not hold when #![no_std] is used.

That unsafe is harder than C and C++, as many in the Rust community agrees with, only worsens the issue. Topics like pinning are also considered difficult to teach [1].

[0]: https://materialize.com/blog/rust-concurrency-bug-unbounded-...

[1]: https://lwn.net/Articles/1030517/ "Pinning continues to be the most difficult aspect of Rust to understand"

e-dant•4h ago

It disappoints me to see hardware compensate for the failures of software. We should have done better.

Panzerschrek•1h ago

I agree. The underlying hardware should be as simple as needed and thus be cheap and consume little power. Fixing bad software practices (like using an unsafe language) via hardware hacks is a terrible mistake.

amazingman•25m ago

On the contrary, fixing pervasive and increasingly costly ecosystem issues in hardware is exactly the kind of innovation we need.

amazingman•30m ago

How could we have done better without first knowing better?

Pembatalan Transaksi (Kredivo)

Membatalkan Pnjaman Kredivo

Humans have an internal lunar clock – but light pollution is disrupting it

Passively capture, archive, and hoard your web browsing history

Show HN: I created an app that organise your thoughts

YouTube AI Filter Is Making My Videos Dangerous to Watch[video]

Shield AI unveils AI piloted VTOL stealth drone

Principles for Global Online Meetings

Show HN: I built an SDK to select the best model for your task

66 million-year-old dinosaur ‘mummy’ skin was actually a perfect clay mask

Forgejo v13.0.2 contains critical security fixes

Washington lawyer on furlough lives out dream of running a hot dog cart

GenAI Image Editing Showdown

Show HN: Project Journal – Give AI coding assistants persistent memory

Sandbox Your Program Using FreeBSD's Capsicum [video]

TIL: Figma provides a helper function for gradient transforms

Scientists are racing to grow human teeth in the lab

We want to move Ruby forward

The Magic of Precision Engineering

Gluing and framing a 9000-piece jigsaw

AI Pullback Has Officially Started

Lampedusa's 1958 Novel The Leopard skewered the super-rich

Practical Defenses Against Technofascism

The Magna Anima Genius Project

Raster Master v5.4 Sprite/Tile/Map Editor 88 Stars on GitHub

Salesforce Enterprise Deep Research

Operating Systems Written in Free Pascal

Sustained western growth and Artificial Intelligence

Tell HN: Don't Vibe Your Design

Hey LLM, write production-ready code