Abstract

Commodity processor architectures are releasing various instruction set extensions to support security solutions for the efficient mitigation of memory vulnerabilities. Among them, tagged memory extensions (TMEs), such as ARM MTE and SPARC ADI, can prevent unauthorized memory access by utilizing tagged memory. However, our analysis found that TME has performance and security issues in practical use. To alleviate these, in this paper, we propose CoMeT, a new instruction set extension for tagged memory. The key idea behind CoMeT is not only to check whether the tag values in the address tag and memory tag match, but also to check the access permissions for each tag value. We implemented the prototype of CoMeT on the RISC-V platform. Our evaluation results confirm that CoMeT can be utilized to efficiently implement well-known security solutions, i.e., shadow stack and in-process isolation, without compromising security.

Highlights

  • Tagged memory architecture (TMA) is a computer architecture where every memory block has a special memory tag representing the state of the corresponding memory block.

  • The processor performs the tag comparison operation while processing the memory instructions, so tagged memory extension (TME) does not require additional instructions to check tag values. Despite this elaborate design, we found that TME has some limitations when it comes to applying security solutions.

  • (1) of Figure 2 shows that a store operation to addr0 is blocked by the tag permission check of CoMeT even though the address tag value of the store instruction is the same as the memory tag value of the memory area pointed to by addr0.

Summary

Introduction

Tagged memory architecture (TMA) is a computer architecture where every memory block has a special memory tag representing the state of the corresponding memory block. Developers can use TMA to detect use-after-free vulnerabilities. Suppose they enforce that allocated memory objects and freed memory objects have different tag values. It is then possible to identify an access to a freed memory object by checking the tag value of the memory to be accessed. Due to this versatility of TMA, commodity processor architectures have announced instruction set extensions for TMA (i.e., memory tagging extension (MTE) [5] in ARM and application data integrity (ADI) [6] in SPARC). ARM MTE implements a lock and key mechanism [13] to provide fine-grained access control for physical memory. In ARM MTE, the key in the pointer variable is called the address tag, and the lock in the physical memory is called the memory tag.
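A small software model of the lock and key check described above, extended with the per-tag permission check from the abstract. It is an added example, not code from the paper: the 4-bit tags, 16-byte granules, top-bits tag placement, the `tag_perm` table and all function names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Software model only. Sizes and encodings are assumptions for illustration. */
#define GRANULE   16u   /* bytes covered by one memory tag */
#define NGRANULES 64u
#define TAG_SHIFT 56u   /* address tag kept in the top pointer bits */
#define TAG_MASK  0xFu  /* 4-bit tags */
enum access { LOAD = 1, STORE = 2 };             /* also permission bits */
enum result { OK, TAG_MISMATCH, PERM_DENIED };

static uint8_t mem_tag[NGRANULES];     /* the "locks", one per granule */
static uint8_t tag_perm[TAG_MASK + 1]; /* hypothetical per-tag permission table */

/* Put the "key" (address tag) into the pointer's top bits. */
static uint64_t tag_ptr(uint64_t addr, uint8_t tag) {
    return addr | ((uint64_t)(tag & TAG_MASK) << TAG_SHIFT);
}
/* Colour every granule overlapping [addr, addr+len) with one memory tag. */
static void set_mem_tag(uint64_t addr, uint64_t len, uint8_t tag) {
    for (uint64_t g = addr / GRANULE; g < NGRANULES && g * GRANULE < addr + len; g++)
        mem_tag[g] = tag;
}
/* Check applied to every load/store in this model. */
static enum result check_access(uint64_t ptr, enum access kind) {
    uint8_t key = (ptr >> TAG_SHIFT) & TAG_MASK;
    uint64_t g = (ptr & ((1ULL << TAG_SHIFT) - 1)) / GRANULE;
    if (g >= NGRANULES || mem_tag[g] != key) return TAG_MISMATCH; /* TME-style check */
    if (!(tag_perm[key] & kind)) return PERM_DENIED;  /* extra per-tag check */
    return OK;
}
/* Use-after-free: freeing recolours the object, so the stale key stops fitting. */
static enum result load_after_free(void) {
    tag_perm[3] = tag_perm[7] = LOAD | STORE;
    set_mem_tag(0x100, 32, 3);       /* allocation: lock = 3 */
    uint64_t p = tag_ptr(0x100, 3);  /* pointer carries key = 3 */
    set_mem_tag(0x100, 32, 7);       /* free: lock becomes 7 */
    return check_access(p, LOAD);
}
/* Tags match, but tag 5 is read-only, so the store is still refused. */
static enum result store_with_readonly_tag(void) {
    tag_perm[5] = LOAD;
    set_mem_tag(0x200, 16, 5);
    return check_access(tag_ptr(0x200, 5), STORE);
}
int main(void) {
    printf("load after free: %d\n", load_after_free());
    printf("store via read-only tag: %d\n", store_with_readonly_tag());
    return 0;
}
```

The second scenario is the case a match-only check cannot express: the key fits the lock, yet the access is denied because of the permission attached to the tag value itself.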
