From: Szabolcs Nagy <email@example.com>
To: Rich Felker <firstname.lastname@example.org>
Cc: Stefan Jumarea <email@example.com>,
firstname.lastname@example.org, Razvan Deaconescu <email@example.com>,
Michalis Pappas <firstname.lastname@example.org>
Subject: Re: [musl] Project Proposal MTE Support
Date: Thu, 20 Jul 2023 15:03:10 +0200 [thread overview]
Message-ID: <20230720130310.GA3448312@port70.net> (raw)
* Rich Felker <email@example.com> [2023-07-19 21:51:22 -0400]:
> On Wed, Jul 19, 2023 at 10:37:06AM +0300, Stefan Jumarea wrote:
> > Hello all,
> > With the present, I would like to discuss the prospect of adding MTE support in
> > the Musl memory allocator.
> > Currently, (starting with release 1.2.1, August 2020, commit 503bd3976623), Musl
> > introduces a new "malloc" implementation ("mallocng"), which solves a lot of the
> > intended malloc-hardening issues. However, further hardening can be implemented,
> > including MTE (Memory Tagging Extension) support.
> mallocng was designed with the idea of possible future MTE use in
> mind. At the time, I seem to recall there were obstacles to being able
> to use MTE, so it wasn't pursued. But it's definitely an interesting
> and powerful direction, one of the few ISA-level hardening features
> that's actually a hard access control boundary rather than loads of
> complexity to make ROP slightly harder.
note: it is not quite "hard access control" because *(p+off)
can still access anything when off is attacker controlled:
the top bits of p are not protected so the tag can change and
there are only 16 tags, so it can be guessed. (in principle
the compiler could fix this by always masking "off" in ptr
arithmetic, but that's not implemented and has costs.)
i tried mallocng with mte at some point (and worked on the
glibc mte malloc too).
one issue was the 4b in-band data (at end of prev slot), it
should not be in the same mte granule (16b) as user data
otherwise it can be corrupted and more importantly there is
an access issue as the tag of that granule may change async.
(glibc had a similar issue which meant that mte support
required more wasteful layout for small allocations even if
tagging got disabled: we dont want enable/disable to change
the layout so mte can be used to debug heap issues. upstream
glibc does not support mte by default for this reason: it's
a configure time option.)
another issue was that MADV_FREE clears the tags, so heap
memory owned by the malloc implementation (meta data) must
use 0 tag instead of a different dedicated tag.
note: tagging must be posible to turn off for a process
because some sw assumes page size granule protection (does
oob read access) or uses pointer top bits in some way.
> > We are using Musl as the primary libc within Unikraft, a Unikernel Developing Kit,
> > and we support MTE on the low-level memory allocator. This however lacks a lot in
> > terms of granularity, as the internal allocator has a page-size minimum allocation
> > level, and tagging one page at the time still allows for memory safety violations
> > in the area of one page.
> > Our goal is to have MTE protection implemented in a fine-grained allocator
> > (i.e. Musl "malloc" implementation), that will successfully prevent memory safety
> > violations.
> > Extended measurements will need to be done in order to provide a clear overview
> > over the performance impact that using MTE will have, but the architecture
> > provides ways to optimize the implementation for functions like "calloc" or
> > large "malloc" blocks (instructions like "store allocation tag with zeroing",
> > "sdgz", "store allocation tag for blocks", "sdgm"), along with an asynchronous
> > way to check for a Tag Check Fault (e.g. on IRQs, on task / thread switches, etc.).
async tag check is not very useful for debugging nor for
security (essentially the failure is delayed to the next
syscall and the damage can be done by that time). there
is asymmetric mode (sync read check, async write check)
which may be useful but requires newer arch.
> > A bit about myself, my name is Ștefan Jumărea, I am an undergraduate student in
> > the final year at University Politehnica of Bucharest, and I’ve been part of the
> > Unikraft OSS project for almost two years.
> > I would like to make this my diploma project (due June 2024).
> > Is it something of interest in the Musl community?
> > Is it planned work, is there anyone else working on it? If not, I would like to
> > start working on the project in the next weeks.
> > Do you have any comments, suggestions, or other things I should consider?
> There is no immediate plan. Probably the first steps need to be
> figuring out some abstractions needed, particularly a way for the
> implementation to take tagged pointers from the caller and do the
> arithmetic to access partly out-of-band data (like the group header)
> with a different/zero tag. These should be able to collapse out to
> no-ops on archs without MTE, as well as be defined in a manner to work
> on other archs with comparable features (like the classic sparc prior
> art for this, if we ever get the sparc port added, or any future archs
> that add such a thing).
note that sparc adi is less practical as its granule is 64b
(cache line size) which blows up small allocations.
> I know there were past discussions on this and I may have some
> separate notes of my own from when mallocng was created, so I'll see
> what I can dig up that might be of use.
next prev parent reply other threads:[~2023-07-20 13:03 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-07-19 7:37 Stefan Jumarea
2023-07-20 1:51 ` Rich Felker
2023-07-20 5:47 ` Stefan Jumarea
2023-07-20 13:03 ` Szabolcs Nagy [this message]
2023-07-20 19:02 ` Rich Felker
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).