ZOMETAG: Zone-based Memory Tagging for Fast, Deterministic Detection of Spatial Memory Violations on ARM

Abstract

Against spatial memory violations threatening a vast amount of legacy software, various safety solutions have been suggested for decades. However, their practical uses have been impeded by diverse reasons, such as significant overheads and mandatory modifications of existing architectures. Accordingly, there has been a clear need for a practical safety solution that is fast enough and yet runs on commodity systems for its wide applicability in the field. As an effort to meet this need, a major processor vendor, ARM, recently announced a hardware extension, called <italic>MemoryTagging Extension</italic> (MTE), that helps engineers to implement efficient safety solutions. However, due to lack of hardware tags to isolate all data objects, MTE either resorts to a probabilistic memory safety guarantee, which is susceptible to a security loophole, or suffers from severe performance degradation to guarantee deterministic security. The aim of our work is to develop a MTE-based deterministic spatial safety solution, called ZOMETAG, with high efficiency by capitalizing on salient architectural features. Our key idea for fast, deterministic safety is to somehow assign permanently all objects unique tags throughout program execution. For this, ZOMETAG first divides the data memory into a number of small regions, called <italic>zones</italic>, and distributes data objects over the zones subject to certain constraints (to be discussed later). Then, we extend the notion of a tag in a way that each object stored with MTE tag <italic>t</italic> in zone <italic>z</italic> is uniquely assigned the zone-tag pair <<italic>z,t</italic>> as a new tag. To work with this new tag assignment, we devise a novel mechanism, called <italic>two-layer</italic> isolation, that is basically a combination of MTE-based tagging (for one-layer of isolation) with zone-based tagging (for the other) both of which collaborate together to ensure spatial safety for all objects by preventing a pointer currently assigned one zone-tag pair from erroneously referring to objects assigned different pairs. Our experimental results are quite encouraging. ZOMETAG enforces deterministic spatial safety with overheads of 35% in SPEC CPU2006 and merely of 6% in real world applications like nginx.