Spatial memory errors such as buffer overflows still rank among the top vulnerabilities in C/C++ programs. Despite much research in the area, the performance overhead of (even partial) mitigations is still too high for practical adoption. To reduce the cost, recent solutions are shifting towards hardware-assisted techniques such as Arm’s Memory Tagging Extension (MTE). Unfortunately, state-of-the-art MTE solutions incur high overhead due to frequent memory (re)tagging, especially on the stack. Moreover, they rely on the secrecy of random memory tags and offer probabilistic security guarantees.
In this presentation, I will first show that random tagging offers limited protection, as attackers can deduce the memory tags by means of speculative execution. Next, I will present StickyTags, a deterministic MTE solution that efficiently mitigates bounded spatial memory errors. StickyTags significantly outperforms existing solutions with realistic runtime overheads for practical adoption (≤ 4% on SPEC CPU2006), while fully mitigating 7 out of 8 spatial CVEs evaluated by a recent probabilistic MTE solution.
Herbert Bos is a full professor at Vrije Universiteit Amsterdam, where he co-leads the VUSec Systems Security group. His research interests include OS design, microarchitectural attacks and defenses, fuzzing, exploitation, networking, and dependable systems. He is very proud of his current and former students who are much cleverer than he is and whose research results won five PWNIE Awards as well as changes in all major operating systems, all major browsers and all Intel CPUs. He worries about climate change and loves the Beatles.