Sticky Tags: Efficient and Deterministic Spatial Memory Error Mitigation using Persistent Memory Tags
Spatial memory errors such as buffer overflows still rank among the top vulnerabilities in C/C++ programs. Despite much research in the area, the performance overhead of (even partial) mitigations is still too high for practical adoption. To reduce the cost, recent solutions are shifting towards har...
Uložené v:
| Vydané v: | Proceedings - IEEE Symposium on Security and Privacy s. 4239 - 4257 |
|---|---|
| Hlavní autori: | , , , |
| Médium: | Konferenčný príspevok.. |
| Jazyk: | English |
| Vydavateľské údaje: |
IEEE
19.05.2024
|
| Predmet: | |
| ISSN: | 2375-1207 |
| On-line prístup: | Získať plný text |
| Tagy: |
Pridať tag
Žiadne tagy, Buďte prvý, kto otaguje tento záznam!
|
| Abstract | Spatial memory errors such as buffer overflows still rank among the top vulnerabilities in C/C++ programs. Despite much research in the area, the performance overhead of (even partial) mitigations is still too high for practical adoption. To reduce the cost, recent solutions are shifting towards hardware-assisted techniques such as Arm's Memory Tagging Extension (MTE). Unfortunately, state-of-the-art MTE solutions incur high overhead due to frequent memory (re)tagging, especially on the stack. Moreover, they rely on the secrecy of random memory tags and offer probabilistic security guarantees.In this paper, we first provide evidence that random tagging offers limited protection as attackers can deduce the memory tags by means of speculative probing. We then present StickyTags, a deterministic MTE solution that efficiently mitigates bounded spatial memory errors. By organizing the stack and heap layout into per-size-class regions, we can apply persistent memory tags to each region in a predetermined pattern. Hence, the memory tags need only be initialized once, after which they can be reused by objects of the same size class. This eliminates the need for costly memory retagging and allows for a fixed, round-robin assignment of the tags, surrounding every object with large implicit spatial guards. While the size of such guards is bounded by the 4-bit MTE entropy (16 tags), the protection is efficient and deterministic. Indeed, we show StickyTags significantly outperforms existing solutions with realistic runtime overheads for practical adoption (≤ 4% on SPEC CPU2006), while fully mitigating 7 out of 8 spatial CVEs evaluated by a recent probabilistic MTE solution. |
|---|---|
| AbstractList | Spatial memory errors such as buffer overflows still rank among the top vulnerabilities in C/C++ programs. Despite much research in the area, the performance overhead of (even partial) mitigations is still too high for practical adoption. To reduce the cost, recent solutions are shifting towards hardware-assisted techniques such as Arm's Memory Tagging Extension (MTE). Unfortunately, state-of-the-art MTE solutions incur high overhead due to frequent memory (re)tagging, especially on the stack. Moreover, they rely on the secrecy of random memory tags and offer probabilistic security guarantees.In this paper, we first provide evidence that random tagging offers limited protection as attackers can deduce the memory tags by means of speculative probing. We then present StickyTags, a deterministic MTE solution that efficiently mitigates bounded spatial memory errors. By organizing the stack and heap layout into per-size-class regions, we can apply persistent memory tags to each region in a predetermined pattern. Hence, the memory tags need only be initialized once, after which they can be reused by objects of the same size class. This eliminates the need for costly memory retagging and allows for a fixed, round-robin assignment of the tags, surrounding every object with large implicit spatial guards. While the size of such guards is bounded by the 4-bit MTE entropy (16 tags), the protection is efficient and deterministic. Indeed, we show StickyTags significantly outperforms existing solutions with realistic runtime overheads for practical adoption (≤ 4% on SPEC CPU2006), while fully mitigating 7 out of 8 spatial CVEs evaluated by a recent probabilistic MTE solution. |
| Author | Kroes, Taddeus Gorter, Floris Bos, Herbert Giuffrida, Cristiano |
| Author_xml | – sequence: 1 givenname: Floris surname: Gorter fullname: Gorter, Floris email: f.c.gorter@vu.nl organization: Vrije Universiteit,Amsterdam – sequence: 2 givenname: Taddeus surname: Kroes fullname: Kroes, Taddeus email: taddeuskroes@gmail.com organization: Vrije Universiteit,Amsterdam – sequence: 3 givenname: Herbert surname: Bos fullname: Bos, Herbert email: h.j.bos@vu.nl organization: Vrije Universiteit,Amsterdam – sequence: 4 givenname: Cristiano surname: Giuffrida fullname: Giuffrida, Cristiano email: c.giuffrida@vu.nl organization: Vrije Universiteit,Amsterdam |
| BookMark | eNotjl1PwjAYhavRRED-gPGif2D49m23bt4ZnB8JRBLwmnTdu6UKHWnnBf-eEbk6JydPnpwxu_GdJ8YeBMyEgOJpvUoVZnKGgGoGMNQrNi10kcsUpBQSxDUbodRpIhD0HRvH-DNgIAs1YrTunf098o1p4zMvm8ZZR77nxtf8lXoKe-ddHBi-PpjemR1f0r4LR16G0AW-dL1rh73z_C863_IVhTjwZ8UFPJvv2W1jdpGml5yw77dyM_9IFl_vn_OXReIQoU9ySDOgTAlTq8qqqkZVaJNi0SBWkNdoUFqd1lYM_ysrG5ORVLkFm4PVAuSEPf57HRFtD8HtTThuBWQq06DkCbHbWLU |
| CODEN | IEEPAD |
| ContentType | Conference Proceeding |
| DBID | 6IE 6IH CBEJK RIE RIO |
| DOI | 10.1109/SP54263.2024.00263 |
| DatabaseName | IEEE Electronic Library (IEL) Conference Proceedings IEEE Proceedings Order Plan (POP) 1998-present by volume IEEE Xplore All Conference Proceedings IEEE Electronic Library (IEL) IEEE Proceedings Order Plans (POP) 1998-present |
| DatabaseTitleList | |
| Database_xml | – sequence: 1 dbid: RIE name: IEEE Xplore url: https://ieeexplore.ieee.org/ sourceTypes: Publisher |
| DeliveryMethod | fulltext_linktorsrc |
| Discipline | Computer Science |
| EISBN | 9798350331301 |
| EISSN | 2375-1207 |
| EndPage | 4257 |
| ExternalDocumentID | 10646704 |
| Genre | orig-research |
| GrantInformation_xml | – fundername: Horizon Europe funderid: 10.13039/100018693 |
| GroupedDBID | 6IE 6IF 6IH 6IL 6IN AAJGR AAWTH ABLEC ACGFS ADZIZ ALMA_UNASSIGNED_HOLDINGS BEFXN BFFAM BGNUA BKEBE BPEOZ CBEJK CHZPO IEGSK IJVOP M43 OCL RIE RIL RIO RNS |
| ID | FETCH-LOGICAL-i220t-80560e641ad4bc4bd2497a529f22b08d2a23c75dc1002bc3fa6e348c0c80c7103 |
| IEDL.DBID | RIE |
| ISICitedReferencesCount | 4 |
| ISICitedReferencesURI | http://www.webofscience.com/api/gateway?GWVersion=2&SrcApp=Summon&SrcAuth=ProQuest&DestLinkType=CitingArticles&DestApp=WOS_CPL&KeyUT=001310833904019&url=https%3A%2F%2Fcvtisr.summon.serialssolutions.com%2F%23%21%2Fsearch%3Fho%3Df%26include.ft.matches%3Dt%26l%3Dnull%26q%3D |
| IngestDate | Wed Jun 04 06:02:01 EDT 2025 |
| IsDoiOpenAccess | false |
| IsOpenAccess | true |
| IsPeerReviewed | false |
| IsScholarly | true |
| Language | English |
| LinkModel | DirectLink |
| MergedId | FETCHMERGED-LOGICAL-i220t-80560e641ad4bc4bd2497a529f22b08d2a23c75dc1002bc3fa6e348c0c80c7103 |
| OpenAccessLink | https://research.vu.nl/en/publications/76a17ae2-fee0-413f-8177-61fb78113702 |
| PageCount | 19 |
| ParticipantIDs | ieee_primary_10646704 |
| PublicationCentury | 2000 |
| PublicationDate | 2024-May-19 |
| PublicationDateYYYYMMDD | 2024-05-19 |
| PublicationDate_xml | – month: 05 year: 2024 text: 2024-May-19 day: 19 |
| PublicationDecade | 2020 |
| PublicationTitle | Proceedings - IEEE Symposium on Security and Privacy |
| PublicationTitleAbbrev | SP |
| PublicationYear | 2024 |
| Publisher | IEEE |
| Publisher_xml | – name: IEEE |
| SSID | ssj0020394 |
| Score | 2.336716 |
| Snippet | Spatial memory errors such as buffer overflows still rank among the top vulnerabilities in C/C++ programs. Despite much research in the area, the performance... |
| SourceID | ieee |
| SourceType | Publisher |
| StartPage | 4239 |
| SubjectTerms | buffer overflow Layout Memory management memory safety memory tagging extension MTE Prevention and mitigation Privacy Production Runtime Tagging |
| Title | Sticky Tags: Efficient and Deterministic Spatial Memory Error Mitigation using Persistent Memory Tags |
| URI | https://ieeexplore.ieee.org/document/10646704 |
| WOSCitedRecordID | wos001310833904019&url=https%3A%2F%2Fcvtisr.summon.serialssolutions.com%2F%23%21%2Fsearch%3Fho%3Df%26include.ft.matches%3Dt%26l%3Dnull%26q%3D |
| hasFullText | 1 |
| inHoldings | 1 |
| isFullTextHit | |
| isPrint | |
| link | http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwlV1LS8NAEF60ePDkq-KbPXiNbnY32axXbfFgS6EVeiv7SilCImkr9N87k6TViwdvISQT2NlhZrLf9w0h9xAEVmibR7lyNpJQskdWChOZxLMY3tGsEUl6U8NhNp3qUUtWr7kwIYQafBYe8LI-y_elW-OvMojwFOIa1T_3lVINWWvXXTGh5ZYVw_TjeJSgFjl0gBz1sTnqfP6an1Knj_7RPz98TLo_RDw62qWYE7IXilNytJ3EQNvAPCNhDP7_2NCJmS-faK-WhQCL1BSevrSAl1qRmeIIYthydIAI2w3tVVVZ0cGiUdooC4o4-DlFXDz6H0y0D6LlLnnv9ybPr1E7QCFacM5WkH2gngmpjI2X1knroddSJuE659yyzHPDhVOJd6jDap3ITRqEzBxzGXNQeohz0inKIlwQGjuh8hxqyTgNMk-stQFKi0THARo4b5NL0sVlm302Ghmz7Ypd_XH_mhyiZ_AcPtY3pLOq1uGWHLiv1WJZ3dWe_QYeCKXz |
| linkProvider | IEEE |
| linkToHtml | http://cvtisr.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwlV1LS8NAEF5EBT3VR8W3e_AaTfaRZL1qS8W2FFqht7KvlCIkkrZC_70zaVq9ePAWQjKB3RlmJvt93xByD0FguDJZkCXWBAJK9sAIrgMtXRjBOypciyR1k34_HY_VoCarV1wY730FPvMPeFmd5bvCLvFXGUR4DHGN6p97UggWrela2_4q5EpseDGhehwOJKqRQw_IUCGbodLnrwkqVQJpN_756SPS_KHi0cE2yRyTHZ-fkMZmFgOtQ_OU-CF4wMeKjvR0_kRblTAEWKQ6d_SlhrxUmswUhxCD09EeYmxXtFWWRUl7s7XWRpFTRMJPKSLj0QPARP0gWm6S93Zr9NwJ6hEKwYyxcAH5ByoaH4tIO2GsMA66rURLpjLGTJg6phm3iXQWlViN5ZmOPRepDW0aWig--BnZzYvcnxMaWZ5kGVSTUexFJo0xHooLqSIPLZwz8oI0cdkmn2uVjMlmxS7_uH9HDjqjXnfSfe2_XZFD3CU8lY_UNdldlEt_Q_bt12I2L2-rXf4G7ISpOg |
| openUrl | ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=proceeding&rft.title=Proceedings+-+IEEE+Symposium+on+Security+and+Privacy&rft.atitle=Sticky+Tags%3A+Efficient+and+Deterministic+Spatial+Memory+Error+Mitigation+using+Persistent+Memory+Tags&rft.au=Gorter%2C+Floris&rft.au=Kroes%2C+Taddeus&rft.au=Bos%2C+Herbert&rft.au=Giuffrida%2C+Cristiano&rft.date=2024-05-19&rft.pub=IEEE&rft.eissn=2375-1207&rft.spage=4239&rft.epage=4257&rft_id=info:doi/10.1109%2FSP54263.2024.00263&rft.externalDocID=10646704 |