xTag: Mitigating Use-After-Free Vulnerabilities via Software-Based Pointer Tagging on Intel x86-64

by   Lukas Bernhard, et al.

Memory safety in complex applications implemented in unsafe programming languages such as C/C++ is still an unresolved problem in practice. Many different types of defenses have been proposed in the past to mitigate this problem. The most promising next step is a tighter integration of the hardware and software level: modern mitigation techniques are either accelerated using hardware extensions or implemented in the hardware by extensions of the ISA. In particular, memory tagging, as proposed by ARM or SPARC, promises to solve many issues for practical memory safety. Unfortunately, Intel x86-64, which represents the most important ISA for both the desktop and server domain, lacks support for hardware-accelerated memory tagging, so memory tagging is not considered practical for this platform. In this paper, we present the design and implementation of an efficient, software-only pointer tagging scheme for Intel x86-64 based on a novel metadata embedding scheme. The basic idea is to alias multiple virtual pages to one physical page so that we can efficiently embed tag bits into a pointer. Furthermore, we introduce several optimizations that significantly reduce the performance impact of this approach to memory tagging. Based on this scheme, we propose a novel use-after-free mitigation scheme, called xTag, that offers better performance and strong security properties compared to state-of-the-art methods. We also show how double-free vulnerabilities can be mitigated. Our approach is highly compatible, allowing pointers to be passed back and forth between instrumented and non-instrumented code without losing metadata, and it is even compatible with inline assembly. We conclude that building exploit mitigation mechanisms on top of our memory tagging scheme is feasible on Intel x86-64, as demonstrated by the effective prevention of use-after-free bugs in the Firefox web browser.


CrypTag: Thwarting Physical and Logical Memory Vulnerabilities using Cryptographically Colored Memory

Memory vulnerabilities are a major threat to many computing systems. To ...

Memory Tagging: A Memory Efficient Design

ARM recently introduced a security feature called Memory Tagging Extensi...

Color My World: Deterministic Tagging for Memory Safety

Hardware-assisted memory protection features are increasingly being depl...

Memory Tagging and how it improves C/C++ memory safety

Memory safety in C and C++ remains largely unresolved. A technique usual...

DangKiller: Eliminating Dangling Pointers Efficiently via Implicit Identifier

Use-After-Free vulnerabilities, allowing the attacker to access unintend...

HeapSafe: Securing Unprotected Heaps in RISC-V

RISC-V is a promising open-source architecture primarily targeted for em...

Fast Fuzzing for Memory Errors

Greybox fuzzing is a proven effective testing method for the detection o...

Please sign up or login with your details

Forgot password? Click here to reset