> Technologies like ARM's Memory Tagging Extension (MTE) and the Capability Hardware Enhanced RISC Instructions (CHERI) architecture offer a complementary defense, particularly for existing code.
From OP: https://www.preludesecurity.com/blog/windows-arm64-internals... :
> In addition, current-generation ARM64 Microsoft devices, like the Surface Pro, are not shipped with chips that can support the Memory Tagging Extension (MTE) feature. Although not implemented today on Windows systems, the implementation of both PAC and MTE in the future would serve to greatly increase the cost of memory corruption exploits.
"The Arm64 memory tagging extension in Linux" (2020) on LWN: https://news.ycombinator.com/item?id=24824378#24829160
ASan: AddressSanitizer
MSan: MemSan: MemorySanitizer
Google/sanitizers is archived because it was merged into LLVM sanitizers. https://github.com/google/sanitizers/ :
> The Sanitizers project, which includes AddressSanitizer, MemorySanitizer, ThreadSanitizer, LeakSanitizer, and more, is now archived.
LLVM Clang docs > AddressSanitizer: https://clang.llvm.org/docs/AddressSanitizer.html
There's a google/sanitizers wiki page from 2019 about Stack Instrumentation with ARM MTE Memory Tagging Extensions: https://github.com/google/sanitizers/wiki/Stack-instrumentat...
/? MemTagSanitizer https://www.google.com/search?q=MemTagSanitizer
"Color My World: Deterministic Tagging for Memory Safety" (2022) https://arxiv.org/abs/2204.03781 :
> 7.3 Pointer-safe tagging: Recall that safe allocations could still allow inter-object corruption unless it is also pointer-safe (Sections 5.3 and 6.3). To distinguish such safe, but pointer-unsafe allocations, we tag them using the 0b10xx. Consequently, we can at run-time distinguish pointers loaded from pointer-safe allocations, and apply tag forgery prevention to all other loaded pointers.
LLVM Clang docs > MemSanitizer: https://llvm.org/docs/MemTagSanitizer.html :
> Introduction: Note: this page describes a tool under development. Part of this functionality is planned but not implemented. Hardware capable of running MemTagSanitizer does not exist as of Oct 2019.
> MemTagSanitizer is a fast memory error detector and a code hardening tool based on the Armv8.5-A Memory Tagging Extension. It detects a similar class of errors as AddressSanitizer or HardwareAssistedAddressSanitizer, but with much lower overhead.
> MemTagSanitizer overhead is expected to be in low single digits, both CPU and memory. There are plans for a debug mode with slightly higher memory overhead and better diagnostics. The primary use case of MemTagSanitizer is code hardening in production binaries, where it is expected to be a strong mitigation for both stack and heap-based memory bugs.
-fsanitize=memtag
Code sanitizer:
https://en.wikipedia.org/wiki/Code_sanitizer -fsanitize