WingNews logo WingNews
top | item 45650267

(no title)

tdullien | 4 months ago

With all the negative comments here: This is existing technology on ARM64 (MTE) and on modern iPhones (https://security.apple.com/blog/memory-integrity-enforcement...).

For a good intuition why this (coupled with instrumenting all allocators accordingly) is a game-changer for exploitation, check https://docs.google.com/presentation/d/1V_4ZO9fFOO1PZQTNODu2...

In general, having this come to x86 is long-overdue and very welcome.

discuss

order

cogman10|4 months ago

But wait, how do you know that's what this is?

The reason I'm negative is the entire article has zero detail on WTF this instruction set is or does. The best you can do is guess from the name of the instruction set.

Compare the linked iPhone article to this blog and you'll quickly see the difference. There's very real discussion in the MTE article of how the instructions work and what they do. This article just says "Memory safety is hard and we'll fix it with these new instructions that fix memory safety!"

tdullien|4 months ago

So there's a long intellectual history behind these technologies, and Intel had multiple chances of taking the leadership on this around 2018 - they failed to do so, some of the talent went to Apple, and now Intel has to play catch-up.

I'm pretty certain it'll be the x86 variant of either MTE or MIE.

linksnapzz|4 months ago

This is how, amongst other things, IBM POWER cpus do memory tagging for capability-based security on iSeries/OS400.

IIRC, later SPARC64 chips also had a version of this.

helloooooooo|4 months ago

The x64 Windows Kernel is starting to get support for this. There are a few references to memory tagging appearing in the public symbol files.

eigenform|4 months ago

Probably because it's very likely that both AMD and Intel have had engineers working on this sort of thing for a long time, and they're now deciding to collectively hash out whatever the solution is going to be for both of them.

DannyBee|4 months ago

>But wait, how do you know that's what this is?

A lot of these extensions come from Intel/AMD/etc clients first, and because of how long it takes a thing to make it into mainstream chips, it was probably conceived of and worked on at least 5 years ago, often longer.

This particular thing has a long history and depending on where they worked, they know about that history.

However, they are often covered by extra layers of NDA's on top of whatever normal corporate employee NDA you have, so most people won't say a ton about it.

fweimer|4 months ago

I don't know if it is intended this way, but there's one useful outcome even with the limited amount of detail disclosed:

There are industry partners who work closely with AMD and Intel (with on-site partner engineers etc.), but who are not represented in the x86 ecosystem advisory group, or maybe they have representation, but not at the right level. If these industry partners notice the blog post and they think they have technology in impacted areas, they can approach their contacts, asking how they can get involved.

pizlonator|4 months ago

Wow that weird state machine doc is great! Thanks for sharing.

I’m lukewarm on this.

- It is long overdue and welcome.

- It won’t stop a sufficiently determined attacker because its probabilistic and too easy to only apply partially

Is this good? Yes. Does it solve memory safety? No. But does it change the economics? Yes.

mshroyer|4 months ago

Yeah it's the most succinct explanation I've seen of weird machines and memory tagging. Definitely bookmarking this one. I wonder if video of the talk that presumably presented this is available.

transpute|4 months ago

Is there a comparison of memory tagging designs for different architectures (POWER, SPARC, CHERI/Morello, Arm MTE/eMTE, Apple MIE, x86, RISC-V)? e.g. enforcement role of compiler vs. hardware, opt-in vs mandatory, hardware isolation of memory tags, performance impact, level of OS integration?