Pointer Tagging for Memory Safety

MSR-TR-2019-17 |

Published by Microsoft

Memory safety attacks continue to be prevalent on computer systems in use today, as large amounts of unsafe C/C++ code continues to provide attackers with a large supply of buffer overrun, use after free and type confusion bugs. This paper proposes a fundamental instruction set architecture change to combat memory safety problems. The ISA change is mostly transparent to application code and typically only requires a recompilation of the application to gain the security benefits. The change involves having the CPU hold two extra tag bits to the side of each piece of 64-bit data to denote whether the data holds a code/data pointer or not. By doing this, we can prevent attackers from using ‘data’ to corrupt ‘pointers’ and cause undesired damage. We believe the proposed architecture change enables stronger control flow protection than shadow stack (Intel CET) plus Control Flow Guard (CFG) with less performance overhead. Thus, this ISA change not only enhances security, but does so while improving performance.