309 lines · plain
1=======================================================2Hardware-assisted AddressSanitizer Design Documentation3=======================================================4 5This page is a design document for6**hardware-assisted AddressSanitizer** (or **HWASAN**)7a tool similar to :doc:`AddressSanitizer`,8but based on partial hardware assistance.9 10 11Introduction12============13 14:doc:`AddressSanitizer`15tags every 8 bytes of the application memory with a 1 byte tag (using *shadow memory*),16uses *redzones* to find buffer-overflows and17*quarantine* to find use-after-free.18The redzones, the quarantine, and, to a lesser extent, the shadow, are the19sources of AddressSanitizer's memory overhead.20See the `AddressSanitizer paper`_ for details.21 22AArch64 has `Address Tagging`_ (or top-byte-ignore, TBI), a hardware feature that allows23software to use the 8 most significant bits of a 64-bit pointer as24a tag. HWASAN uses `Address Tagging`_25to implement a memory safety tool, similar to :doc:`AddressSanitizer`,26but with smaller memory overhead and slightly different (mostly better)27accuracy guarantees.28 29Intel's `Linear Address Masking`_ (LAM) also provides address tagging for30x86_64, though it is not widely available in hardware yet. For x86_64, HWASAN31has a limited implementation using page aliasing instead.32 33Algorithm34=========35* Every heap/stack/global memory object is forcibly aligned by `TG` bytes36 (`TG` is e.g. 16 or 64). We call `TG` the **tagging granularity**.37* For every such object a random `TS`-bit tag `T` is chosen (`TS`, or tag size, is e.g. 4 or 8)38* The pointer to the object is tagged with `T`.39* The memory for the object is also tagged with `T` (using a `TG=>1` shadow memory)40* Every load and store is instrumented to read the memory tag and compare it41 with the pointer tag, exception is raised on tag mismatch.42 43For a more detailed discussion of this approach see https://arxiv.org/pdf/1802.09517.pdf44 45Short granules46--------------47 48A short granule is a granule of size between 1 and `TG-1` bytes. The size49of a short granule is stored at the location in shadow memory where the50granule's tag is normally stored, while the granule's actual tag is stored51in the last byte of the granule. This means that in order to verify that a52pointer tag matches a memory tag, HWASAN must check for two possibilities:53 54* the pointer tag is equal to the memory tag in shadow memory, or55* the shadow memory tag is actually a short granule size, the value being loaded56 is in bounds of the granule and the pointer tag is equal to the last byte of57 the granule.58 59Pointer tags between 1 to `TG-1` are possible and are as likely as any other60tag. This means that these tags in memory have two interpretations: the full61tag interpretation (where the pointer tag is between 1 and `TG-1` and the62last byte of the granule is ordinary data) and the short tag interpretation63(where the pointer tag is stored in the granule).64 65When HWASAN detects an error near a memory tag between 1 and `TG-1`, it66will show both the memory tag and the last byte of the granule. Currently,67it is up to the user to disambiguate the two possibilities.68 69Instrumentation70===============71 72Memory Accesses73---------------74In the majority of cases, memory accesses are prefixed with a call to75an outlined instruction sequence that verifies the tags. The code size76and performance overhead of the call is reduced by using a custom calling77convention that78 79* preserves most registers, and80* is specialized to the register containing the address, and the type and81 size of the memory access.82 83Currently, the following sequence is used:84 85.. code-block:: none86 87 // int foo(int *a) { return *a; }88 // clang -O2 --target=aarch64-linux-android30 -fsanitize=hwaddress -S -o - load.c89 [...]90 foo:91 stp x30, x20, [sp, #-16]!92 adrp x20, :got:__hwasan_shadow // load shadow address from GOT into x2093 ldr x20, [x20, :got_lo12:__hwasan_shadow]94 bl __hwasan_check_x0_2_short_v2 // call outlined tag check95 // (arguments: x0 = address, x20 = shadow base;96 // "2" encodes the access type and size)97 ldr w0, [x0] // inline load98 ldp x30, x20, [sp], #1699 ret100 101 [...]102 __hwasan_check_x0_2_short_v2:103 sbfx x16, x0, #4, #52 // shadow offset104 ldrb w16, [x20, x16] // load shadow tag105 cmp x16, x0, lsr #56 // extract address tag, compare with shadow tag106 b.ne .Ltmp0 // jump to short tag handler on mismatch107 .Ltmp1:108 ret109 .Ltmp0:110 cmp w16, #15 // is this a short tag?111 b.hi .Ltmp2 // if not, error112 and x17, x0, #0xf // find the address's position in the short granule113 add x17, x17, #3 // adjust to the position of the last byte loaded114 cmp w16, w17 // check that position is in bounds115 b.ls .Ltmp2 // if not, error116 orr x16, x0, #0xf // compute address of last byte of granule117 ldrb w16, [x16] // load tag from it118 cmp x16, x0, lsr #56 // compare with pointer tag119 b.eq .Ltmp1 // if matches, continue120 .Ltmp2:121 stp x0, x1, [sp, #-256]! // save original x0, x1 on stack (they will be overwritten)122 stp x29, x30, [sp, #232] // create frame record123 mov x1, #2 // set x1 to a constant indicating the type of failure124 adrp x16, :got:__hwasan_tag_mismatch_v2 // call runtime function to save remaining registers and report error125 ldr x16, [x16, :got_lo12:__hwasan_tag_mismatch_v2] // (load address from GOT to avoid potential register clobbers in delay load handler)126 br x16127 128Heap129----130 131Tagging the heap memory/pointers is done by `malloc`.132This can be based on any malloc that forces all objects to be TG-aligned.133`free` tags the memory with a different tag.134 135Stack136-----137 138Stack frames are instrumented by aligning all non-promotable allocas139by `TG` and tagging stack memory in function prologue and epilogue.140 141Tags for different allocas in one function are **not** generated142independently; doing that in a function with `M` allocas would require143maintaining `M` live stack pointers, significantly increasing register144pressure. Instead we generate a single base tag value in the prologue,145and build the tag for alloca number `M` as `ReTag(BaseTag, M)`, where146ReTag can be as simple as exclusive-or with constant `M`.147 148Stack instrumentation is expected to be a major source of overhead,149but could be optional.150 151Globals152-------153 154Most globals in HWASAN instrumented code are tagged. This is accomplished155using the following mechanisms:156 157 * The address of each global has a static tag associated with it. The first158 defined global in a translation unit has a pseudorandom tag associated159 with it, based on the hash of the file path. Subsequent global tags are160 incremental from the previously-assigned tag.161 162 * The global's tag is added to its symbol address in the object file's symbol163 table. This causes the global's address to be tagged when its address is164 taken.165 166 * When the address of a global is taken directly (i.e. not via the GOT), a special167 instruction sequence needs to be used to add the tag to the address,168 because the tag would otherwise take the address outside of the small code169 model (4GB on AArch64). No changes are required when the address is taken170 via the GOT because the address stored in the GOT will contain the tag.171 172 * An associated ``hwasan_globals`` section is emitted for each tagged global,173 which indicates the address of the global, its size and its tag. These174 sections are concatenated by the linker into a single ``hwasan_globals``175 section that is enumerated by the runtime (via an ELF note) when a binary176 is loaded and the memory is tagged accordingly.177 178A complete example is given below:179 180.. code-block:: none181 182 // int x = 1; int *f() { return &x; }183 // clang -O2 --target=aarch64-linux-android30 -fsanitize=hwaddress -S -o - global.c184 185 [...]186 f:187 adrp x0, :pg_hi21_nc:x // set bits 12-63 to upper bits of untagged address188 movk x0, #:prel_g3:x+0x100000000 // set bits 48-63 to tag189 add x0, x0, :lo12:x // set bits 0-11 to lower bits of address190 ret191 192 [...]193 .data194 .Lx.hwasan:195 .word 1196 197 .globl x198 .set x, .Lx.hwasan+0x2d00000000000000199 200 [...]201 .section .note.hwasan.globals,"aG",@note,hwasan.module_ctor,comdat202 .Lhwasan.note:203 .word 8 // namesz204 .word 8 // descsz205 .word 3 // NT_LLVM_HWASAN_GLOBALS206 .asciz "LLVM\000\000\000"207 .word __start_hwasan_globals-.Lhwasan.note208 .word __stop_hwasan_globals-.Lhwasan.note209 210 [...]211 .section hwasan_globals,"ao",@progbits,.Lx.hwasan,unique,2212 .Lx.hwasan.descriptor:213 .word .Lx.hwasan-.Lx.hwasan.descriptor214 .word 0x2d000004 // tag = 0x2d, size = 4215 216Error reporting217---------------218 219Errors are generated by the `HLT` instruction and are handled by a signal handler.220 221Attribute222---------223 224HWASAN uses its own LLVM IR Attribute `sanitize_hwaddress` and a matching225C function attribute. An alternative would be to re-use ASAN's attribute226`sanitize_address`. The reasons to use a separate attribute are:227 228 * Users may need to disable ASAN but not HWASAN, or vise versa,229 because the tools have different trade-offs and compatibility issues.230 * LLVM (ideally) does not use flags to decide which pass is being used,231 ASAN or HWASAN are being applied, based on the function attributes.232 233This does mean that users of HWASAN may need to add the new attribute234to the code that already uses the old attribute.235 236 237Comparison with AddressSanitizer238================================239 240HWASAN:241 * Is less portable than :doc:`AddressSanitizer`242 as it relies on hardware `Address Tagging`_ (AArch64).243 Address Tagging can be emulated with compiler instrumentation,244 but it will require the instrumentation to remove the tags before245 any load or store, which is infeasible in any realistic environment246 that contains non-instrumented code.247 * May have compatibility problems if the target code uses higher248 pointer bits for other purposes.249 * May require changes in the OS kernels (e.g. Linux seems to dislike250 tagged pointers passed from address space:251 https://www.kernel.org/doc/Documentation/arm64/tagged-pointers.txt).252 * **Does not require redzones to detect buffer overflows**,253 but the buffer overflow detection is probabilistic, with roughly254 `1/(2**TS)` chance of missing a bug (6.25% or 0.39% with 4 and 8-bit TS255 respectively).256 * **Does not require quarantine to detect heap-use-after-free,257 or stack-use-after-return**.258 The detection is similarly probabilistic.259 260The memory overhead of HWASAN is expected to be much smaller261than that of AddressSanitizer:262`1/TG` extra memory for the shadow263and some overhead due to `TG`-aligning all objects.264 265Security Considerations266=======================267 268HWASAN is a bug detection tool and its runtime is not meant to be269linked against production executables. While it may be useful for testing,270HWASAN's runtime was not developed with security-sensitive271constraints in mind and may compromise the security of the resulting executable.272 273Supported architectures274=======================275HWASAN relies on `Address Tagging`_ which is only available on AArch64.276For other 64-bit architectures it is possible to remove the address tags277before every load and store by compiler instrumentation, but this variant278will have limited deployability since not all of the code is279typically instrumented.280 281On x86_64, HWASAN utilizes page aliasing to place tags in userspace address282bits. Currently only heap tagging is supported. The page aliases rely on283shared memory, which will cause heap memory to be shared between processes if284the application calls ``fork()``. Therefore x86_64 is really only safe for285applications that do not fork.286 287HWASAN does not currently support 32-bit architectures since they do not288support `Address Tagging`_ and the address space is too constrained to easily289implement page aliasing.290 291 292Related Work293============294* `SPARC ADI`_ and `Arm MTE`_ implement a similar tool mostly in hardware.295* `Effective and Efficient Memory Protection Using Dynamic Tainting`_ discusses296 similar approaches ("lock & key").297* `Watchdog`_ discussed a heavier, but still somewhat similar298 "lock & key" approach.299* *TODO: add more "related work" links. Suggestions are welcome.*300 301 302.. _Watchdog: https://www.cis.upenn.edu/acg/papers/isca12_watchdog.pdf303.. _Effective and Efficient Memory Protection Using Dynamic Tainting: https://www.cc.gatech.edu/~orso/papers/clause.doudalis.orso.prvulovic.pdf304.. _SPARC ADI: https://lazytyped.blogspot.com/2017/09/getting-started-with-adi.html305.. _Arm MTE: https://developer.arm.com/documentation/108035/0100/Introduction-to-the-Memory-Tagging-Extension306.. _AddressSanitizer paper: https://www.usenix.org/system/files/conference/atc12/atc12-final39.pdf307.. _Address Tagging: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.den0024a/ch12s05s01.html308.. _Linear Address Masking: https://software.intel.com/content/www/us/en/develop/download/intel-architecture-instruction-set-extensions-programming-reference.html309