brintos

brintos / llvm-project-archived public Read only

0
0
Text · 13.7 KiB · f2e76d6 Raw
309 lines · plain
1=======================================================2Hardware-assisted AddressSanitizer Design Documentation3=======================================================4 5This page is a design document for6**hardware-assisted AddressSanitizer** (or **HWASAN**)7a tool similar to :doc:`AddressSanitizer`,8but based on partial hardware assistance.9 10 11Introduction12============13 14:doc:`AddressSanitizer`15tags every 8 bytes of the application memory with a 1 byte tag (using *shadow memory*),16uses *redzones* to find buffer-overflows and17*quarantine* to find use-after-free.18The redzones, the quarantine, and, to a lesser extent, the shadow, are the19sources of AddressSanitizer's memory overhead.20See the `AddressSanitizer paper`_ for details.21 22AArch64 has `Address Tagging`_ (or top-byte-ignore, TBI), a hardware feature that allows23software to use the 8 most significant bits of a 64-bit pointer as24a tag. HWASAN uses `Address Tagging`_25to implement a memory safety tool, similar to :doc:`AddressSanitizer`,26but with smaller memory overhead and slightly different (mostly better)27accuracy guarantees.28 29Intel's `Linear Address Masking`_ (LAM) also provides address tagging for30x86_64, though it is not widely available in hardware yet.  For x86_64, HWASAN31has a limited implementation using page aliasing instead.32 33Algorithm34=========35* Every heap/stack/global memory object is forcibly aligned by `TG` bytes36  (`TG` is e.g. 16 or 64). We call `TG` the **tagging granularity**.37* For every such object a random `TS`-bit tag `T` is chosen (`TS`, or tag size, is e.g. 4 or 8)38* The pointer to the object is tagged with `T`.39* The memory for the object is also tagged with `T` (using a `TG=>1` shadow memory)40* Every load and store is instrumented to read the memory tag and compare it41  with the pointer tag, exception is raised on tag mismatch.42 43For a more detailed discussion of this approach see https://arxiv.org/pdf/1802.09517.pdf44 45Short granules46--------------47 48A short granule is a granule of size between 1 and `TG-1` bytes. The size49of a short granule is stored at the location in shadow memory where the50granule's tag is normally stored, while the granule's actual tag is stored51in the last byte of the granule. This means that in order to verify that a52pointer tag matches a memory tag, HWASAN must check for two possibilities:53 54* the pointer tag is equal to the memory tag in shadow memory, or55* the shadow memory tag is actually a short granule size, the value being loaded56  is in bounds of the granule and the pointer tag is equal to the last byte of57  the granule.58 59Pointer tags between 1 to `TG-1` are possible and are as likely as any other60tag. This means that these tags in memory have two interpretations: the full61tag interpretation (where the pointer tag is between 1 and `TG-1` and the62last byte of the granule is ordinary data) and the short tag interpretation63(where the pointer tag is stored in the granule).64 65When HWASAN detects an error near a memory tag between 1 and `TG-1`, it66will show both the memory tag and the last byte of the granule. Currently,67it is up to the user to disambiguate the two possibilities.68 69Instrumentation70===============71 72Memory Accesses73---------------74In the majority of cases, memory accesses are prefixed with a call to75an outlined instruction sequence that verifies the tags. The code size76and performance overhead of the call is reduced by using a custom calling77convention that78 79* preserves most registers, and80* is specialized to the register containing the address, and the type and81  size of the memory access.82 83Currently, the following sequence is used:84 85.. code-block:: none86 87  // int foo(int *a) { return *a; }88  // clang -O2 --target=aarch64-linux-android30 -fsanitize=hwaddress -S -o - load.c89  [...]90  foo:91        stp     x30, x20, [sp, #-16]!92        adrp    x20, :got:__hwasan_shadow               // load shadow address from GOT into x2093        ldr     x20, [x20, :got_lo12:__hwasan_shadow]94        bl      __hwasan_check_x0_2_short_v2            // call outlined tag check95                                                        // (arguments: x0 = address, x20 = shadow base;96                                                        // "2" encodes the access type and size)97        ldr     w0, [x0]                                // inline load98        ldp     x30, x20, [sp], #1699        ret100 101  [...]102  __hwasan_check_x0_2_short_v2:103        sbfx    x16, x0, #4, #52                        // shadow offset104        ldrb    w16, [x20, x16]                         // load shadow tag105        cmp     x16, x0, lsr #56                        // extract address tag, compare with shadow tag106        b.ne    .Ltmp0                                  // jump to short tag handler on mismatch107  .Ltmp1:108        ret109  .Ltmp0:110        cmp     w16, #15                                // is this a short tag?111        b.hi    .Ltmp2                                  // if not, error112        and     x17, x0, #0xf                           // find the address's position in the short granule113        add     x17, x17, #3                            // adjust to the position of the last byte loaded114        cmp     w16, w17                                // check that position is in bounds115        b.ls    .Ltmp2                                  // if not, error116        orr     x16, x0, #0xf                           // compute address of last byte of granule117        ldrb    w16, [x16]                              // load tag from it118        cmp     x16, x0, lsr #56                        // compare with pointer tag119        b.eq    .Ltmp1                                  // if matches, continue120  .Ltmp2:121        stp     x0, x1, [sp, #-256]!                    // save original x0, x1 on stack (they will be overwritten)122        stp     x29, x30, [sp, #232]                    // create frame record123        mov     x1, #2                                  // set x1 to a constant indicating the type of failure124        adrp    x16, :got:__hwasan_tag_mismatch_v2      // call runtime function to save remaining registers and report error125        ldr     x16, [x16, :got_lo12:__hwasan_tag_mismatch_v2] // (load address from GOT to avoid potential register clobbers in delay load handler)126        br      x16127 128Heap129----130 131Tagging the heap memory/pointers is done by `malloc`.132This can be based on any malloc that forces all objects to be TG-aligned.133`free` tags the memory with a different tag.134 135Stack136-----137 138Stack frames are instrumented by aligning all non-promotable allocas139by `TG` and tagging stack memory in function prologue and epilogue.140 141Tags for different allocas in one function are **not** generated142independently; doing that in a function with `M` allocas would require143maintaining `M` live stack pointers, significantly increasing register144pressure. Instead we generate a single base tag value in the prologue,145and build the tag for alloca number `M` as `ReTag(BaseTag, M)`, where146ReTag can be as simple as exclusive-or with constant `M`.147 148Stack instrumentation is expected to be a major source of overhead,149but could be optional.150 151Globals152-------153 154Most globals in HWASAN instrumented code are tagged. This is accomplished155using the following mechanisms:156 157  * The address of each global has a static tag associated with it. The first158    defined global in a translation unit has a pseudorandom tag associated159    with it, based on the hash of the file path. Subsequent global tags are160    incremental from the previously-assigned tag.161 162  * The global's tag is added to its symbol address in the object file's symbol163    table. This causes the global's address to be tagged when its address is164    taken.165 166  * When the address of a global is taken directly (i.e. not via the GOT), a special167    instruction sequence needs to be used to add the tag to the address,168    because the tag would otherwise take the address outside of the small code169    model (4GB on AArch64). No changes are required when the address is taken170    via the GOT because the address stored in the GOT will contain the tag.171 172  * An associated ``hwasan_globals`` section is emitted for each tagged global,173    which indicates the address of the global, its size and its tag.  These174    sections are concatenated by the linker into a single ``hwasan_globals``175    section that is enumerated by the runtime (via an ELF note) when a binary176    is loaded and the memory is tagged accordingly.177 178A complete example is given below:179 180.. code-block:: none181 182  // int x = 1; int *f() { return &x; }183  // clang -O2 --target=aarch64-linux-android30 -fsanitize=hwaddress -S -o - global.c184 185  [...]186  f:187        adrp    x0, :pg_hi21_nc:x            // set bits 12-63 to upper bits of untagged address188        movk    x0, #:prel_g3:x+0x100000000  // set bits 48-63 to tag189        add     x0, x0, :lo12:x              // set bits 0-11 to lower bits of address190        ret191 192  [...]193        .data194  .Lx.hwasan:195        .word   1196 197        .globl  x198        .set x, .Lx.hwasan+0x2d00000000000000199 200  [...]201        .section        .note.hwasan.globals,"aG",@note,hwasan.module_ctor,comdat202  .Lhwasan.note:203        .word   8                            // namesz204        .word   8                            // descsz205        .word   3                            // NT_LLVM_HWASAN_GLOBALS206        .asciz  "LLVM\000\000\000"207        .word   __start_hwasan_globals-.Lhwasan.note208        .word   __stop_hwasan_globals-.Lhwasan.note209 210  [...]211        .section        hwasan_globals,"ao",@progbits,.Lx.hwasan,unique,2212  .Lx.hwasan.descriptor:213        .word   .Lx.hwasan-.Lx.hwasan.descriptor214        .word   0x2d000004                   // tag = 0x2d, size = 4215 216Error reporting217---------------218 219Errors are generated by the `HLT` instruction and are handled by a signal handler.220 221Attribute222---------223 224HWASAN uses its own LLVM IR Attribute `sanitize_hwaddress` and a matching225C function attribute. An alternative would be to re-use ASAN's attribute226`sanitize_address`. The reasons to use a separate attribute are:227 228  * Users may need to disable ASAN but not HWASAN, or vise versa,229    because the tools have different trade-offs and compatibility issues.230  * LLVM (ideally) does not use flags to decide which pass is being used,231    ASAN or HWASAN are being applied, based on the function attributes.232 233This does mean that users of HWASAN may need to add the new attribute234to the code that already uses the old attribute.235 236 237Comparison with AddressSanitizer238================================239 240HWASAN:241  * Is less portable than :doc:`AddressSanitizer`242    as it relies on hardware `Address Tagging`_ (AArch64).243    Address Tagging can be emulated with compiler instrumentation,244    but it will require the instrumentation to remove the tags before245    any load or store, which is infeasible in any realistic environment246    that contains non-instrumented code.247  * May have compatibility problems if the target code uses higher248    pointer bits for other purposes.249  * May require changes in the OS kernels (e.g. Linux seems to dislike250    tagged pointers passed from address space:251    https://www.kernel.org/doc/Documentation/arm64/tagged-pointers.txt).252  * **Does not require redzones to detect buffer overflows**,253    but the buffer overflow detection is probabilistic, with roughly254    `1/(2**TS)` chance of missing a bug (6.25% or 0.39% with 4 and 8-bit TS255    respectively).256  * **Does not require quarantine to detect heap-use-after-free,257    or stack-use-after-return**.258    The detection is similarly probabilistic.259 260The memory overhead of HWASAN is expected to be much smaller261than that of AddressSanitizer:262`1/TG` extra memory for the shadow263and some overhead due to `TG`-aligning all objects.264 265Security Considerations266=======================267 268HWASAN is a bug detection tool and its runtime is not meant to be269linked against production executables. While it may be useful for testing,270HWASAN's runtime was not developed with security-sensitive271constraints in mind and may compromise the security of the resulting executable.272 273Supported architectures274=======================275HWASAN relies on `Address Tagging`_ which is only available on AArch64.276For other 64-bit architectures it is possible to remove the address tags277before every load and store by compiler instrumentation, but this variant278will have limited deployability since not all of the code is279typically instrumented.280 281On x86_64, HWASAN utilizes page aliasing to place tags in userspace address282bits.  Currently only heap tagging is supported.  The page aliases rely on283shared memory, which will cause heap memory to be shared between processes if284the application calls ``fork()``.  Therefore x86_64 is really only safe for285applications that do not fork.286 287HWASAN does not currently support 32-bit architectures since they do not288support `Address Tagging`_ and the address space is too constrained to easily289implement page aliasing.290 291 292Related Work293============294* `SPARC ADI`_ and `Arm MTE`_ implement a similar tool mostly in hardware.295* `Effective and Efficient Memory Protection Using Dynamic Tainting`_ discusses296  similar approaches ("lock & key").297* `Watchdog`_ discussed a heavier, but still somewhat similar298  "lock & key" approach.299* *TODO: add more "related work" links. Suggestions are welcome.*300 301 302.. _Watchdog: https://www.cis.upenn.edu/acg/papers/isca12_watchdog.pdf303.. _Effective and Efficient Memory Protection Using Dynamic Tainting: https://www.cc.gatech.edu/~orso/papers/clause.doudalis.orso.prvulovic.pdf304.. _SPARC ADI: https://lazytyped.blogspot.com/2017/09/getting-started-with-adi.html305.. _Arm MTE: https://developer.arm.com/documentation/108035/0100/Introduction-to-the-Memory-Tagging-Extension306.. _AddressSanitizer paper: https://www.usenix.org/system/files/conference/atc12/atc12-final39.pdf307.. _Address Tagging: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.den0024a/ch12s05s01.html308.. _Linear Address Masking: https://software.intel.com/content/www/us/en/develop/download/intel-architecture-instruction-set-extensions-programming-reference.html309