Memory Tagging for the Kernel: Tag-Based KASAN

About the speaker

Andrey Konovalov
Google, Munich, Germany

Andrey Konovalov is a software engineer at Google working on various bug finding tools for the Linux kernel (e.g. syzkaller and KASAN). His main research interests are vulnerability discovery and exploit development, particularly for the Linux kernel.

Abstract

Memory Tagging Extension (MTE) is an ARM v8.5 extension that enables hardware-assisted validation of correctness of memory accesses. In a nutshell, MTE allows to assign tags to memory allocations, as well as to pointers that refer to those allocations. When a pointer is accessed, a validity check is performed by the hardware, which ensures that the tag on the memory matches the tag on the pointer.

This talk will focus on a newly introduced tag-based mode of KASAN. KASAN (KernelAddressSanitizer) is a memory error detector for the Linux kernel. While the hardware MTE implementation will only come in CPUs that are released in the following years, we can already use a software implementation, that relies on compiler instrumentation to perform tag validity checks. The tag-based KASAN mode is based on the memory tagging approach, and uses compiler instrumentation instead of relying on hardware.

Right now tag-based KASAN is available in Android common kernels and can be used as an alternative to generic KASAN with significantly lower memory requirements, that allows to run it on testing dogfood devices. Tag-based KASAN also serves as preparatory work for in-kernel MTE support, that hopefully will be used as a kernel memory corruption mitigation technique in the future.