Memory safety bugs, such as buffer overflows and use-after-frees, are the leading causes of software safety issues in production. Software-based approaches, e.g., Address Sanitizer (ASAN), can detect such bugs with high precision, but with prohibitively high overhead. ARM's Memory Tagging Extension (MTE) offers a promising alternative that detects these bugs in hardware with much lower overhead. However, in this paper, we perform a thorough investigation of Google Pixel 8, the first production implementation of ARM MTE, and show that MTE can only achieve coarse precision in bug detection compared with software-based approaches such as ASAN, mainly due to its 16-byte tag granularity. To address this issue, we present NanoTag, a system to detect memory safety bugs in unmodified binaries at byte granularity with ARM MTE. NanoTag detects intra-granule buffer overflows by setting up a tripwire for tag granules that may require intra-granule overflow detection. A memory access that hits the tripwire triggers additional overflow detection in software, while MTE's hardware detects bugs for all other accesses. We implement NanoTag based on the Scudo Hardened Allocator, the default memory allocator on Android since Android 11. Our evaluation results across popular benchmarks and real-world case studies show that NanoTag detects nearly as many memory safety bugs as ASAN while incurring run-time overhead similar to that of the Scudo Hardened Allocator in MTE SYNC mode.
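To illustrate the precision gap the abstract describes, here is an added Python model (not code from the paper, Scudo, or NanoTag) of a tag-granule heap in which MTE-style tag checks pass an overflow that stays inside a partially used 16-byte granule, and a tripwire-style software check for such granules catches it. It assumes 16-byte granules, 4-bit tags with tag 0 reserved for free memory, a bump allocator, and that the allocator keeps each chunk's exact requested size as metadata.

```python
GRANULE = 16      # assumption: MTE tag granule size in bytes
NUM_TAGS = 1 << 4  # assumption: 4-bit tags, values 0..15


class TaggedHeap:
    """Toy heap: one tag per granule, plus exact sizes for software checks."""

    def __init__(self, size_bytes=256):
        self.tags = [0] * (size_bytes // GRANULE)  # one tag per 16-byte granule
        self.chunks = {}                           # base address -> requested size
        self.brk, self.next_tag = 0, 1             # tag 0 reserved for free memory

    def _fresh_tag(self, avoid=0):
        # Cycle through tags 1..15, skipping 'avoid' so a retag always changes.
        while True:
            tag, self.next_tag = self.next_tag, self.next_tag % (NUM_TAGS - 1) + 1
            if tag != avoid:
                return tag

    def _retag(self, base, n, tag):
        for g in range(base // GRANULE, (base + n - 1) // GRANULE + 1):
            self.tags[g] = tag

    def malloc(self, n):
        """Return a (tag, address) 'pointer'; every granule of the chunk gets the tag."""
        base, tag = self.brk, self._fresh_tag()
        self.brk += -(-n // GRANULE) * GRANULE     # round the chunk up to whole granules
        self._retag(base, n, tag)
        self.chunks[base] = n
        return tag, base

    def free(self, ptr):
        """Retag the chunk so a stale pointer mismatches (use-after-free detection)."""
        tag, base = ptr
        n = self.chunks.pop(base)
        self._retag(base, n, self._fresh_tag(avoid=tag))

    def access(self, ptr, offset, tripwire=True):
        """Return 'ok', 'mte' (hardware tag mismatch) or 'tripwire' (software catch)."""
        tag, base = ptr
        addr = base + offset
        if not 0 <= addr < len(self.tags) * GRANULE or self.tags[addr // GRANULE] != tag:
            return "mte"
        n = self.chunks.get(base)
        # An overflow that stays inside a partially used last granule still carries
        # the matching tag, so the hardware check passes it; the tripwire check
        # compares against the exact size and catches it.
        if tripwire and n is not None and n % GRANULE and offset >= n:
            return "tripwire"
        return "ok"
```

With `tripwire=False` the model behaves like plain MTE and reports `ok` for a write at offset 20 of a 20-byte chunk, since bytes 20..31 share the chunk's tag.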