Comment by pizlonator
5 months ago
Not saying you’d want both. Just answering why MTE isn’t a path to CHERI
But here’s a reason to do both: CHERI’s UAF story isn’t great. Adding MTE means you get a probabilistic story at least
5 months ago
Not saying you’d want both. Just answering why MTE isn’t a path to CHERI
But here’s a reason to do both: CHERI’s UAF story isn’t great. Adding MTE means you get a probabilistic story at least
True! On the flip side, MTE sucks at intra-object corruption: if I get access to a heap object with pointers, MTE doesn't affect me, I can go ahead and write to that object because I own the tag.
Overall my _personal_ opinion is that CHERI is a huge win at a huge cost, while MTE is a huge win at a low cost. But, there are definitely vulnerability classes that each system excels at.
I think the intra object issue might be niche enough to not matter.
And CHERI fixes it only optionally, if you accept having to change a lot more code
Where studies suggest "a lot" is sub-0.1%. For example, https://www.capabilitieslimited.co.uk/_files/ugd/f4d681_e0f2... was a study into porting 6 million lines of C and C++ to run a KDE+X11 desktop stack on CHERI, and saw 0.026% LoC change, or ~1.5k LoC out of ~6 million LoC, all done in just 3 months by one person. That's even an overestimate, because it includes many changes to build systems just to be able to cross-compile the projects. It's not nothing, but it's the kind of thing where a single engineer can feasibly port large bodies of code. Yes, certain systems code will be worse (like JITs), but the vast majority of cases are not that, and even those are still feasible (e.g. we have people working with Chromium and V8).
2 replies →
I think I broadly agree with you. IMO tagging is practically much, much more valuable than capabilities systems modeled like CHERI.
6 replies →
Some progress on UAF though! https://dl.acm.org/doi/10.1145/3703595.3705878