[Cryptography] Oracle archeologists discover memory tagging

John Gilmore gnu at toad.com
Thu Oct 29 04:40:06 EDT 2015


> Apparently, Oracle has been doing archeology research on old Burroughs...:

What Oracle (Sun) has done here is quite a bit different from the
Burroughs tagged memory.  Here's a developer tip on how it works:

  https://community.oracle.com/docs/DOC-912448

The hardware is storing an extra software-controlled 4-bit value along
with each 64-byte cache line in main memory.  When enabled, hardware
compares this value to the top bits of the address being used to
access the memory, and faults if they don't match.  This is an
interesting use of the copious spare bits available in 64-bit
addresses.  It requires an extra ~1% of main memory and cache memory
width, and probably some extra pins on the processor.

Oracle enables this feature using surprisingly simple modifications to
malloc(), so that adjacent objects (and objects re-allocated on top of
freed objects) are always 64-byte aligned and always get a different
4-bit tag.  User programs can write these memory tags.  Of course, not
every object will have its own tag (there are only 13 tags available)
so a wild access has a 12-in-13 chance of faulting -- still vastly
better odds than without this feature.  This works even with old
binaries, since they link with the new malloc.  If the
memory-tag-writing overhead is low enough, the compiler could also
generate code in new programs to do the same thing with each stack frame
(giving each frame (one or more) tags different from adjacent frames).

By contrast, old Burroughs system memory tagged each 48-bit memory
word based on what kind of data it contained (for a small number of
kinds defined specifically by hardware).  E.g. all data words in all
objects had tag 0, whereas array descriptors had tag 3.  The tags were
not checked against bits in the address used to access them, but
instead against the type of instruction used to access them.  User
programs could not change these tags.  This did not provide protection
against pointers accessing data from outside their arrays, which is
what the Sun/Oracle feature is designed to do.  (That was done by a
separate descriptor mechanism in Burroughs machines, unrelated to the
tagged memory.)

	John
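A small model of the mechanism John describes, added here as an illustration and not code from the post, from Oracle or from any SPARC toolchain: one 4-bit tag per 64-byte line, checked against the top bits of the pointer, and a malloc that gives each adjacent (or re-allocated) object a different tag. The tag position (bit 60), the tag range 1..13, the bump allocator and the retag-on-free behaviour are assumptions of the model.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed simulation: a tag per 64-byte line, compared to the pointer's
 * top 4 bits on every access. Bit 60 and the 13-tag range are assumed. */
#define LINE       64
#define NLINES     64
#define HEAP_BYTES (NLINES * LINE)
#define TAG_SHIFT  60
#define NTAGS      13

typedef uint64_t tptr;                    /* tag<<60 | byte offset into heap */

static uint8_t  line_tag[NLINES];         /* the extra 4-bit value per line */
static size_t   next_line;                /* bump-allocator cursor (assumed) */
static unsigned last_tag;                 /* tag of the previous allocation */

static unsigned tag_of(tptr p) { return (unsigned)(p >> TAG_SHIFT) & 0xF; }
static uint64_t off_of(tptr p) { return p & ((1ULL << TAG_SHIFT) - 1); }
static tptr     mk(unsigned t, uint64_t off) { return ((tptr)t << TAG_SHIFT) | off; }

/* The "hardware" check: every line the access touches must carry the
 * pointer's tag. Returns 1 if allowed, 0 if the access would fault. */
int adi_check(tptr p, size_t len)
{
    uint64_t a = off_of(p);
    if (len == 0 || a + len > HEAP_BYTES) return 0;
    for (uint64_t l = a / LINE; l <= (a + len - 1) / LINE; l++)
        if (line_tag[l] != tag_of(p)) return 0;
    return 1;
}

/* malloc as described: 64-byte aligned, and the new object's tag always
 * differs from the previous allocation's (tags rotate through 1..13). */
tptr tagged_malloc(size_t n)
{
    size_t lines = (n + LINE - 1) / LINE;
    if (next_line + lines > NLINES) return 0;          /* 0 = allocation failed */
    last_tag = last_tag % NTAGS + 1;
    for (size_t i = 0; i < lines; i++) line_tag[next_line + i] = (uint8_t)last_tag;
    tptr p = mk(last_tag, next_line * LINE);
    next_line += lines;
    return p;
}

/* free retags the object's lines, so a stale pointer no longer matches */
void tagged_free(tptr p, size_t n)
{
    size_t first = off_of(p) / LINE, lines = (n + LINE - 1) / LINE;
    for (size_t i = 0; i < lines; i++)
        line_tag[first + i] = (uint8_t)(line_tag[first + i] % NTAGS + 1);
}
```

With two adjacent 64-byte objects, an in-bounds access passes, a one-byte overrun into the neighbour faults, and a pointer kept after free faults once the line has been retagged.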