PACSan: Enforcing Memory Safety Based on ARM PA
This addresses memory corruption vulnerabilities for software developers by providing stronger security with lower overheads than existing sanitizers, representing a novel method rather than an incremental improvement.
The researchers tackled the problem of memory safety enforcement with high performance overheads by developing PACSan, a sanitizer that uses ARM Pointer Authentication to seal metadata in pointers, achieving 0.84x runtime overhead and 1.92x memory overhead on average with no false positives and negligible false negatives.
Memory safety is a key security property that stops memory corruption vulnerabilities. Existing sanitizers enforce checks and catch such bugs during development and testing. However, they either provide partial memory safety or have overwhelmingly high performance overheads. Our novel sanitizer PACSan enforces spatial and temporal memory safety with no false positives at low performance overheads. PACSan removes the majority of the overheads involved in pointer tracking by sealing metadata in pointers through ARM PA (Pointer Authentication), and performing the memory safety checks when pointers are dereferenced. We have developed a prototype of PACSan and systematically evaluated its security and performance on the Magma, Juliet, Nginx, and SPEC CPU2017 test suites, respectively. In our evaluation, PACSan shows no false positives together with negligible false negatives, while introducing stronger security guarantees and lower performance overheads than state-of-the-art sanitizers, including HWASan, ASan, SoftBound+CETS, Memcheck, LowFat, and PTAuth. Specifically, PACSan has 0.84x runtime overhead and 1.92x memory overhead on average. Compared to the widely deployed ASan, PACSan has no false positives and much fewer false negatives and reduces 7.172% runtime overheads and 89.063%memory overheads.