PACSan: Enforcing Memory Safety Based on ARM PA
Yuan Li, Wende Tan, Zhizheng Lv, Songtao Yang, Mathias Payer, Ying Liu, Chao Zhang

TL;DR
PACSan is a novel memory sanitizer that enforces spatial and temporal safety with minimal performance overhead by leveraging ARM Pointer Authentication, outperforming existing sanitizers in security and efficiency.
Contribution
PACSan introduces a new approach using ARM PA to seal metadata in pointers, enabling low-overhead, accurate memory safety enforcement without false positives.
Findings
PACSan achieves 0.84x runtime overhead and 1.92x memory overhead.
It has no false positives and fewer false negatives compared to state-of-the-art sanitizers.
PACSan reduces runtime and memory overheads significantly compared to ASan.
Abstract
Memory safety is a key security property that stops memory corruption vulnerabilities. Existing sanitizers enforce checks and catch such bugs during development and testing. However, they either provide partial memory safety or have overwhelmingly high performance overheads. Our novel sanitizer PACSan enforces spatial and temporal memory safety with no false positives at low performance overheads. PACSan removes the majority of the overheads involved in pointer tracking by sealing metadata in pointers through ARM PA (Pointer Authentication), and performing the memory safety checks when pointers are dereferenced. We have developed a prototype of PACSan and systematically evaluated its security and performance on the Magma, Juliet, Nginx, and SPEC CPU2017 test suites, respectively. In our evaluation, PACSan shows no false positives together with negligible false negatives, while…
Taxonomy
Topics: Security and Verification in Computing · Cloud Data Security Solutions · Semiconductor materials and devices
