
Memory Integrity Enforcement

(security.apple.com)
458 points circuit | 1 comments
ysnp ◴[] No.45188721[source]
>Google took a great first step last year when they offered MTE to those who opt in to their program for at-risk users. But even for users who turn it on, the effectiveness of MTE on Android is limited by the lack of deep integration with the operating system that distinguishes Memory Integrity Enforcement and its use of EMTE on Apple silicon.

>With the introduction of the iPhone 17 lineup and iPhone Air, we’re excited to deliver Memory Integrity Enforcement: the industry’s first ever, comprehensive, always-on memory-safety protection covering key attack surfaces — including the kernel and over 70 userland processes — built on the Enhanced Memory Tagging Extension (EMTE) and supported by secure typed allocators and tag confidentiality protections.

Of course it is a little disappointing not to see GrapheneOS's efforts in implementing [1] and raising awareness [2] recognised by others but it is very encouraging to see Apple making a serious effort on this. Hopefully it spurs Google on to do the same in Pixel OS. It should also inspire confidence that GrapheneOS are generally among the leaders in creating a system that defends the device owner against unknown threats.

[1] https://grapheneos.org/releases#2023103000
[2] https://xcancel.com/GrapheneOS/status/1716946325277909087#m

replies(1): >>45188900 #
saagarjha ◴[] No.45188900[source]
Apple has been working on this for years. It's not like they started thinking about memory tagging when Daniel decided to turn it on in GrapheneOS.
replies(3): >>45189111 #>>45189983 #>>45191005 #
slashtab ◴[] No.45191005[source]
So Apple did research and Daniel just “turned it on”?! I am not talking about the hardware part; even then you're biased and dismissive of others' efforts.
replies(2): >>45192002 #>>45194591 #
astrange ◴[] No.45192002[source]
It certainly isn't something you can just turn on. I don't know how hardened_malloc works, but one problem is that C malloc() doesn't know the type of memory it's allocating, which is naturally an issue when you need to… allocate typed memory.

You can fix this insofar as you control the compiler and calls to malloc(), which you don't, because third party code may have wrappers around it.

replies(1): >>45193446 #
strcat ◴[] No.45193446[source]
MTE is not about typed memory. It's for detecting invalid memory accesses outside of an object or outside of the lifetime of the object in general. hardened_malloc is the main place GrapheneOS implements MTE for userspace. In the kernel, it's implemented in various allocators, and in Chromium in PartitionAlloc. The kernel and PartitionAlloc allocators have typed allocator designs, unlike malloc. It's still possible to do partitioning for malloc via size classes and call locations.
replies(1): >>45194557 #
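To make concrete what strcat describes above (MTE detects accesses outside an object's bounds or lifetime, independent of the object's type), here is an added software simulation of MTE-style tagging. It is illustration written for this thread, not code from GrapheneOS, hardened_malloc, PartitionAlloc or Apple. It assumes a 16-byte tag granule, a 4-bit tag per granule kept in a side table, and the tag carried in the top byte of the pointer; real hardware performs the check on every load and store, whereas here `tagged_access()` performs it explicitly.

```c
/* Software simulation of MTE-style memory tagging (added illustration, not
 * the code of any project named in the thread). Assumptions: 16-byte
 * granules, a 4-bit tag per granule in a side table, tag stored in the top
 * byte of the pointer. Tags are chosen deterministically here so the
 * scenarios are reproducible; hardware picks them randomly, which is why a
 * single access has a 1-in-16 chance of slipping past a random tag. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GRANULE    16
#define HEAP_BYTES (GRANULE * 64)
#define NGRANULES  (HEAP_BYTES / GRANULE)
#define TAG_SHIFT  56
#define TAG_MASK   0xFULL

static uint8_t heap[HEAP_BYTES];          /* simulated heap backing store */
static uint8_t granule_tag[NGRANULES];    /* one 4-bit tag per granule */
static size_t  bump;                      /* bump allocator: next free granule */
static uint8_t tag_counter = 1;           /* deterministic tag source, 1..15 */

typedef uint64_t tptr;                    /* (tag << 56) | byte offset into heap */

static tptr    make_ptr(uint8_t tag, size_t off) { return ((tptr)tag << TAG_SHIFT) | off; }
static uint8_t ptr_tag(tptr p)  { return (uint8_t)((p >> TAG_SHIFT) & TAG_MASK); }
static size_t  ptr_off(tptr p)  { return (size_t)(p & ((1ULL << TAG_SHIFT) - 1)); }

/* Fresh non-zero tag that differs from `avoid` (the neighbouring granule's
 * tag), so a linear overflow always crosses into a different tag. */
static uint8_t fresh_tag(uint8_t avoid) {
    uint8_t t;
    do { t = tag_counter; tag_counter = (uint8_t)(tag_counter % 15 + 1); } while (t == avoid);
    return t;
}

/* Hand out a tagged pointer; every granule of the object gets the same tag.
 * Returns 0 when the simulated heap is exhausted (valid pointers have tag >= 1). */
tptr tagged_alloc(size_t size) {
    size_t n = (size + GRANULE - 1) / GRANULE;
    if (n == 0 || bump + n > NGRANULES) return 0;
    uint8_t prev = bump ? granule_tag[bump - 1] : 0;
    uint8_t tag  = fresh_tag(prev);
    for (size_t i = 0; i < n; i++) granule_tag[bump + i] = tag;
    tptr p = make_ptr(tag, bump * GRANULE);
    bump += n;
    return p;
}

/* Retag the freed granules so a dangling pointer still carrying the old tag
 * faults on its next access (temporal safety: use-after-free detection). */
void tagged_free(tptr p, size_t size) {
    size_t g = ptr_off(p) / GRANULE, n = (size + GRANULE - 1) / GRANULE;
    uint8_t old = ptr_tag(p);
    for (size_t i = 0; i < n && g + i < NGRANULES; i++)
        granule_tag[g + i] = fresh_tag(old);
}

/* The check hardware applies to every load/store: 0 if all granules touched
 * carry the pointer's tag, -1 on a mismatch (a tag-check fault). */
int tagged_access(tptr p, size_t len) {
    size_t off = ptr_off(p);
    if (len == 0 || off + len > HEAP_BYTES) return -1;   /* past the end of the heap */
    for (size_t g = off / GRANULE; g <= (off + len - 1) / GRANULE; g++)
        if (granule_tag[g] != ptr_tag(p)) return -1;
    return 0;
}

static void reset_heap(void) {
    memset(heap, 0, sizeof heap);
    memset(granule_tag, 0, sizeof granule_tag);
    bump = 0;
    tag_counter = 1;
}

/* Scenario: two adjacent 20-byte objects (two granules each). Note that the
 * checks never consult the objects' types, only bounds and lifetime. */
int check_in_bounds(void) { reset_heap(); tptr a = tagged_alloc(20); (void)tagged_alloc(20); return tagged_access(a, 20); }
int check_overflow(void)  { reset_heap(); tptr a = tagged_alloc(20); (void)tagged_alloc(20); return tagged_access(a, 40); }
int check_uaf(void)       { reset_heap(); tptr a = tagged_alloc(20); tagged_free(a, 20);  return tagged_access(a, 4);  }

int main(void) {
    printf("in-bounds access : %s\n", check_in_bounds() == 0 ? "ok"    : "fault");
    printf("overflow into b  : %s\n", check_overflow()  == 0 ? "ok"    : "fault");
    printf("use after free   : %s\n", check_uaf()       == 0 ? "ok"    : "fault");
    return 0;
}
```

The two violation cases fault because the pointer's tag no longer matches the granule it reaches: the overflow runs into the neighbour's tag (spatial), and the freed object was retagged (temporal). What the simulation does not model is what the later comments turn on: with random tags a mismatch is only probabilistic, which is where partitioning by size class or call site, or a typed allocator, is used to keep objects that must never alias apart regardless of the tag.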
saagarjha ◴[] No.45194557[source]
Yes, this is exactly what you're missing and why what Apple has done is novel. They've combined MTE with typed allocators to reduce the performance impact and make it effective as Android failed to do.