# AD3039: EnableArmMTE

## Summary
| Property | Value |
|---|---|
| ID | AD3039 |
| Name | EnableArmMTE |
| Category | Security |
| Severity | Warning |
| Applies to | ELF (Linux ARM64) |
## Description

ARM64 ELF binaries should consider enabling the Memory Tagging Extension (MTE), which provides hardware-accelerated detection of memory-safety bugs.
## How It Works

The rule checks for MTE enablement by looking for:

- GNU property notes for MTE
- PROT_MTE memory mappings
- MTE-related instructions
## Why This Matters
MTE provides hardware-accelerated detection of memory safety bugs with minimal performance overhead.
### How MTE Works

- Every 16-byte memory region (granule) gets a 4-bit tag (0-15).
- Every pointer carries a 4-bit tag in its upper bits.
- On every memory access the pointer tag must match the memory tag; a mismatch → hardware exception.
### Tag Assignment

```c
#include <stdlib.h>

// Allocator assigns tags
void example(void) {
    char *ptr = malloc(64);
    // ptr = 0x0300'0000'1234'5670 (tag 3 in the upper bits)
    // Memory at 0x12345670 tagged with 3

    // Use-after-free detection:
    free(ptr);  // Memory retagged to a different value
    *ptr = 42;  // Tag mismatch → fault (deliberate use-after-free)
}
```
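As an added illustration (constructed for this page, not code from the rule's project or from any MTE runtime), the following C models the mechanism above in software: 16-byte granules, a 4-bit tag per granule, the pointer tag carried in bits 56-59, and retagging on free. It runs on any host; real MTE performs the same check in hardware on every load and store.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed model of the MTE rules described above: 16-byte granules,
   a 4-bit tag per granule, and the pointer's tag in bits 56-59. Addresses
   are offsets into a small modelled heap; no real MTE hardware is used. */
#define GRANULE   16
#define TAG_SHIFT 56
#define TAG_MASK  ((uint64_t)0xF << TAG_SHIFT)
#define HEAP_SIZE 256
static uint8_t granule_tag[HEAP_SIZE / GRANULE]; /* tag store; 0 = never allocated */
static size_t  heap_top = 0;                     /* bump allocator cursor */
static uint8_t next_tag = 1;                     /* allocator tag counter, 1..15 */
static uint64_t addr_of(uint64_t p) { return p & ~TAG_MASK; }
static uint8_t  tag_of(uint64_t p)  { return (uint8_t)((p & TAG_MASK) >> TAG_SHIFT); }

/* Retag every granule covering [off, off+len), as an allocator does with stg/st2g. */
static void tag_range(uint64_t off, size_t len, uint8_t tag) {
    for (uint64_t g = off / GRANULE; g * GRANULE < off + len; g++)
        granule_tag[g] = tag;
}

/* malloc() model: round up to whole granules, tag them, return a tagged pointer. */
uint64_t mte_malloc(size_t len) {
    size_t rounded = (len + GRANULE - 1) & ~(size_t)(GRANULE - 1);
    if (rounded == 0 || heap_top + rounded > HEAP_SIZE) return 0;
    uint64_t off = heap_top;
    heap_top += rounded;
    uint8_t tag = next_tag;
    next_tag = (uint8_t)(next_tag % 15 + 1);   /* cycle 1..15; real allocators randomise */
    tag_range(off, rounded, tag);
    return off | ((uint64_t)tag << TAG_SHIFT);
}

/* free() model: give the granules a different tag so a stale pointer no longer matches. */
void mte_free(uint64_t p, size_t len) {
    tag_range(addr_of(p), len, (uint8_t)(tag_of(p) % 15 + 1));
}

/* The per-access check the hardware performs: every granule touched by
   [p, p+len) must carry the pointer's tag, otherwise the access faults. */
bool mte_access_ok(uint64_t p, size_t len) {
    uint64_t start = addr_of(p);
    for (uint64_t g = start / GRANULE; g * GRANULE < start + len; g++) {
        if (g >= HEAP_SIZE / GRANULE) return false;   /* outside the modelled heap */
        if (granule_tag[g] != tag_of(p)) return false; /* tag mismatch -> fault */
    }
    return true;
}
```

Probing a few bytes past a 20-byte allocation stays inside its rounded-up granule and passes the check, which is the 16-byte granularity trade-off listed under Performance Considerations.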
### MTE Modes
| Mode | Behavior | Use Case |
|---|---|---|
| Sync | Immediate fault | Development |
| Async | Delayed reporting | Production |
| Asymm | Sync reads, async writes | Balanced |
### Coverage vs ASAN
| Feature | ASAN | MTE |
|---|---|---|
| Overhead | 2x CPU | <5% |
| Memory | 2x RAM | 3% |
| Detection | Byte-level | 16-byte granularity |
| Production use | No | Yes |
### Hardware Requirements
| Requirement | Details |
|---|---|
| CPU | ARMv8.5-A + MTE |
| Kernel | Linux 5.10+ |
| libc | glibc 2.32+ |
## Performance Considerations
MTE is designed for production use with significantly lower overhead than software sanitizers:
| Mode | Runtime Overhead | Memory Overhead | Use Case |
|---|---|---|---|
| Sync | 3-5% | 3% | Development, security-critical |
| Async | <1% | 3% | Production |
| Asymm | 1-2% | 3% | Balanced |
Comparison with software sanitizers:
| Sanitizer | CPU Overhead | Memory Overhead | Production Use |
|---|---|---|---|
| ASAN | 100-200% | 200-300% | No |
| MSAN | 200-300% | 200-300% | No |
| MTE (async) | <1% | 3% | Yes |
Mode selection guidance:
| Scenario | Recommended Mode |
|---|---|
| Development/testing | Sync (immediate detection) |
| Production (security-critical) | Sync or Asymm |
| Production (performance-critical) | Async |
Trade-offs:

- 16-byte detection granularity (vs byte-level for ASAN)
- Requires MTE-capable hardware
- Small memory overhead for tag storage (3%)
## Resolution
Enable MTE at compile time: