Hacker News
by pjmlp 828 days ago
My favourite quote.

"A consequence of this principle is that every occurrence of every subscript of every subscripted variable was on every occasion checked at run time against both the upper and the lower declared bounds of the array. Many years later we asked our customers whether they wished us to provide an option to switch off these checks in the interests of efficiency on production runs. Unanimously, they urged us not to--they already knew how frequently subscript errors occur on production runs where failure to detect them could be disastrous. I note with fear and horror that even in 1980 language designers and users have not learned this lesson. In any respectable branch of engineering, failure to observe such elementary precautions would have long been against the law."

-- C.A.R. Hoare's "The 1980 ACM Turing Award Lecture"

After 50 years of the Morris worm, only C Machines can fix the non-existence of the mythical highly skilled developer, and, as Hoare predicted, it is finally becoming a liability not to care about security.
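The principle in the Hoare quote above, every subscript checked at run time against both declared bounds, carried out in a small C abstraction. This is an added example, not code from the post or from Hoare; the `bounded_array` type and the `bounded_get`/`bounded_set`/`checked_sum` functions are illustrative names chosen here. The array carries Algol-style inclusive bounds `[lo..hi]` (a negative lower bound included), and every access returns an error instead of touching adjacent memory:

```c
#include <stdio.h>
#include <stdlib.h>

/* Illustrative type (not from the thread): an array with declared
 * lower and upper bounds, both inclusive, as in Hoare's Algol compiler. */
typedef struct {
    long lo;    /* declared lower bound */
    long hi;    /* declared upper bound */
    int *data;  /* storage for hi - lo + 1 elements */
} bounded_array;

/* The one place a subscript is compared against both declared bounds. */
static int in_bounds(const bounded_array *a, long idx) {
    return idx >= a->lo && idx <= a->hi;
}

/* Checked read: stores the element and returns 0, or returns -1 on a
 * subscript error and leaves *out untouched. */
int bounded_get(const bounded_array *a, long idx, int *out) {
    if (!in_bounds(a, idx)) return -1;
    *out = a->data[idx - a->lo];
    return 0;
}

/* Checked write, same contract as bounded_get. */
int bounded_set(bounded_array *a, long idx, int value) {
    if (!in_bounds(a, idx)) return -1;
    a->data[idx - a->lo] = value;
    return 0;
}

/* Allocates zeroed storage for bounds [lo, hi]; returns 0 on success. */
int bounded_init(bounded_array *a, long lo, long hi) {
    if (hi < lo) return -1;
    a->data = calloc((size_t)(hi - lo + 1), sizeof(int));
    if (a->data == NULL) return -1;
    a->lo = lo;
    a->hi = hi;
    return 0;
}

void bounded_free(bounded_array *a) {
    free(a->data);
    a->data = NULL;
}

/* Sums elements first..last through the checked accessor. A loop that
 * runs one past the declared bound gets -1 rather than a total quietly
 * contaminated with whatever sits next to the array in memory. */
int checked_sum(const bounded_array *a, long first, long last, long *sum) {
    long total = 0;
    for (long i = first; i <= last; i++) {
        int v;
        if (bounded_get(a, i, &v) != 0) return -1;
        total += v;
    }
    *sum = total;
    return 0;
}

int main(void) {
    bounded_array a;
    long s;
    if (bounded_init(&a, -3, 4) != 0) return 1;      /* bounds [-3..4] */
    for (long i = -3; i <= 4; i++) bounded_set(&a, i, (int)i);
    if (checked_sum(&a, -3, 4, &s) == 0)
        printf("sum over [-3..4] = %ld\n", s);
    /* the classic off-by-one, one past the upper bound, is reported */
    if (checked_sum(&a, -3, 5, &s) != 0)
        printf("subscript error caught: 5 is outside [-3..4]\n");
    bounded_free(&a);
    return 0;
}
```

The cost per access is two integer comparisons, which is the overhead Hoare's customers refused to trade away; a production build that compiled `in_bounds` out would turn the reported error on the second `checked_sum` call into a silent read past the allocation.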

1 comment

Great quote. Nice to have memory tagging to help with the debug process these days. Not surprising to see these mistakes being made about 50 years later, as the fundamentals have not changed. Doing the same thing and expecting different results is, well, you know...
HWASan is semi-hardware-accelerated memory tagging usable on most arm64 devices. MTE makes it much lower overhead for the debugging-oriented synchronous mode, but also provides the asynchronous/asymmetric modes aimed at production usage. Asynchronous mode is near 0% overhead, and asymmetric mode is overall comparable to the overhead of existing, barely useful legacy mitigations like SSP. MTE provides both bug detection in production for resolving the bugs and also hardening against exploitation. It would be nice if it had more bits, but it can already provide a lot of deterministic protections.

Highly recommend that any Android developer with a single native library shipped with their app gets a Pixel 8 or Pixel 8 Pro to use MTE for finding and debugging memory corruption bugs. One of the major advantages of MTE is that you can use heap MTE with instrumentation only added to the allocators (such as malloc) without building all the code with it. Stack allocation MTE, of course, requires instrumenting those stack allocations.