How to enable MIE on MacOS

I am working on a security research project on macOS (Apple Silicon M5) and trying to use Memory Integrity Enforcement (MIE) to detect heap memory bugs such as use-after-free. I can confirm the hardware supports MTE (hw.optional.arm.FEAT_MTE: 1) and the stack sanitizer (-fsanitize=memtag-stack) does work correctly on this machine. The gap is specifically heap tagging through the allocator. Are there any env variables for this?

On macOS with Apple Silicon, Memory Integrity Enforcement (MIE) combined with Arm Memory Tagging Extension (MTE) can be a fantastic way to spot heap memory issues. While stack sanitizer support for MTE is generally easier to set up, enabling heap tagging usually requires some specific settings or environment variables. These might not be as well-documented or easily accessible as on other platforms like Linux.

Here are a few ways you might try to enable heap tagging with MTE on macOS:

Environment Variables: Apple’s documentation and developer tools might not list environment variables for controlling MTE heap tagging as clearly as they do for some other sanitizers. However, you can often find what you need by experimenting with variables that are usually used for debugging and runtime settings. Some common variables to try include:

MallocStackLogging: This is mainly for logging the stack, but sometimes related environment variables can affect how the memory allocator works.

DYLD_INSERT_LIBRARIES: You might try loading a custom library that changes how the memory allocator behaves to enable MTE, but this requires a good understanding of both MTE and how macOS works inside.

Compiler and Linker Flags: Besides stack sanitizer flags, there might be other compiler or linker options that are specific to enabling MTE features on Apple Silicon. Check the latest Xcode and LLVM documentation for any new flags related to MTE.

Custom Allocator: You could also try creating a custom allocator to see if that helps enable MTE. To enable heap tagging, you might consider using a custom memory allocator that supports MTE. Libraries like jemalloc or tcmalloc have been adapted for MTE on other platforms, and it might be possible to port or adapt them for your needs.

System Configuration: Check if there are any system-level configurations or kernel settings that enable or control MTE features. This could involve some low-level debugging or reaching out to Apple Developer Support for any undocumented features.

I was able to enable tag for heap, but it only works on soft mode? I cannot enable hard mode.
