Meanwhile on x86, upcoming memory tagging support was announced today - named ChkTag.

A few notes:

- Tags are stored in virtual memory - this is quite similar to the recently disclosed FEAT_VMTE on Arm

- Instruction-level granularity on whether an access is checked or not - on Arm this is handled via a PSTATE bit (TCO) but x86 has far more opcode space to deal with this one differently

- Compatible with existing ABIs/can be adopted gradually by software

- It's argued that software mechanisms (i.e. sanitisers) are too slow - we'll see how that goes given the Fil-C experiment.

(that however completely breaks ABI)

ChkTag: x86 Memory Safety

Memory safety violations due to programming errors have long afflicted software. Industry and academia have been searching for solutions to this problem. As first noted in August 2025 posts by Intel and AMD x86 Ecosystem Advisory Group (EAG) leaders [1, 2], Intel and AMD ...

@never_released the August 27th LinkedIn posts they reference mention AVX10 and FRED but say nothing about ChkTag. Makes you wonder what could possibly have happened in September

@fay59
> One highlight to note, cloud providers made it clear that memory tagging, once considered a debug only feature, is mission critical for protecting production workloads

in Hormuth's post

@never_released @fay59 wanna bet on whether it'll make it to prod by 2040?
@siguza @never_released @fay59 I wouldn’t be too pessimistic or unconcerned. Depending on what the new CRA standards require (basically your software needs a CE-mark for the EU market) this could happen sooner than later. Draft for operating systems: https://labs.etsi.org/rep/stan4cra/en-304-626/-/blob/main/EN-304-626.md?ref_type=heads#:~:text=Use%20case:%20laptop%2C%20phone%2C%20other%20devices%20at%20higher%20risk%20of%20malicious%20code%20executionMitigation:%20Use%20software%20or%20hardware%20memory%20tagging%20feature%20for%20memory%20allocations..
@m @siguza @never_released not European, not a lawyer, not going to read the whole thing; with that out of the way, MI-PMSC makes it an “essential requirement” to prevent side channel attacks so I don’t know how much I believe this will become real
@fay59 the current version is not final, but a work in progress up for public participation. I wouldn’t be so sure. The Cyber Resilience Act is EU law and will apply to all products sold in the EU after it comes into force (afaik late 2027).
And the standards are only technical requirements to make compliance with the actual requirements (https://eur-lex.europa.eu/eli/reg/2024/2847/oj/eng#anx_II) easier. And if you don’t comply, you are liable for any damages, without the option to limit that liability in a EULA or similar.

@fay59 from what I’ve heard, it looks a bit like the EU commission officers, being highly annoyed by the fuck around and find out attitude of software companies like Microsoft, Crowdstrike and similar, remembered that they can write the rules for stuff. And are determined to make it stick.
Regardless of the fact that “What is an OS” is still a research question, they gave these standards people three months for a legally binding technical definition. And they are not stopping nor slowing down.
@fay59 in the end they are trying to do with the big stick what others have tried to do before (US CISA and the White House’s document about memory safety): Improving IT security and general quality to a minimum level acceptable according to its role in society. Or in other words: We as IT people have not professionalized ourselves and will find out for our continual fucking around.
For their determination: Ask around about how forgiving they are about the DMA. Apple probably should be involved.