NanoTag: Systems Support for Efficient Byte-Granular Overflow Detection on ARM MTE

📅 2025-09-26
📈 Citations: 0
Influential: 0
🤖 AI Summary
ARM’s Memory Tagging Extension (MTE) suffers from coarse 16-byte tag granularity, limiting its precision in detecting intra-granule buffer overflows and use-after-free errors—significantly underperforming software-based solutions like AddressSanitizer (ASan). This work introduces NanoTag, the first byte-granular MTE enhancement supporting unmodified binaries. Its core innovation is the “trigger-line” mechanism: dynamically inserting fine-grained boundary markers during memory allocation, tightly integrating Scudo allocator metadata with MTE hardware exception handling to pinpoint overflow locations at byte-level accuracy—without compromising MTE’s runtime efficiency. Evaluation across SPEC CPU, Phoronix Test Suite, and real-world applications shows NanoTag achieves detection capability nearly on par with ASan, while incurring only 12% average overhead over baseline MTE+Scudo—far less than ASan’s typical >2× slowdown.

📝 Abstract
Memory safety bugs, such as buffer overflows and use-after-frees, are the leading causes of software safety issues in production. Software-based approaches, e.g., Address Sanitizer (ASAN), can detect such bugs with high precision, but with prohibitively high overhead. ARM's Memory Tagging Extension (MTE) offers a promising alternative to detect these bugs in hardware with a much lower overhead. However, in this paper, we perform a thorough investigation of Google Pixel 8, the first production implementation of ARM MTE, and show that MTE can only achieve coarse precision in bug detection compared with software-based approaches such as ASAN, mainly due to its 16-byte tag granularity. To address this issue, we present NanoTag, a system to detect memory safety bugs in unmodified binaries at byte granularity with ARM MTE. NanoTag detects intra-granule buffer overflows by setting up a tripwire for tag granules that may require intra-granule overflow detection. The memory access to the tripwire causes additional overflow detection in the software while using MTE's hardware to detect bugs for the rest of the accesses. We implement NanoTag based on the Scudo Hardened Allocator, the default memory allocator on Android since Android 11. Our evaluation results across popular benchmarks and real-world case studies show that NanoTag detects nearly as many memory safety bugs as ASAN while incurring similar run-time overhead to Scudo Hardened Allocator in MTE SYNC mode.
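The precision gap the abstract describes, and the tripwire idea it sketches, can be modelled in a few lines. The following is an added illustration written for this page, not code from the NanoTag paper or from Scudo: it assumes one tag per 16-byte granule and one byte per address, and models a "tripwire" as a flag on the partially used last granule of an allocation so that accesses landing there get a software bounds check against the exact requested size.

```python
"""Toy model of 16-byte MTE tag granules with a NanoTag-style tripwire.

Constructed illustration, not the paper's implementation: addresses are
plain integers, tags live in a side table, and there is no real pointer
tagging. It shows which overflows a pure tag check misses and which the
tripwire's software check catches.
"""
GRANULE = 16


class TaggedHeap:
    def __init__(self, size=256):
        self.granule_tag = [0] * (size // GRANULE)  # hardware tag per granule
        self.ptr_tag = {}      # allocation base -> tag carried by its pointer
        self.alloc_size = {}   # allocation base -> exact requested byte length
        self.tripwire = set()  # granule indices that need byte-level checking
        self.next_base = 0
        self.next_tag = 1

    def malloc(self, n, nanotag=False):
        base = self.next_base
        granules = -(-n // GRANULE)          # round request up to whole granules
        tag = self.next_tag
        self.next_tag = self.next_tag % 15 + 1  # cycle tags 1..15 (0 = untagged)
        for g in range(base // GRANULE, base // GRANULE + granules):
            self.granule_tag[g] = tag
        self.ptr_tag[base] = tag
        self.alloc_size[base] = n
        if nanotag and n % GRANULE:
            # Only a partially used last granule can hide an intra-granule
            # overflow from the tag check, so only it gets a tripwire.
            self.tripwire.add((base + n - 1) // GRANULE)
        self.next_base = base + granules * GRANULE
        return base

    def store(self, base, offset):
        """Classify a one-byte store at base+offset."""
        g = (base + offset) // GRANULE
        if self.granule_tag[g] != self.ptr_tag[base]:
            return "mte-fault"          # hardware tag mismatch, caught by MTE
        if g in self.tripwire:
            # Tripwire hit: fall back to a software check of the exact size.
            return "ok" if offset < self.alloc_size[base] else "nanotag-fault"
        return "ok"                     # tags match, no further checking


def compare(n=20, offsets=(19, 20, 31, 32)):
    """Outcome of stores at each offset: (plain MTE, MTE + tripwire)."""
    plain, nano = TaggedHeap(), TaggedHeap()
    p, q = plain.malloc(n), nano.malloc(n, nanotag=True)
    return {off: (plain.store(p, off), nano.store(q, off)) for off in offsets}
```

For a 20-byte allocation, offsets 20 through 31 sit in the same tagged granule as the object, so the tag check alone reports them as fine; the tripwire's software check flags them, and offset 32 crosses into a differently tagged granule and is caught by the hardware path in both cases.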
Problem

Research questions and friction points this paper is trying to address.

Detects byte-granular memory safety bugs on ARM MTE
Addresses coarse precision limitations of hardware-based detection
Reduces overhead compared to software-based approaches like ASAN
Innovation

Methods, ideas, or system contributions that make the work stand out.

Byte-granular overflow detection with ARM MTE
Tripwire setup for intra-granule buffer overflows
Hardware-software hybrid memory safety approach