New research has detailed a novel way to bypass a security feature built into ARM chips.
A team of cybersecurity researchers from Samsung, Seoul National University, and the Georgia Institute of Technology called the new approach “TIKTAG,” as it works around the Memory Tagging Extension (MTE) tool.
Apparently, the method's success rate is 95% and it runs quickly. The researchers were reportedly successful against both the Linux kernel and Chrome.
High success rate
Memory Tagging Extension (MTE) is a hardware security feature designed to improve memory security by detecting and preventing common types of memory-related errors in software (think buffer overflows, use-after-free and similar).
It was introduced in ARM v8.5-A and is apparently quite relevant for operating systems, browsers and other large applications where memory safety bugs can lead to a data leak.
It works by assigning a small tag to each chunk of memory and carrying a matching tag in the pointer used to access it. By checking that the pointer's tag matches the tag of the memory region being accessed, MTE essentially protects against memory corruption. However, through speculative execution, the researchers managed to leak MTE memory tags, with a pretty good success rate as well.
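To make the tag check concrete, here is a constructed software model of MTE's allocation-tag matching (an added example, not code from the paper, from Arm or from the researchers). It assumes MTE's real parameters, a 4-bit tag per 16-byte granule with the pointer's tag stored in the top address byte, and shows how a one-byte overflow and a use-after-free both trip the check; it does not model the speculative leak the paper describes.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model: one 4-bit tag per 16-byte granule, pointer tag in the
 * top byte of the address. A mismatch returns 0 here instead of faulting. */
#define GRANULE   16
#define NGRANULES 8
#define TAG_SHIFT 56

static uint8_t mem[GRANULE * NGRANULES];   /* modelled memory            */
static uint8_t tags[NGRANULES];            /* allocation tag per granule */

static uint8_t  ptr_tag(uint64_t p)  { return (uint8_t)((p >> TAG_SHIFT) & 0xF); }
static uint64_t ptr_addr(uint64_t p) { return p & ((1ULL << TAG_SHIFT) - 1); }

/* Tag a run of granules and return a pointer carrying the same tag.
 * A real allocator chooses a tag that differs from the neighbouring granules. */
uint64_t mte_alloc(size_t first_granule, size_t ngranules, uint8_t tag) {
    for (size_t i = first_granule; i < first_granule + ngranules; i++)
        tags[i] = tag & 0xF;
    return ((uint64_t)(tag & 0xF) << TAG_SHIFT) | (uint64_t)(first_granule * GRANULE);
}

/* Retag freed granules so a dangling copy of the old pointer no longer
 * matches; this is what makes a use-after-free detectable. */
void mte_free(uint64_t p, size_t ngranules, uint8_t new_tag) {
    size_t first = (size_t)(ptr_addr(p) / GRANULE);
    for (size_t i = first; i < first + ngranules; i++)
        tags[i] = new_tag & 0xF;
}

/* Tag-checked load/store: 1 when the tags match, 0 on a tag-check fault. */
int mte_access(uint64_t p, uint8_t *val, int store) {
    uint64_t a = ptr_addr(p);
    if (a >= sizeof mem) return 0;                  /* outside the model      */
    if (tags[a / GRANULE] != ptr_tag(p)) return 0;  /* tag mismatch -> fault  */
    if (store) mem[a] = *val; else *val = mem[a];
    return 1;
}

/* Walk-through: a 32-byte buffer beside a 16-byte one; write the last
 * in-bounds byte, overflow by one byte, then free and read the buffer again.
 * Returns how many accesses the tag check stopped (expected: 2). */
int demo_faults(void) {
    uint8_t v = 0x41; int faults = 0;
    uint64_t buf = mte_alloc(0, 2, 0x3);        /* granules 0-1, tag 3 */
    (void)mte_alloc(2, 1, 0x7);                 /* neighbour, tag 7    */
    faults += !mte_access(buf + 31, &v, 1);     /* in bounds: allowed   */
    faults += !mte_access(buf + 32, &v, 1);     /* one past end: fault  */
    mte_free(buf, 2, 0xC);
    faults += !mte_access(buf, &v, 0);          /* use-after-free: fault */
    return faults;
}
```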
The team reported its findings to ARM and Google in late 2023 and, according to BleepingComputer, received positive responses but no immediate solutions.
“As allocation tags are not expected to be a secret to software in the address space, a speculative mechanism that reveals the correct value of the tag is not considered a compromise of architectural principles,” ARM said. Google said something similar, stating that the V8 sandbox never guaranteed the confidentiality of memory data and MTE tags.
The research paper suggests a number of mitigations, including modifying the hardware design, inserting speculation barriers, adding padding instructions, and more. The full list is in the paper.