Researchers Warn of Arm Memory Tagging Extension (MTE) Bypass, Vulnerabilities in the Google Pixel 8



Researchers from Seoul National University, working with colleagues at the Georgia Institute of Technology and Samsung Research, have warned of a vulnerability that lets attackers break the security provided by Arm’s Memory Tagging Extension (MTE) — rendering its protection effectively close to zero in real-world testing.

“Arm Memory Tagging Extension (MTE) is a new hardware feature introduced in [the] ARMv8.5-A architecture, aiming to detect memory corruption vulnerabilities,” the researchers explain. “The low overhead of MTE makes it an attractive solution to mitigate memory corruption attacks in modern software systems and is considered the most promising path forward for improving C/C++ software security.”

Memory tagging was originally developed as a tool to be able to more easily debug modern processors, but has since been adopted as a means of protecting against memory corruption, accidental or deliberate. It has the advantage of being compatible with existing software, seeming able to provide similar protection to rewriting projects in a memory-safe language such as Rust — but, unfortunately, that protection appears to be illusory.

“This paper identifies new TikTag gadgets capable of leaking the MTE tags from arbitrary memory addresses through speculative execution,” the researchers explain of their work, which leverages the same core attack surface as infamous speculative execution vulnerabilities like Spectre. “With TikTag gadgets, attackers can bypass the probabilistic defense of MTE, increasing the attack success rate by close to 100%.”

That's not a theoretical claim, either: the researchers claim to have proven the attack against the Google Chrome browser and the Linux kernel, both running on a Google Pixel 8 smartphone. “Experimental results show that TikTag gadgets can successfully leak an MTE tag with a success rate higher than 95%,” the team concludes, “in less than 4 seconds.”

The researchers have proposed a series of mitigations that could reduce the attack’s efficacy, including the introduction of speculation barriers in the Linux kernel, an analysis of the source code and compiled binaries to detect and prevent the construction of TikTag gadgets, and the use of speculation barriers and a speculative execution-aware sandbox in the browser.

The team’s work has been published on Cornell’s arXiv preprint server. Arm has been notified of the team’s findings, while Google has acknowledged that the failings of MTE on the Pixel 8 represent a confirmed hardware flaw — but also that it has no plans to patch Google Chrome against the attack, “because,” the researchers relay, “the [Chrome] V8 sandbox is not intended to guarantee the confidentiality of memory data and MTE tags.”

