Arm Memory Tag Extensions broken by speculative execution

In 2018, chip designer Arm introduced a hardware security feature called Memory Tagging Extensions (MTE) as a defense against memory safety bugs. But it may not be as effective as first hoped.

Implemented and supported last year in Google’s Pixel 8 and Pixel 8 Pro phones and previously in Linux, MTE aims to help detect memory safety violations, as well as hardening devices against attacks that attempt to exploit memory safety flaws.

[…]

MTE works by tagging blocks of physical memory with metadata. This metadata serves as a key that permits access. When a pointer references data within a tagged block of memory, the hardware checks to make sure the pointer contains a key matching that of the memory block to gain access to the data. A mismatch throws out an error.

Tag, you’re IT

Diving deeper, when MTE is active, programs can use special instructions to tag 16-byte blocks of physical memory with a 4-bit key. For example, when allocating a chunk of memory from the heap, that chunk (aligned and rounded to 16 bytes) can be tagged with the same 4-bit key, and a pointer to that chunk is generated containing the key in its upper unused bits.

When the program uses that pointer in future, referencing some part of the block, everything works fine. The pointer still contains the correct key. But if the block is freed and its key is changed, subsequent use of that stale pointer will trigger a fault by the processor, due to a mismatching key, which indicates a programming bug or a vulnerability exploit attempt, both of which you want to catch.

And if the program is hijacked via some other vulnerability, and the code is made to reference a tagged block without the right key in the pointer, that will also be caught.

[…]

Unfortunately, MTE appears to be insufficiently secure to fulfill its security promises. Researchers affiliated with Seoul National University in South Korea, Samsung Research, and Georgia Institute of Technology in the US have found that they can break MTE through speculative execution.

The authors – Juhee Kim, Jinbum Park, Sihyeon Roh, Jaeyoung Chung, Youngjoo Lee, Taesoo Kim, and Byoungyoung Lee – say as much in their research paper, “TikTag: Breaking Arm’s Memory Tagging Extension with Speculative Execution.”

Having looked at MTE to assess whether it provides the claimed security benefit, the boffins say it does not. Instead, they found they could extract MTE tags in under four seconds around 95 per cent of the time.

“[W]e found that speculative execution attacks are indeed possible against MTE, which severely harms the security assurance of MTE,” the authors report. “We discovered two new gadgets, named TIKTAG-v1 and TIKTAG-v2, which can leak the MTE tag of an arbitrary memory address.”

[…]

The authors say that their research expands on prior work from May 2024 that found MTE vulnerable to speculative probing. What’s more, they contend their findings challenge work by Google’s Project Zero that found no side-channel attack capable of breaking MTE.

Using proof-of-concept code, MTE tags were ferreted out of Google Chrome on Android and the Linux kernel using this technique, with a success rate that exceeded 95 percent in less than four seconds, it’s claimed.

The authors have made their code available on GitHub. “When TikTag gadgets are speculatively executed, cache state differs depending on whether the gadgets trigger a tag check fault or not,” the code repo explains. “Therefore, by observing the cache states, it is possible to leak the tag check results without raising any exceptions.”

Access to leaked tags doesn’t ensure exploitation. It simply means that an attacker capable of exploiting a particular memory bug on an affected device wouldn’t be thwarted by MTE.

The researchers disclosed their findings to Arm, which acknowledged them in a developer note published in December 2023. The chip design firm said that timing differences in successful and failed tag checking can be enough to create an MTE speculative oracle – a mechanism to reveal MTE tags – in Cortex-X2, Cortex-X3, Cortex-A510, Cortex-A520, Cortex-A710, Cortex-A715, and Cortex-A720 processors.

[…]

Source: Arm Memory Tag Extensions broken by speculative execution • The Register

Robin Edgar

Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft

 robin@edgarbv.com  https://www.edgarbv.com