New research has detailed a novel way to bypass a security feature built into ARM chips.
A team of cybersecurity researchers from Samsung, Seoul National University, and the Georgia Institute of Technology named the new approach “TIKTAG”, as it works around the Memory Tagging Extension (MTE) feature.
The method reportedly has a 95% success rate and works quickly; the researchers say it succeeded against both the Linux kernel and Chrome.
High success rate
Memory Tagging Extension (MTE) is a hardware security feature designed to improve memory safety by detecting and preventing common types of memory-related errors in software (think buffer overflows, use-after-free, and similar).
It was introduced in ARM v8.5-A, and is apparently quite relevant for operating systems, browsers, and other large applications where memory safety bugs can result in data leakage.
It works by assigning small tags to chunks of memory; on each access, the tag carried in the pointer must match the tag of the memory region it points to, so a mismatched access is caught and MTE blocks the memory corruption. However, through speculative execution, the researchers managed to leak MTE memory tags, and with a high success rate.
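The tagging and checking described above, as an added educational model in C (not Arm's hardware, nor the researchers' code): the tag is kept in pointer bits 56..59, memory is coloured per 16-byte granule, and a store is allowed only when both tags match. As a labelled simplification, tags are cycled rather than chosen randomly, so neighbouring allocations always differ, and freed memory is retagged to 0.

```c
#include <stddef.h>
#include <stdint.h>
/* Educational model of MTE (not Arm's implementation): each 16-byte granule carries a 4-bit
 * allocation tag, each pointer carries a 4-bit tag in bits 56..59, and they must match on access. */
#define GRANULE   16
#define HEAP_SIZE 256
#define TAG_SHIFT 56
static uint8_t heap[HEAP_SIZE];                  /* simulated memory */
static uint8_t granule_tag[HEAP_SIZE / GRANULE]; /* allocation tag per granule */
static size_t  next_free;                        /* bump-allocator cursor */
static uint8_t next_tag = 1;                     /* simplification: tags cycle 1..15, 0 = free */
static uint64_t make_ptr(uint64_t off, uint8_t tag) { return off | ((uint64_t)tag << TAG_SHIFT); }
static uint8_t  ptr_tag(uint64_t p) { return (uint8_t)((p >> TAG_SHIFT) & 0xF); }
static uint64_t ptr_off(uint64_t p) { return p & ((1ULL << TAG_SHIFT) - 1); }
/* Allocate n bytes: colour the covering granules with a fresh tag, return a tagged pointer. */
uint64_t mte_alloc(size_t n) {
    size_t granules = (n + GRANULE - 1) / GRANULE, off = next_free;
    if (off + granules * GRANULE > HEAP_SIZE) return 0;
    uint8_t tag = next_tag;
    next_tag = (uint8_t)(next_tag % 15 + 1);
    for (size_t g = 0; g < granules; g++) granule_tag[off / GRANULE + g] = tag;
    next_free = off + granules * GRANULE;
    return make_ptr(off, tag);
}
/* Free: retag the granules so a dangling pointer (still carrying the old tag) stops matching. */
void mte_free(uint64_t p, size_t n) {
    for (size_t g = 0; g < (n + GRANULE - 1) / GRANULE; g++)
        granule_tag[ptr_off(p) / GRANULE + g] = 0;
}
/* Store one byte through a tagged pointer: 1 if the tag check passes, 0 on a tag fault. */
int mte_store(uint64_t p, uint8_t v) {
    uint64_t off = ptr_off(p);
    if (off >= HEAP_SIZE || granule_tag[off / GRANULE] != ptr_tag(p)) return 0;
    heap[off] = v;
    return 1;
}

/* Linear overflow: byte 15 of a 16-byte buffer is fine, byte 16 lands in the neighbour's granule. */
int demo_linear_overflow(void) {
    uint64_t a = mte_alloc(16), b = mte_alloc(16); (void)b; /* neighbour owns the next granule */
    return mte_store(a + 15, 0x41) == 1 && mte_store(a + 16, 0x41) == 0;
}

/* Use-after-free: memory was retagged on free, so the stale pointer's tag no longer matches. */
int demo_use_after_free(void) {
    uint64_t a = mte_alloc(32);
    mte_free(a, 32);
    return mte_store(a, 0x41) == 0;
}
```

Real MTE allocators pick tags randomly, so a wrong-tag access is caught unless the tags happen to coincide (1 chance in 16 for a 4-bit tag); that residual randomness is what a tag leak like the one described above removes.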
The team reported their findings to ARM and Google in late 2023 and, according to BleepingComputer, received positive responses but no immediate fixes.
"As Allocation Tags are not expected to be a secret to software in the address space, a speculative mechanism that reveals the correct tag value is not considered a compromise of the principles of the architecture," ARM said. Google said something in a similar vein, stating that the V8 sandbox never guaranteed the confidentiality of memory data and MTE tags.
The research paper suggests a series of mitigations, including changes to the hardware design, inserting speculation barriers, adding padding instructions, and more; the full list is in the paper.