Chrome, Linux systems hit by ARM ‘TIKTAG’ cyberattack

June 18, 2024




Article Summary

TLDR:

  • ARM’s Memory Tagging Extension (MTE) aims to mitigate memory corruption attacks
  • Researchers found speculative execution attacks can leak MTE tags via TIKTAG gadgets

Security researchers have discovered a new ARM ‘TIKTAG’ attack that impacts Google Chrome and Linux systems. The attack targets systems that use the Memory Tagging Extension (MTE), which assigns random tags to memory allocations and checks the tag on every memory access. The researchers identified speculative execution attacks that can leak MTE tags through TIKTAG gadgets, which exploit branch prediction, prefetchers, and store-to-load forwarding. Real-world attacks were developed against Chrome and the Linux kernel, showing over 95% success in less than 4 seconds. The findings highlight the need to consider speculative execution vulnerabilities when designing MTE mitigations. This information has been reported to ARM, Google, and Android for further action.

Key Points:

  • Attack targets systems with Memory Tagging Extension (MTE)
  • Real-world attacks show over 95% success rate in less than 4 seconds

Security analysts have proposed various mitigations to address these attacks, such as hardware changes to separate microarchitectural behaviors from tag checks, speculation barriers, and avoiding gadget patterns. As MTE adoption grows, understanding these issues is crucial for secure deployment. The TIKTAG attack underscores the importance of considering speculative execution in creating hardware-enforced security mechanisms.

