A newly identified speculative execution attack named "TIKTAG" exploits ARM's Memory Tagging Extension (MTE) to leak data with a success rate exceeding 95%, allowing hackers to circumvent this security feature.
This discovery was detailed in a paper by researchers from Samsung, Seoul National University, and the Georgia Institute of Technology. They demonstrated the attack on Google Chrome and the Linux kernel.
MTE, introduced in ARM v8.5-A architecture and subsequent versions, aims to detect and prevent memory corruption. It utilizes low-overhead tagging by assigning 4-bit tags to 16-byte memory chunks to ensure that the tag in the pointer matches the accessed memory region.
MTE operates in three modes: synchronous, asynchronous, and asymmetric, to balance security and performance.
The researchers identified two gadgets, TIKTAG-v1 and TIKTAG-v2, which leverage speculative execution to leak MTE memory tags efficiently. While leaking these tags doesn't directly reveal sensitive information such as passwords or encryption keys, it can potentially weaken MTE's defenses, making systems vulnerable to covert memory corruption attacks.
TIKTAG-v1 exploits CPU behaviors such as branch prediction and data prefetching to leak MTE tags, particularly affecting the Linux kernel functions involving speculative memory accesses, though kernel pointer manipulation is necessary.
The attack involves using system calls to trigger the speculative execution path and measuring cache states to infer memory tags.
TIKTAG-v2 exploits speculative execution's store-to-load forwarding, where a value stored to a memory address is immediately loaded from the same address. If the tags match, the value is forwarded, altering the cache state; if not, forwarding is blocked, leaving the cache state unchanged.
By probing the cache state post-speculative execution, attackers can deduce the tag check results.
The effectiveness of TIKTAG-v2 was demonstrated against the Google Chrome browser's V8 JavaScript engine, potentially exposing memory corruption vulnerabilities in the renderer process.
The researchers reported their findings to the affected parties between November and December 2023, receiving generally positive feedback but no immediate fixes. Their technical paper on arxiv.org suggests several mitigations:
1. Modify hardware design to prevent speculative execution from altering cache states based on tag check results.
2. Insert speculation barriers (e.g., sb or isb instructions) to block speculative execution of critical memory operations.
3. Add padding instructions to extend the execution window between branch instructions and memory accesses.
4. Enhance sandboxing mechanisms to strictly limit speculative memory access paths within safe memory regions.
ARM acknowledged the seriousness of the situation but did not view it as a compromise of the feature, noting that allocation tags are not intended to be secrets within the address space.
Chrome's security team recognized the issues but chose not to address the vulnerabilities, citing that the V8 sandbox is not designed to ensure the confidentiality of memory data and MTE tags. Additionally, Chrome does not currently enable MTE-based defenses by default, making it a lower priority for immediate fixes.
The MTE vulnerabilities in the Pixel 8 device were reported to the Android security team in April 2024 and were acknowledged as a hardware flaw qualifying for a bounty reward.
