ARM’s Memory Tagging Extension, designed to stop memory corruption, can be bypassed via speculative execution. New TIKTAG gadgets leak memory tags with over 95%

A Promising ARM Security Feature Isn’t as Bulletproof as It Looks

2025/12/23 11:17
7 min read

:::info Authors:

  1. Juhee Kim
  2. Jinbum Park
  3. Sihyeon Roh
  4. Jaeyoung Chung
  5. Youngjoo Lee
  6. Taesoo Kim
  7. Byoungyoung Lee

:::

Abstract

1. Introduction

2. Background

  • Memory Tagging Extension
  • Speculative Execution Attack

3. Threat Model

4. Finding Tag Leakage Gadgets

  • Tag Leakage Template
  • Tag Leakage Fuzzing

5. TIKTAG Gadgets

  • TIKTAG-v1: Exploiting Speculation Shrinkage
  • TIKTAG-v2: Exploiting Store-to-Load Forwarding

6. Real-World Attacks

6.1. Attacking Chrome

7. Evaluation

8. Related work

9. Conclusion And References

Abstract

ARM Memory Tagging Extension (MTE) is a new hardware feature introduced in ARMv8.5-A architecture, aiming to detect memory corruption vulnerabilities. The low overhead of MTE makes it an attractive solution to mitigate memory corruption attacks in modern software systems and is considered the most promising path forward for improving C/C++ software security. This paper explores the potential security risks posed by speculative execution attacks against MTE.

Specifically, this paper identifies new TIKTAG gadgets capable of leaking the MTE tags from arbitrary memory addresses through speculative execution. With TIKTAG gadgets, attackers can bypass the probabilistic defense of MTE, increasing the attack success rate by close to 100%. We demonstrate that TIKTAG gadgets can be used to bypass MTE-based mitigations in real-world systems, Google Chrome and the Linux kernel.

Experimental results show that TIKTAG gadgets can successfully leak an MTE tag with a success rate higher than 95% in less than 4 seconds. We further propose new defense mechanisms to mitigate the security risks posed by TIKTAG gadgets.

Introduction

Memory corruption vulnerabilities present significant security threats to computing systems. Exploiting a memory corruption vulnerability, an attacker corrupts the data stored in a memory, hijacking the control flow or crafting the data of the victim. Such exploitation allows the attacker to execute arbitrary code, escalate its privilege, or leak security-sensitive data, critically harming the security of the computing system.

In response to these threats, ARM Memory Tagging Extension (MTE) has recently been introduced with the ARMv8.5-A architecture as a new hardware extension to mitigate memory corruption attacks. Technically, MTE provides two hardware primitive operations, (i) tag and (ii) tag check. A tag operation assigns a tag to a memory location (i.e., a 4-bit tag to each 16-byte memory granule).

Then a tag check operation is performed when accessing the memory, which compares two tags, one embedded within the pointer used to access the memory and the other associated with the memory location to be accessed. If these two tags are the same, the access is allowed. Otherwise, the CPU raises a fault.

Using MTE, various mitigation techniques can be developed depending on which tag is assigned or which memory regions are tagged. For instance, MTE-supported memory allocators, such as Android Scudo [3] and Chrome PartitionAlloc [2], assign a random tag to all dynamically allocated memory. Specifically, the memory allocator is modified to assign a random tag for each allocation.

Then, a pointer to this allocated memory embeds the tag, and as the pointer is propagated, the tag is propagated together with it. Whenever dynamically allocated memory is accessed, a tag check operation is enforced. As the tags are randomly assigned at runtime, it is difficult for the attacker to correctly guess the tag. Thus the tag check operation statistically detects memory corruptions.
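The tag and tag-check primitives and the random-tag allocator scheme described above, as an added example in C that is not from the paper or its repository. The model is assumed, not taken from any real allocator: a flat 4 KiB memory, a 4-bit tag per 16-byte granule, the logical tag in pointer bits [59:56] (where MTE carries it), and a fixed-seed xorshift32 generator; tag_collision_rate shows why the defense is probabilistic, since an overflow into a neighbouring chunk goes unnoticed only when two independently drawn tags collide (about 1/16 of the time), which is exactly the uncertainty a leaked tag removes.

```c
#include <stdint.h>
#include <stddef.h>
/* Software model of the two MTE primitives described above (added example,
 * not the paper's code). Assumed model: flat 4 KiB memory, one 4-bit
 * allocation tag per 16-byte granule, logical tag in pointer bits [59:56]. */
enum { MEM_SIZE = 4096, GRANULE = 16, TAG_SHIFT = 56 };
#define TAG_MASK  0xFULL
#define ADDR_MASK (~(TAG_MASK << TAG_SHIFT))
static uint8_t granule_tag[MEM_SIZE / GRANULE]; /* allocation tags, all 0 at start */
/* (i) tag operation: assign `tag` to every granule covering [addr, addr+size) */
void mte_tag(uint64_t addr, size_t size, uint8_t tag) {
    for (uint64_t a = addr - addr % GRANULE; a < addr + size && a < MEM_SIZE; a += GRANULE)
        granule_tag[a / GRANULE] = tag & TAG_MASK;
}
/* embed a logical tag in a pointer; it travels with every copy of the pointer */
uint64_t mte_make_ptr(uint64_t addr, uint8_t tag) {
    return (addr & ADDR_MASK) | ((uint64_t)(tag & TAG_MASK) << TAG_SHIFT);
}
uint8_t mte_ptr_tag(uint64_t ptr) { return (ptr >> TAG_SHIFT) & TAG_MASK; }
/* (ii) tag check on access: 1 = access allowed, 0 = mismatch, i.e. the CPU faults */
int mte_check(uint64_t ptr) {
    uint64_t addr = ptr & ADDR_MASK;
    if (addr >= MEM_SIZE) return 0;
    return mte_ptr_tag(ptr) == granule_tag[addr / GRANULE];
}
/* Random-tag bump allocator in the style the text attributes to Scudo and
 * PartitionAlloc: each allocation gets a fresh random tag and the returned
 * pointer carries it. xorshift32 with a fixed seed keeps runs reproducible. */
static uint64_t next_addr = 0;
static uint32_t rng = 0x9E3779B9u;
uint8_t rand_tag(void) {
    rng ^= rng << 13; rng ^= rng >> 17; rng ^= rng << 5;
    return rng & TAG_MASK;
}
uint64_t sim_malloc(size_t size) {
    size_t n = (size + GRANULE - 1) / GRANULE * GRANULE; /* round up to whole granules */
    uint8_t tag = rand_tag();
    mte_tag(next_addr, n, tag);
    next_addr += n;
    return mte_make_ptr(next_addr - n, tag);
}
/* Why the defense is probabilistic: an out-of-bounds access from chunk A into
 * its neighbour B still carries A's tag, so it passes only when the two
 * independently drawn tags collide. The observed fraction approaches 1/16. */
double tag_collision_rate(int trials) {
    int hits = 0;
    for (int i = 0; i < trials; i++) hits += rand_tag() == rand_tag();
    return (double)hits / trials;
}
```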

MTE introduces significant challenges for attackers to exploit the memory corruption vulnerability. This is because MTE-based solutions detect a violation behavior close to the root cause of spatial and temporal memory corruptions. Specifically, since MTE ensures that the relationship between a pointer and a memory location is not corrupted, it promptly detects the corruptions—i.e., MTE promptly detects the moment when out-of-bounds access takes place in a heap-overflow vulnerability or when a dangling pointer is dereferenced in use-after-free.

This offers strong security advantages to MTE, particularly compared to popular mitigation techniques such as CFI [6, 52, 62], which does not detect memory corruption but detects control-flow hijack behavior (i.e., an exploitation behavior). For these reasons, MTE is considered the most promising path forward for improving C/C++ software security by many security experts [11, 47], since its first adoption with the Pixel 8 device in October 2023.

In this paper, we study whether MTE provides the security assurance it promises. In particular, we analyzed whether speculative execution attacks pose a security threat capable of breaking MTE. To summarize our results, we found that speculative execution attacks are indeed possible against MTE, which severely harms the security assurance of MTE. We discovered two new gadgets, named TIKTAG-v1 and TIKTAG-v2, which can leak the MTE tag of an arbitrary memory address.

Specifically, TIKTAG-v1 exploits the speculation shrinkage of the branch prediction and data prefetchers, and TIKTAG-v2 exploits the store-to-load forwarding behavior. To demonstrate the exploitability of real-world MTE-based mitigations, we developed two real-world attacks with distinctive attack surfaces: Google Chrome and the Linux kernel. Our evaluation results show that TIKTAG gadgets can leak MTE tags with a success rate higher than 95% in less than 4 seconds.

We further propose mitigation schemes to prevent the exploitation of TIKTAG gadgets while retaining the benefits of using MTE. Compared to the previous works on MTE side channels [22, 38], we think this paper makes unique contributions for the following reasons. First, Project Zero at Google reported that they were not able to find speculative tag leakage from the MTE mechanisms [38]. They concluded that speculative MTE check results do not induce distinguishable cache state differences between tag check success and failure.

In contrast, we found that tag checks do generate a cache state difference in speculative execution. Another independent work, StickyTags [22], discovered an MTE tag leakage gadget, which is one example of the TIKTAG-v1 gadget, and suspected that the root cause is memory contention on spurious tag check faults. On the contrary, this paper performed an in-depth analysis, which identified that the speculation shrinkage in branch prediction and data prefetchers is the root cause of the TIKTAG-v1 gadget.

This paper additionally reports new MTE tag leakage gadgets, specifically the variants of the TIKTAG-v1 gadget and the new TIKTAG-v2 gadget, along with exploits against Chrome and the Linux kernel. Furthermore, this paper proposes new defense mechanisms to prevent TIKTAG gadgets from leaking MTE tags, both at the hardware and software levels. At the time of writing, MTE is still in the early stages of adoption.

Considering its strong security advantage, a large number of MTE-based mitigations (e.g., sensitive data protection [29, 31] and data-flow integrity [13, 40, 60]) are expected to be deployed in the near future on MTE-supporting devices (e.g., Android mobile phones).

As such, the results of this paper, particularly in how TIKTAG gadgets are constructed and how MTE tags can be leaked, shed light on how MTE-based solutions should be designed and how CPUs should be implemented at the microarchitectural level. We have open-sourced TIKTAG gadgets at https://github.com/compsec-snu/tiktag to help the community understand the MTE side-channel issues.

==Responsible Disclosure.== We reported MTE tag leakage gadgets to ARM in November 2023. ARM acknowledged and publicly disclosed the issue in December 2023 [34]. Another research group reported a similar issue to ARM and published their findings [22], which were conducted independently from our work.

We reported the speculative vulnerabilities in Google Chrome V8 to the Chrome Security Team in December 2023. They acknowledged the issues but decided not to fix the vulnerabilities because the V8 sandbox is not intended to guarantee the confidentiality of memory data and MTE tags. Since the Chrome browser currently does not enable its MTE-based defense by default, we agree with their decision to some extent.

However, we think that browser security can be improved if MTE-based defenses are deployed with the countermeasures we suggest (§6.1.4). We also reported the MTE oracles in the Pixel 8 device to the Android Security Team in April 2024. The Android Security Team acknowledged the issue as a hardware flaw of the Pixel 8, decided to address the issue in Android’s MTE-based defense, and awarded a bounty reward for the report.

:::info This paper is available on arxiv under CC 4.0 license.

:::
