New ARM ‘TIKTAG’ attack impacts Google Chrome, Linux systems

June 16, 2024 at 10:14PM

The TIKTAG attack exploits ARM’s Memory Tagging Extension (MTE) to leak data with over 95% success. Researchers from Samsung, Seoul National University, and Georgia Tech demonstrated the attack against Google Chrome and the Linux kernel. MTE, designed to prevent memory corruption, is susceptible to TIKTAG-v1 and TIKTAG-v2 gadgets. Mitigations are proposed, but immediate fixes are pending.

Key takeaways:

1. A new speculative execution attack named “TIKTAG” has been discovered. It targets ARM’s Memory Tagging Extension (MTE) and has a success rate of over 95%. The attack allows attackers to bypass the security feature and was demonstrated against Google Chrome and the Linux kernel.

2. MTE is a security feature added in the ARM v8.5-A architecture to detect and prevent memory corruption. It uses low-overhead tagging to protect against memory corruption attacks.

3. The researchers found that by using two code gadgets, TIKTAG-v1 and TIKTAG-v2, they can exploit speculative execution to leak MTE memory tags with a high success rate and in a short time.

4. Leaking the MTE tags does not directly expose sensitive data. However, it can allow attackers to undermine the protections provided by MTE, rendering the security system ineffective against stealthy memory corruption attacks.

5. The researchers have proposed mitigations against TIKTAG attacks, including modifying hardware design, inserting speculation barriers, adding padding instructions, and enhancing sandboxing mechanisms.

6. The response from impacted entities, such as ARM and Chrome’s security team, varied. While ARM recognized the seriousness of the situation, it does not consider the issue a compromise of the feature. Chrome’s security team acknowledged the issues but decided not to fix the vulnerabilities, stating that the V8 sandbox is not intended to guarantee the confidentiality of memory data and MTE tags.

7. The MTE oracles in the Pixel 8 device were reported to the Android security team and were acknowledged as a hardware flaw qualifying for a bounty reward.
