June 18, 2024 at 12:36PM
Researchers have uncovered a new speculative execution attack targeting Arm CPUs’ Memory Tagging Extension (MTE), bypassing security measures. The attack, discovered by a team from Seoul National University, Samsung Research, and Georgia Tech, allows exploitation of memory corruption vulnerabilities for various malicious purposes. The researchers demonstrated its success against Chrome and Linux, releasing their TikTag gadgets to aid understanding of MTE side-channel issues. Arm has provided insight and perspective on MTE’s capabilities.
The meeting notes describe a newly disclosed speculative execution attack targeting the Memory Tagging Extension (MTE), a hardware security feature present in Arm CPUs. The attack method was discovered by a team of researchers representing several institutions and was successfully demonstrated against the Chrome web browser and the Linux kernel. The researchers have open-sourced their findings to help others understand MTE side-channel issues.
In response to this research, Arm has clarified that while MTE provides some defenses against specific classes of exploits, it is not designed to be a full solution against an interactive adversary. Arm also emphasized that the speculative mechanism revealing the correct tag value is not considered a compromise of the architectural principles.
Additionally, the notes point to related items: warnings from Arm regarding an exploited kernel driver vulnerability, the future vulnerability of Intel, AMD, and Arm CPUs to a new ‘SLAM’ attack, and the patching of an exploited Arm GPU vulnerability in Android’s June 2023 security update.