Recently, a team of Korean researchers from Samsung, Seoul National University, and Georgia Institute of Technology have tested a new speculative execution attack called TIKTAG. Quite surprisingly, this specially designed attack targets ARM’s Memory Tagging Extension allowing data leakage with a success rate higher than 95%. The practical implications of this discovery are significant as it enables hackers to bypass key protection mechanisms against memory corruption.
Understanding ARM’s memory tagging extension
Integrated as a base option with the ARM v8. Specifically, 5-A architecture, MTE is an enhancement in dealing with the memory corruption problem, which is one of the biggest categories of security issues. Lower overhead tagging is used in MTE with tags in the size of four bits allocated to 16-byte memory blocks. This mechanism helps in ascertaining that the pointer attached to a tag asserts to the tag of the memory region being accessed hence reducing cases of unauthorized memory access and abuse.
MTE, as indicated earlier, exists in three categories namely; synchronous, asynchronous as well as asymmetric and each comes with balanced type of security and performance. Still, the TIKTAG attack highlights system vulnerabilities, showing even top-level protection can be defeated.
The researchers observed two main programs with high efficiency and speed, including TIKTAG-v1 and TIKTAG-v2, which targeted speculation execution to leak MTE memory tags.
TIKTAG-v1: branch prediction and data prefetching
The features used in TIKTAG-v1 include the speculation shrinkage in branch prediction and the data prefetching of the CPU. This gadget has been resistive to the Linux kernel especially in the functions that involve memory speculations. Malicious code alters kernel pointers and uses cache side channels through system call function calls; they then access and measure the states of a cache to obtain memory tags.
TIKTAG-v2: store-to-load forwarding
TIKTAG-v2 focuses on the store-to-load forwarding in timing speculation of the processor. The first step is storing the value to a memory address and loading it from the same address simultaneously. The value is passed to the next tag, successfully loading and changing the shared cache state. On the other hand, a mismatch prevents the forwarding, the cache state remains in the same state. If attackers examine cache state after speculative execution, they can deduce tag check outcome.
TIKTAG-v2 was proved to be effective against the target vulnerable process – the Google Chrome browser, with an emphasis on the parts including the V8 JavaScript engine: the exploitation of memory corruption vulnerabilities in the renderer process has been shown here in this paper as well.
Implications and industry response
The leakage of MTE tags is not tied to the leakage of passwords, encryption keys, etc. However, it effectively weakens the security that MTE claims to offer. Therefore, enabling memory corruption attacks that are surreptitious in nature. The field research ended in November and December 2023, with the team submitting findings to the entities. While the general reception has been quite positive, there were no quick Band-Aids immediately applied.
In a technical paper deposited on a repository known as arxiv.org, the researchers suggested several mitigations to counter TIKTAG attacks. First, do not allow speculation to modify cache states after the tag check is done. Second, enclosing speculation barriers (‘sb’ or ‘isb’ instructions) helps prevent executing sensitive memory procedures. Third, pad for additional time between branch instructions and memory accesses with padding instructions. Finally, enhance the sandboxing strategies to limit the constructiveness proactively of AMAs in sensible memory spaces as securely as possible.
ARM and Chrome’s responses
ARM understood that the TIKTAG attack was very strong and then pointed out that it is still safe to disclose the tags for allocation at the architecture level using speculative methods. Their bulletin stressed that allocation tags are not covert in the address space.
On the other hand, Google Chrome’s security team pointed out these issues but chose not to fix them and noted that the V8 sandbox does not keep memory data and MTE tags secret. Also, as of now, Chrome does not have MTE-based defenses enabled, so fixing the bugs is not urgent.
Although the Pixel 8 device MTE oracles mechanism was later disclosed to the Google Android security team in April 2024 and confirmed as a hardware issue that qualified for a bounty. The attacks could not have been possible without exploitation of the Pixel 8 device’s boot and recovery images.