ARM’s Memory Tagging Extension improves memory safety by detecting corruption at runtime, but speculative execution attacks may still leak sensitive data by bypassing

ARM’s Memory Safety Tech Isn’t Bulletproof Against Speculative Execution

Abstract

1. Introduction

2. Background

  • Memory Tagging Extension
  • Speculative Execution Attack

3. Threat Model

4. Finding Tag Leakage Gadgets

  • Tag Leakage Template
  • Tag Leakage Fuzzing

5. TIKTAG Gadgets

  • TIKTAG-v1: Exploiting Speculation Shrinkage
  • TIKTAG-v2: Exploiting Store-to-Load Forwarding

6. Real-World Attacks

6.1. Attacking Chrome

7. Evaluation

8. Related work

9. Conclusion And References


Background

2.1. Memory Tagging Extension

Memory Tagging Extension (MTE) [5] is a hardware extension to prevent memory corruption attacks, available since the ARMv8.5-A architecture. MTE has been adopted by the Pixel 8 [39] since October 2023. MTE assigns a 4-bit tag to each 16 bytes of memory and stores the tag in the unused upper bits of a pointer. During memory access, the tag in the pointer is checked against the tag assigned to the memory region. If the tags match, access is permitted; otherwise, the CPU raises a tag check fault (TCF). MTE offers three modes—synchronous, asynchronous, and asymmetric—to balance performance and security.

Synchronous mode provides the strongest security guarantee: the tag check fault is raised synchronously at the faulting load/store instruction. Asynchronous mode offers the best performance: the tag check fault is raised asynchronously at context switches. Asymmetric mode strikes a balance between performance and security, with load instructions operating in synchronous mode and store instructions in asynchronous mode. Based on MTE, various mitigation schemes can be developed. Deterministic tagging assigns a globally known tag to each allocation.

This approach can deterministically isolate memory regions [32] or detect bounded spatial memory corruptions [22]. Random tagging, on the other hand, assigns a random tag generated at allocation time. This approach probabilistically prevents spatial and temporal memory errors at per-allocation granularity, with a maximum detection rate of 15/16 (i.e., a 1/16 chance of tag collision).

Unlike deterministic tagging, random tagging does not reveal the tag information to attackers, requiring them to guess the tag to exploit memory corruption vulnerabilities. Consequently, random tagging is commonly adopted in real-world allocators (e.g., Android Scudo allocator [3], Chrome PartitionAlloc [2]) and Linux Hardware Tag-Based KASAN [26].
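The following is a software model of the tagging and checking rules described in §2.1, added here as an example; it is not code from the paper or from any MTE-enabled allocator. It models the 16-byte granule, the 4-bit allocation tag, the pointer tag kept in the upper address bits, and the check performed on every load and store, and it measures the 15/16 detection rate of random tagging by repeatedly overflowing from one allocation into its neighbour. The modelled memory size, the bump allocator, the xorshift PRNG and the error codes standing in for a hardware tag check fault are assumptions of the model.

```c
/* Software model of MTE tag checking (added example, not the paper's code).
 * Models: 16-byte tag granules, 4-bit allocation tags, the pointer tag in
 * address bits [59:56], and a tag check on every load/store. Real hardware
 * raises a tag check fault (TCF); this model returns an error code instead.
 * Memory size, allocator and PRNG below are assumptions of the model. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GRANULE        16u
#define MEM_SIZE       4096u
#define NGRANULES      (MEM_SIZE / GRANULE)
#define TAG_SHIFT      56
#define TAG_MASK       0xFULL
#define MTE_ALLOC_FAIL UINT64_MAX

static uint8_t  mem[MEM_SIZE];            /* modelled data memory                   */
static uint8_t  granule_tag[NGRANULES];   /* allocation tag of each 16-byte granule */
static uint64_t next_free = 0;            /* bump allocator cursor (constructed)    */
static uint64_t prng_state = 0x9E3779B97F4A7C15ULL;

/* Deterministic xorshift64 so the detection-rate simulation is reproducible. */
static uint64_t prng_next(void) {
    uint64_t x = prng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return prng_state = x;
}

/* Build a tagged pointer: low bits are the offset into mem, bits [59:56] the tag. */
static uint64_t tag_pointer(uint64_t offset, unsigned tag) {
    return (offset & ~(TAG_MASK << TAG_SHIFT)) | ((uint64_t)(tag & TAG_MASK) << TAG_SHIFT);
}
static unsigned pointer_tag(uint64_t p)  { return (unsigned)((p >> TAG_SHIFT) & TAG_MASK); }
static uint64_t pointer_addr(uint64_t p) { return p & ~(TAG_MASK << TAG_SHIFT); }

/* Tag every granule covering [offset, offset+size) with the allocation tag. */
static void set_tags(uint64_t offset, size_t size, unsigned tag) {
    size_t first = offset / GRANULE, last = (offset + size + GRANULE - 1) / GRANULE;
    for (size_t g = first; g < last && g < NGRANULES; g++) granule_tag[g] = tag & TAG_MASK;
}

/* Tag-checked load/store: 0 = ok, -1 = tag mismatch (TCF), -2 = outside modelled memory. */
static int checked_load(uint64_t p, uint8_t *out) {
    uint64_t a = pointer_addr(p);
    if (a >= MEM_SIZE) return -2;
    if (granule_tag[a / GRANULE] != pointer_tag(p)) return -1;
    *out = mem[a];
    return 0;
}
static int checked_store(uint64_t p, uint8_t v) {
    uint64_t a = pointer_addr(p);
    if (a >= MEM_SIZE) return -2;
    if (granule_tag[a / GRANULE] != pointer_tag(p)) return -1;
    mem[a] = v;
    return 0;
}

/* Random-tagging allocator: each allocation gets a fresh random 4-bit tag. */
static uint64_t mte_alloc(size_t size) {
    size_t rounded = (size + GRANULE - 1) / GRANULE * GRANULE;
    if (next_free + rounded > MEM_SIZE) return MTE_ALLOC_FAIL;
    unsigned tag = (unsigned)((prng_next() >> 32) & TAG_MASK);
    set_tags(next_free, rounded, tag);
    uint64_t p = tag_pointer(next_free, tag);
    next_free += rounded;
    return p;
}

/* Detection rate of random tagging: allocate two adjacent objects and access the
 * second through the first one's pointer (a linear overflow). The access goes
 * undetected only when the two random tags collide, i.e. about 1 in 16 trials. */
static unsigned count_undetected_overflows(unsigned trials, uint64_t seed) {
    prng_state = seed ? seed : 1;         /* xorshift must not start from zero */
    unsigned undetected = 0;
    for (unsigned i = 0; i < trials; i++) {
        next_free = 0;                    /* reuse the arena for each trial */
        uint64_t a = mte_alloc(GRANULE), b = mte_alloc(GRANULE);
        uint64_t oob = tag_pointer(pointer_addr(b), pointer_tag(a));
        uint8_t v;
        if (checked_load(oob, &v) == 0) undetected++;
    }
    return undetected;
}

int main(void) {
    next_free = 0;
    uint64_t p = mte_alloc(20);           /* 20 bytes -> two tagged granules */
    uint8_t v = 0;
    checked_store(p, 0x41);
    printf("same-tag load: rc=%d value=0x%02x\n", checked_load(p, &v), v);
    uint64_t wrong = tag_pointer(pointer_addr(p), (pointer_tag(p) + 1) & 0xF);
    printf("wrong-tag load: rc=%d (tag check fault)\n", checked_load(wrong, &v));
    unsigned trials = 16000, und = count_undetected_overflows(trials, 42);
    printf("undetected overflows: %u of %u (expected about 1/16)\n", und, trials);
    return 0;
}
```

A load through a pointer whose tag matches the granule succeeds, a load through the same address with any other tag returns the TCF code, and the simulation lands close to 1/16 undetected accesses, which is the 15/16 detection rate quoted above. On real hardware the allocation tags live in dedicated tag storage and the comparison happens in the load/store unit rather than in a lookup table, but the rule being enforced is the one modelled here.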

2.2. Speculative Execution Attack

A speculative execution attack is a class of attacks that exploit the CPU’s speculative behaviors to leak sensitive information [24, 30, 36, 41, 66–68, 71]. Spectre [30] and Meltdown [36] are well-known speculative execution attacks, in which the attacker speculatively executes the victim code to load data that cannot be accessed during normal execution (e.g., through an out-of-bounds access). If the speculatively loaded data affects the cache, the attacker can infer its value by observing the cache state (e.g., a cache hit or miss inferred from access latency).

Such speculative information leakage typically requires two attacker capabilities: i) controlling the cache state by flushing or evicting cache sets before the victim accesses the data, and ii) measuring time precisely enough to discern cache hits from misses.

Recent studies have extended speculative execution attacks to bypass hardware security features such as Address Space Layout Randomization (ASLR) [18] and Pointer Authentication Code (PAC) [4].

Threat Model

We consider a threat model where the target system employs Memory Tagging Extension (MTE) [5] to prevent memory corruption. The allocator in the target system tags each allocation with a random tag, and the tag is checked on every memory access. We assume random tagging since it is architecturally designed to improve security [5] and commonly deployed in real-world MTE-enabled systems (e.g., Android Scudo allocator [3], Chrome PartitionAlloc [2], and Linux Hardware Tag-Based KASAN [26]).

We assume that the attacker knows the memory corruption vulnerabilities in the target system and aims to exploit them to gain unauthorized access to the system. From the attacker’s perspective, triggering the vulnerabilities carries a high probability of crashing the target process with a tag check fault, which notifies the system administrator of the attack. We further detail the specific threat model in real-world attack scenarios (§6).


:::info Authors:

  1. Juhee Kim
  2. Jinbum Park
  3. Sihyeon Roh
  4. Jaeyoung Chung
  5. Youngjoo Lee
  6. Taesoo Kim
  7. Byoungyoung Lee

:::

:::info This paper is available on arxiv under CC 4.0 license.

:::
