Security News: New ARM 'TIKTAG' attack impacts Google Chrome, Linux systems

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,256
A new speculative execution attack named "TIKTAG" targets ARM's Memory Tagging Extension (MTE) to leak data with over a 95% chance of success, allowing hackers to bypass the security feature.

The paper, co-signed by a team of Korean researchers from Samsung, Seoul National University, and the Georgia Institute of Technology, demonstrates the attack against Google Chrome and the Linux kernel.

MTE is a feature added in the ARM v8.5-A architecture (and later), designed to detect and prevent memory corruption.

The system uses low-overhead tagging, assigning 4-bit tags to 16-byte memory chunks, to protect against memory corruption attacks by ensuring that the tag in the pointer matches the accessed memory region.

MTE has three operational modes: synchronous, asynchronous, and asymmetric, balancing security and performance.

The researchers found that by using two gadgets (code), namely TIKTAG-v1 and TIKTAG-v2, they can exploit speculative execution to leak MTE memory tags with a high success ratio and in a short time.

Leaking those tags does not directly expose sensitive data such as passwords, encryption keys, or personal information. However, it can theoretically allow attackers to undermine the protections provided by MTE, rendering the security system ineffective against stealthy memory corruption attacks.
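To make concrete why a leaked tag matters, here is an added host-side C simulation of the MTE check described above; it is illustration code written for this thread, not code from the paper, from ARM, Chrome or Linux. The granule size (16 bytes), tag width (4 bits) and tag position (address bits 59:56) follow the MTE design; the allocator, the function names (mte_alloc, mte_store8 and so on) and the choice to reserve tag 0 for freed memory are assumptions of the simulation. Real MTE keeps allocation tags in separate tag memory, picks them at random (IRG) and raises a fault on mismatch; here both tags live in plain arrays and a mismatch is a false return, so the code runs on any machine.

```c
/*
 * Host-side simulation of ARM MTE tag checking (added illustration, not the
 * paper's or any vendor's code). 4-bit allocation tags on 16-byte granules,
 * the pointer's logical tag in address bits 59:56, checked on every access.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define GRANULE   16
#define HEAP_SIZE 256                      /* 16 granules of simulated heap */
#define TAG_SHIFT 56
#define TAG_MASK  0xFULL

typedef uint64_t tptr;                     /* tagged pointer: offset | tag << 56 */

static uint8_t heap[HEAP_SIZE];
static uint8_t granule_tag[HEAP_SIZE / GRANULE];   /* stands in for tag memory */
static size_t  heap_top;
static uint8_t next_tag;

static inline uint64_t ptr_tag(tptr p) { return (p >> TAG_SHIFT) & TAG_MASK; }
static inline uint64_t ptr_off(tptr p) { return p & ((1ULL << TAG_SHIFT) - 1); }
static inline tptr     make_ptr(uint64_t off, uint64_t tag) { return off | (tag << TAG_SHIFT); }

void mte_reset(void) {
    memset(heap, 0, sizeof heap);
    memset(granule_tag, 0, sizeof granule_tag);   /* simulation choice: tag 0 = not allocated */
    heap_top = 0;
    next_tag = 1;
}

/* Bump allocator: tags every granule of the block and returns a pointer carrying
 * the same tag. Real MTE picks the tag randomly; a deterministic 1..15 cycle is
 * used here so the demo is reproducible. */
tptr mte_alloc(size_t n) {
    size_t granules = (n + GRANULE - 1) / GRANULE;
    if (heap_top + granules * GRANULE > HEAP_SIZE) return 0;
    uint8_t tag = next_tag;
    next_tag = (uint8_t)(next_tag % 15 + 1);
    size_t off = heap_top;
    for (size_t g = 0; g < granules; g++) granule_tag[off / GRANULE + g] = tag;
    heap_top += granules * GRANULE;
    return make_ptr(off, tag);
}

/* Freeing retags the granules so any stale pointer mismatches afterwards. */
void mte_free(tptr p, size_t n) {
    size_t granules = (n + GRANULE - 1) / GRANULE;
    for (size_t g = 0; g < granules; g++) granule_tag[ptr_off(p) / GRANULE + g] = 0;
}

/* The check every load/store performs. In synchronous MTE a mismatch is a
 * SIGSEGV with SEGV_MTESERR; here it is a false return. */
static bool tag_ok(tptr p) {
    uint64_t off = ptr_off(p);
    return off < HEAP_SIZE && granule_tag[off / GRANULE] == ptr_tag(p);
}
bool mte_store8(tptr p, uint8_t v) { if (!tag_ok(p)) return false; heap[ptr_off(p)] = v; return true; }
bool mte_load8(tptr p, uint8_t *out) { if (!tag_ok(p)) return false; *out = heap[ptr_off(p)]; return true; }

/* 1. Linear overflow from block A into the adjacent block B: tags differ, caught. */
bool overflow_is_caught(void) {
    mte_reset();
    tptr a = mte_alloc(16), b = mte_alloc(16);
    (void)b;
    return mte_store8(a + 16, 0x41) == false;   /* one byte past A lands in B's granule */
}

/* 2. Use after free: the stale pointer still carries the old tag, caught. */
bool uaf_is_caught(void) {
    mte_reset();
    tptr a = mte_alloc(16);
    mte_free(a, 16);
    uint8_t v;
    return mte_load8(a, &v) == false;
}

/* 3. Attacker who can only guess B's tag: of the 16 possible values exactly one
 * passes, so each attempt has a 1/16 chance and a miss is a detectable fault. */
int guesses_that_pass(void) {
    mte_reset();
    tptr a = mte_alloc(16), b = mte_alloc(16);
    (void)a;
    int hits = 0;
    for (uint64_t t = 0; t < 16; t++)
        if (mte_store8(make_ptr(ptr_off(b), t), 0x41)) hits++;
    return hits;
}

/* 4. Attacker who has learned B's tag (what a tag-leak oracle provides): a forged
 * pointer with the right tag passes the check on the first try, no fault raised. */
bool forged_pointer_with_known_tag_passes(void) {
    mte_reset();
    tptr a = mte_alloc(16), b = mte_alloc(16);
    uint64_t leaked_tag = ptr_tag(b);          /* stands in for the oracle's output */
    tptr forged = make_ptr(ptr_off(a) + 16, leaked_tag);
    return mte_store8(forged, 0x41);
}
```

Cases 1 and 2 are what MTE is for: the corrupting access carries the wrong tag and faults. Case 3 shows the bar an attacker faces without a leak, a 15-in-16 chance of a crash per attempt, which is what makes blind exploitation noisy. Case 4 is the situation after a tag-leak oracle: the same overflow now looks like a legitimate access, which is the sense in which the attack undermines MTE without itself disclosing any data.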
 

Gandalf_The_Grey
I don't think so, from the source article:
While ARM recognized the seriousness of the situation and published a bulletin a few months back, it does not consider this a compromise of the feature.

"As Allocation Tags are not expected to be a secret to software in the address space, a speculative mechanism that reveals the correct tag value is not considered a compromise of the principles of the architecture," reads the ARM bulletin.

Chrome's security team acknowledged the issues but decided not to fix the vulnerabilities because the V8 sandbox is not intended to guarantee the confidentiality of memory data and MTE tags.

Moreover, the Chrome browser does not currently enable MTE-based defenses by default, making it a lower priority for immediate fixes.

The MTE oracles in the Pixel 8 device were reported to the Android security team later, in April 2024, and were acknowledged as a hardware flaw qualifying for a bounty reward.
 
