Bypassing ARM's Memory Tagging Extension with a Side-Channel Attack скачать в хорошем качестве

Bypassing ARM's Memory Tagging Extension with a Side-Channel Attack

ARM Memory Tagging Extension (MTE) is a new hardware extension introduced in ARMv8.5-A architecture designed to detect memory corruption. Compared to previous mitigation techniques such as DEP, ASLR, and CFI, MTE can detect the root cause of memory corruption attacks. For this reason, MTE is considered the most promising path forward for improving C/C++ software security by many security experts, since its first adoption with Pixel 8 in October 2023. In this talk, we show that despite high hopes, MTE is not yet the silver bullet for eliminating memory corruption attacks. Specifically, we introduce new exploitation techniques that leak the MTE tags through speculative execution. We demonstrate that the MTE-based protection in Google Chrome and the Linux kernel can be bypassed. Our findings suggest that while MTE represents a significant advancement in memory safety, it is not yet safe against side-channel attacks, and further improvements are necessary to secure systems effectively. By: Juhee Kim | Ph.D. Student, Seoul National University Jinbum Park | Samsung Research Sihyeon Roh | Seoul National University Jaeyoung Chung | Seoul National University Youngjoo Lee | Seoul National University Taesoo Kim | Samsung Research and Georgia Institute of Technology Byoungyoung Lee | Seoul National University Full Abstract and Presentation Materials: https://www.blackhat.com/us-24/briefi...