Bypassing ARM's Memory Tagging Extension with a Side-Channel Attack
Author: Black Hat
Uploaded: 2025-01-28
ARM Memory Tagging Extension (MTE) is a hardware extension introduced in the ARMv8.5-A architecture to detect memory corruption. Unlike earlier mitigations such as DEP, ASLR, and CFI, which only make an already-corrupted program harder to exploit, MTE can catch the memory-safety violation itself: each 16-byte granule of memory carries a 4-bit tag, each pointer carries a tag in its upper address bits, and an access whose pointer tag does not match the memory tag is reported. For this reason, many security experts consider MTE the most promising path forward for improving C/C++ software security, especially since its first production adoption in the Pixel 8 in October 2023.
In this talk, we show that despite these high hopes, MTE is not yet a silver bullet for eliminating memory corruption attacks. Specifically, we introduce new exploitation techniques that leak MTE tags through speculative execution, and we demonstrate that the MTE-based protections in Google Chrome and the Linux kernel can be bypassed.
Our findings suggest that while MTE represents a significant advance in memory safety, it is not yet robust against side-channel attacks, and further hardening is necessary to secure systems effectively.
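To make concrete why leaking a tag defeats the protection, here is a small software model of MTE's tag check. It is added to this page as an illustration and is not code from the talk or the authors' tooling; it uses no real MTE instructions. Memory is a byte array, the per-granule allocation tags are a parallel array, and an "address" is an offset with the 4-bit tag placed in bits [59:56], the way MTE tags a pointer. The layout (a 32-byte buffer A next to a victim B whose first byte holds a constructed secret, 0x42) and the tag values 0x3 and 0xA are arbitrary choices for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define GRANULE        16      /* MTE tags memory in 16-byte granules */
#define TAG_SHIFT      56      /* pointer tag lives in address bits [59:56] */
#define TAG_MASK       0xFULL  /* 4-bit tag: 16 possible values */
#define HEAP_GRANULES  8

enum { MTE_OK = 0, MTE_TAG_FAULT = 1 };

/* Modeled address: an offset into heap[] plus a tag in bits [59:56]. Not a real pointer. */
typedef uint64_t taddr;

static uint8_t heap[HEAP_GRANULES * GRANULE]; /* modeled memory (constructed for the example) */
static uint8_t granule_tag[HEAP_GRANULES];    /* modeled allocation-tag storage, one tag per granule */

static taddr untag(taddr p) { return p & ~(TAG_MASK << TAG_SHIFT); }
static unsigned ptr_tag(taddr p) { return (unsigned)((p >> TAG_SHIFT) & TAG_MASK); }
static taddr set_tag(taddr p, unsigned tag) {
    return untag(p) | ((taddr)(tag & TAG_MASK) << TAG_SHIFT);
}

/* Model of an allocator tagging a fresh object: tag its granules, return a matching tagged pointer. */
static taddr mte_alloc(size_t first_granule, size_t ngranules, unsigned tag) {
    for (size_t i = 0; i < ngranules; i++)
        granule_tag[first_granule + i] = (uint8_t)(tag & TAG_MASK);
    return set_tag((taddr)(first_granule * GRANULE), tag);
}

/* Model of a tag-checked load: the pointer tag must equal the tag of the granule being accessed. */
static int mte_load(taddr p, uint8_t *out) {
    taddr off = untag(p);
    if (off >= sizeof heap) return MTE_TAG_FAULT;                 /* outside the modeled memory */
    if (ptr_tag(p) != granule_tag[off / GRANULE]) return MTE_TAG_FAULT;
    *out = heap[off];
    return MTE_OK;
}

/* Layout used by every scenario: buffer A in granules 0-1 (32 bytes), victim B in granules 2-3.
 * B's first byte holds the constructed "secret" the attacker wants to read. Returns A's pointer. */
static taddr layout(unsigned tag_a, unsigned tag_b) {
    memset(heap, 0, sizeof heap);
    memset(granule_tag, 0, sizeof granule_tag);
    taddr a = mte_alloc(0, 2, tag_a);
    (void)mte_alloc(2, 2, tag_b);
    heap[2 * GRANULE] = 0x42;
    return a;
}

/* Linear overflow: read one byte past A through A's own pointer. The pointer still carries
 * tag_a while the granule carries tag_b, so the check reports the violation. */
static int oob_read_with_own_tag(unsigned tag_a, unsigned tag_b, uint8_t *out) {
    taddr a = layout(tag_a, tag_b);
    return mte_load(a + 2 * GRANULE, out);
}

/* Same overflow after the attacker has learned tag_b (what a tag leak provides): re-tag the
 * pointer and the check passes, so the corruption is no longer detected. */
static int oob_read_with_leaked_tag(unsigned tag_a, unsigned tag_b, uint8_t *out) {
    taddr a = layout(tag_a, tag_b);
    return mte_load(set_tag(a + 2 * GRANULE, tag_b), out);
}

/* Without a leak the attacker can only guess the 4-bit tag: exactly one of the 16 values passes,
 * and every wrong guess is a detectable fault (on real hardware, typically a crash). */
static int count_passing_tag_guesses(unsigned tag_a, unsigned tag_b) {
    int passes = 0;
    for (unsigned g = 0; g < 16; g++) {
        taddr a = layout(tag_a, tag_b);
        uint8_t v;
        if (mte_load(set_tag(a + 2 * GRANULE, g), &v) == MTE_OK) passes++;
    }
    return passes;
}

int main(void) {
    uint8_t v = 0;
    printf("overflow with own tag:    %s\n",
           oob_read_with_own_tag(0x3, 0xA, &v) == MTE_OK ? "read" : "tag fault");
    printf("overflow with leaked tag: %s (byte 0x%02x)\n",
           oob_read_with_leaked_tag(0x3, 0xA, &v) == MTE_OK ? "read" : "tag fault", v);
    printf("blind guesses that pass:  %d of 16\n", count_passing_tag_guesses(0x3, 0xA));
    return 0;
}
```

The model also shows the limit MTE has even without a leak: two adjacent objects that happen to share a tag are indistinguishable to the check, which is why MTE-aware allocators avoid giving neighbouring objects the same tag. With 16 tag values, blind guessing costs a crash per wrong guess; a side channel that reads the tag without faulting, as the talk describes, removes exactly that cost.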
By:
Juhee Kim | Ph.D. Student, Seoul National University
Jinbum Park | Samsung Research
Sihyeon Roh | Seoul National University
Jaeyoung Chung | Seoul National University
Youngjoo Lee | Seoul National University
Taesoo Kim | Samsung Research and Georgia Institute of Technology
Byoungyoung Lee | Seoul National University
Full Abstract and Presentation Materials:
https://www.blackhat.com/us-24/briefi...