Auth Lab Community

“New TIKTAG Attack Exposed, Specifically Targeting Google Chrome and Linux Systems”

Title: New ‘TIKTAG’ Attack Targeting ARM Memory Tag Extension Revealed by South Korean Researchers

A Korean research team comprising experts from Samsung, Seoul National University, and the Georgia Institute of Technology has recently uncovered a new type of attack named “TIKTAG”, targeting ARM’s Memory Tagging Extension (MTE). The attack allows attackers to bypass this protection, specifically targeting Google Chrome and the Linux kernel, leaking MTE tags with a probability exceeding 95%.

MTE is a feature introduced in the ARM v8.5-A architecture and later versions to detect and prevent memory corruption. It uses low-overhead tagging: every 16-byte block of memory is assigned a 4-bit tag, and every access checks that the tag carried in the pointer matches the tag of the memory block being accessed, so an out-of-bounds or use-after-free access with a stale or wrong tag is caught. MTE operates in three modes – synchronous, asynchronous, and asymmetric – which trade off security against performance.
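To make the tag-check mechanism concrete, the following is an added software model of MTE written for this page; it is not code from the article, from ARM, or from the TIKTAG paper. It simulates a small heap of 16-byte granules, each with a 4-bit allocation tag, and pointers that carry a logical tag in bits 56..59 of the address (as on real hardware with top-byte ignore). The allocator, the access checks and the `demo_*` scenario functions are all hypothetical names chosen here. The scenarios show what a real MTE check would catch (an overflow into a neighbouring allocation, a use-after-free, a pointer whose tag was set to the wrong value) and what it would not (an overrun that stays inside the allocation's last granule), and they illustrate why a leaked tag matters: a pointer with the correct tag passes the check.

```c
/* Software model of ARM MTE tag checking (added example, not the page's code).
 * 16-byte granules, 4-bit allocation tags, logical tag in pointer bits 56..59.
 * A failed check returns 0; on real hardware in synchronous mode it raises a
 * tag check fault instead. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define GRANULE 16
#define HEAP_GRANULES 64
#define TAG_SHIFT 56
#define TAG_MASK ((uintptr_t)0xF << TAG_SHIFT)

static uint8_t heap[HEAP_GRANULES * GRANULE] __attribute__((aligned(16)));
static uint8_t granule_tag[HEAP_GRANULES]; /* allocation tag per granule, 0 = free */
static size_t next_granule = 0;            /* simple bump allocator state */
static uint8_t next_tag = 1;

typedef uintptr_t tagged_ptr; /* address with the logical tag in bits 56..59 */

static uintptr_t strip_tag(tagged_ptr p) { return p & ~TAG_MASK; }
static uint8_t ptr_tag(tagged_ptr p) { return (uint8_t)((p & TAG_MASK) >> TAG_SHIFT); }

/* Map an untagged address to its granule, or -1 if it is outside the heap. */
static int granule_index(uintptr_t addr) {
    uintptr_t base = (uintptr_t)heap;
    if (addr < base || addr >= base + sizeof heap) return -1;
    return (int)((addr - base) / GRANULE);
}

/* Allocate n bytes rounded up to whole granules and colour them with a fresh
 * tag from 1..15; the returned pointer carries the same tag. */
tagged_ptr mte_alloc(size_t n) {
    size_t g = (n + GRANULE - 1) / GRANULE;
    if (g == 0) g = 1;
    if (next_granule + g > HEAP_GRANULES) return 0;
    uint8_t tag = next_tag;
    next_tag = (uint8_t)(next_tag % 15 + 1); /* cycle through 1..15, never 0 */
    for (size_t i = 0; i < g; i++) granule_tag[next_granule + i] = tag;
    uintptr_t addr = (uintptr_t)&heap[next_granule * GRANULE];
    next_granule += g;
    return addr | ((uintptr_t)tag << TAG_SHIFT);
}

/* Free: retag the granules so that stale pointers no longer match. */
void mte_free(tagged_ptr p, size_t n) {
    int gi = granule_index(strip_tag(p));
    size_t g = (n + GRANULE - 1) / GRANULE;
    if (gi < 0) return;
    for (size_t i = 0; i < g && (size_t)gi + i < HEAP_GRANULES; i++)
        granule_tag[(size_t)gi + i] = 0;
}

/* Tag-checked load/store: succeed only if pointer tag == granule tag. */
int mte_load(tagged_ptr p, uint8_t *out) {
    uintptr_t addr = strip_tag(p);
    int gi = granule_index(addr);
    if (gi < 0 || granule_tag[gi] != ptr_tag(p)) return 0;
    *out = *(uint8_t *)addr;
    return 1;
}

int mte_store(tagged_ptr p, uint8_t v) {
    uintptr_t addr = strip_tag(p);
    int gi = granule_index(addr);
    if (gi < 0 || granule_tag[gi] != ptr_tag(p)) return 0;
    *(uint8_t *)addr = v;
    return 1;
}

/* Scenario 1: a 20-byte buffer occupies two granules; byte 19 is in bounds,
 * byte 32 is the neighbour's first granule (different tag) and is caught. */
int demo_overflow_detected(void) {
    tagged_ptr a = mte_alloc(20);
    tagged_ptr b = mte_alloc(8);
    (void)b;
    int in_bounds = mte_store(a + 19, 0x41); /* arithmetic keeps the tag bits */
    int overflow = mte_store(a + 32, 0x42);
    return in_bounds && !overflow;
}

/* Scenario 2: the granularity limit. Bytes 20..31 belong to no object but sit
 * inside the buffer's last granule, so an overrun into them is NOT detected. */
int demo_intra_granule_slack(void) {
    tagged_ptr a = mte_alloc(20);
    return mte_store(a + 24, 0x43);
}

/* Scenario 3: use-after-free is caught because free() retags the memory. */
int demo_uaf_detected(void) {
    tagged_ptr p = mte_alloc(16);
    uint8_t v;
    mte_store(p, 1);
    mte_free(p, 16);
    return !mte_load(p, &v);
}

/* Scenario 4: the same address with the wrong tag is rejected; only a pointer
 * carrying the correct tag passes, which is exactly what a tag leak reveals. */
int demo_wrong_tag_rejected(void) {
    tagged_ptr p = mte_alloc(16);
    uint8_t other = (uint8_t)(ptr_tag(p) % 15 + 1); /* some tag != ptr_tag(p) */
    tagged_ptr wrong = strip_tag(p) | ((uintptr_t)other << TAG_SHIFT);
    uint8_t v;
    return !mte_load(wrong, &v) && mte_load(p, &v);
}

int main(void) {
    printf("overflow into neighbour detected: %d\n", demo_overflow_detected());
    printf("overrun inside last granule detected: %d\n", !demo_intra_granule_slack());
    printf("use-after-free detected: %d\n", demo_uaf_detected());
    printf("wrong-tag pointer rejected: %d\n", demo_wrong_tag_rejected());
    return 0;
}
```

The model uses a bump allocator and a fixed heap so it runs anywhere; real MTE allocators additionally randomise tags and ensure adjacent allocations never share one. With only 16 tag values, a blind guess passes the check 1 in 16 times, which is why a mechanism that reveals the correct tag, as TIKTAG does, removes most of the protection.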

By utilizing two small tools, TIKTAG-v1 and TIKTAG-v2, researchers were able to exploit speculative execution to swiftly leak MTE memory tags, achieving a high success rate.

Although leaking these tags does not directly expose sensitive data such as passwords, encryption keys, or personal information, it enables attackers to undermine the protection MTE offers, leaving otherwise protected systems vulnerable to stealthy memory corruption attacks.

TIKTAG-v1 exploits speculation shrinkage in the CPU’s branch prediction and data prefetching behaviour to leak MTE tags. TIKTAG-v2, on the other hand, exploits store-to-load forwarding under speculative execution: the stored value is forwarded when the tag matches and withheld when the tags do not match, and that difference in behaviour reveals the tag.

The research team demonstrated the efficacy of TIKTAG-v2 against the Google Chrome browser, in particular the V8 JavaScript engine, showing how it could pave the way for exploiting memory corruption vulnerabilities in the renderer process.

The researchers reported their findings to the affected companies between November and December 2023 and received a generally positive response. Mitigation measures against TIKTAG attacks are proposed in their technical paper published on arXiv.org.

While ARM acknowledges the severity of the findings, it does not consider them a compromise of the feature’s integrity, stating that revealing correct tag values through speculative mechanisms does not violate the architecture’s principles.

Chrome’s security team acknowledges the existence of these issues but currently has no plans to address them, stating that the V8 sandbox is not designed to guarantee the confidentiality of memory data or MTE tags. Chrome also does not prioritise a fix because it does not enable MTE-based defences by default.

The MTE tag leakage on Pixel 8 devices was reported to the Android security team in April of this year and was deemed a hardware bug eligible for a reward.

The TIKTAG attack sheds light on the evolving landscape of cybersecurity threats and the importance of continuous vigilance and innovation in safeguarding digital ecosystems against sophisticated attacks.