Attackers can bypass ARM security feature protecting from memory corruption

With a success rate of nearly 100%, researchers were able to bypass new ARM chip defenses against memory corruption. The discovered flaw can lead to many cyberattacks, including privilege escalation, arbitrary code execution, sensitive data leaks, or critical system damage.

ARM, a computer processor architecture with a reduced instruction set, dominates the mobile phone and tablet market, powers many gadgets, and is increasingly gaining popularity in laptops and PCs.

However, researchers from Seul National University and Samsung Research discovered that ARM could be vulnerable to memory corruption, as the feature guarding against such vulnerabilities could be easily bypassed.

Memory Tagging Extension (MTE) is a hardware feature introduced in the ARM architecture to detect memory corruption vulnerabilities. MTE works by assigning unique tags to different memory regions and checking if the tags match during memory access.

Researchers were able to leak MTE tags with a success rate of 95% in less than 4 seconds, bypassing MTE-based mitigations.

“Attackers can bypass the probabilistic defense of MTE, increasing the attack success rate by close to 100%,” the paper reads.

This does not mean the direct leakage of sensitive data such as passwords or encryption keys. Attackers would need to exploit leaked MTE tags to disable security measures and then implement an actual attack using a memory compromise vulnerability – craft a more sophisticated attack to execute arbitrary code.

Researchers demonstrated two techniques, TIKTAG-v1 and TIKTAG-v2, to show how real-world attacks could occur against Chrome, Linux kernel, and Google Pixel 8.

The attack exploits the processor’s speculative behaviors to leak sensitive information in a so-called speculative execution attack, similar to Spectre and Meltdown. By tricking the processor into leaking secret information from memory, attackers can then try to manipulate the memory by injecting malicious code.

“There are several challenges to launching real-world attacks using TIKTAG gadgets. First, TIKTAG gadgets should be executed in the target address space, requiring the attacker to construct or find gadgets from the target system. Second, the attacker should control and observe the cache state to leak the tag check results,” researchers said.

The Android Security Team acknowledged the issue as a hardware flaw of Pixel 8, decided to address it in Android’s MTE-based defense, and awarded a bounty reward for the report.

While ARM admitted that the effectiveness of the CPU protection could be hindered, the chip designer “does not consider the risk of speculative oracles a detriment to the value offered by Arm.”

“Arm MTE Allocation Tags are not expected to be a secret. Therefore, a mechanism that reveals the correct tag value is not a compromise of the principles of the architecture,” the company said in a paper.

Researchers proposed measures to protect the chips better and claimed that MTE-based protections are still an attractive solution to mitigate memory corruption attacks.

More from Cybernews:

Santander US reveals employee bank account details stolen

London hospital attackers started leaking blood test data

US bans Kaspersky for posing ‘significant risk’

Anthropic’s updated mid-size AI model claims the crown

Wordle today #1,098 daily hints: June 21st, 2024

Subscribe to our newsletter