2 New Gadgets Crack Supposedly Unbreakable Security Feature (MTE) Exploited!
Researchers from Seoul National University, Samsung Research, and Georgia Tech have identified speculative execution attacks targeting ARM’s Memory Tagging Extension (MTE). These attacks exploit vulnerabilities in branch prediction, data prefetching, and store-to-load forwarding, allowing attackers to leak MTE tags without triggering process crashes. The researchers introduced two attack techniques, TIKTAG-v1 and TIKTAG-v2, achieving a success rate of over 95% in under four seconds.
In Google Chrome’s V8 JavaScript engine, TIKTAG-v2 bypassed MTE protections with a 97% success rate, while TIKTAG-v1 successfully leaked MTE tags in the Linux kernel, evading security measures across user and kernel boundaries. These attacks enable exploitation of memory corruption vulnerabilities, such as buffer overflows and use-after-free, without detection. The findings have been reported to ARM, Google, and Android to enhance security measures. To mitigate these threats, researchers recommend hardware modifications to isolate microarchitectural behaviors from MTE tag verification.
Additionally, software-based defenses, such as speculation barriers, could help prevent these attacks. Strengthening hardware-enforced security mechanisms is essential to protecting systems from sophisticated speculative execution vulnerabilities.

Researchers have uncovered new speculative execution attacks that bypass ARM’s Memory Tagging Extension (MTE). These attacks, named TIKTAG-v1 and TIKTAG-v2, exploit vulnerabilities in branch prediction, prefetching, and store-to-load forwarding. Demonstrations show that attackers can leak MTE tags in under four seconds with over a 95% success rate, posing a significant security threat to modern ARM-based systems.
ARM Chip Vulnerability Exposes MTE Tags Through Speculative Execution Attacks
A team of researchers from Seoul National University, Samsung Research, and Georgia Institute of Technology has identified speculative execution attacks capable of leaking Memory Tagging Extension (MTE) tags on ARM-based systems. The researchers, including Juhee Kim, Jinbum Park, Sihyeon Roh, Jaeyoung Chung, Youngjoo Lee, Taesoo Kim, and Byoungyoung Lee, found that new attack techniques, dubbed TIKTAG gadgets, exploit weaknesses in branch prediction, prefetching mechanisms, and store-to-load forwarding.
MTE Tags at Risk
Cybersecurity experts have demonstrated successful attacks against Google Chrome and the Linux kernel, achieving more than a 95% success rate in under four seconds when leaking MTE tags. These findings highlight significant concerns about speculative execution vulnerabilities in MTE security measures. The researchers have reported the issue to ARM, Google, and Android to ensure appropriate mitigation strategies are developed as MTE adoption grows.
Bypassing MTE Protections Through Speculative Execution
The study focused on attacks against MTE, a security feature that assigns random tags to memory allocations and checks them on every memory access. An attacker who learns the tag attached to a target memory address can craft accesses that pass the tag check, and can therefore exploit memory corruption vulnerabilities without triggering the crash that MTE is meant to cause.
The researchers introduced two speculative execution gadgets, TIKTAG-v1 and TIKTAG-v2, which abuse microarchitectural behaviors that interact with tag checks (speculative execution driven by branch prediction, data prefetching, and store-to-load forwarding) to learn the tag of a target address without an architectural fault.
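To make the stakes concrete, the following is an added example that is not code from the article or from the TIKTAG researchers. It is a small portable software model of how MTE tags allocations and checks pointers (real MTE is a hardware feature of ARMv8.5-A; the tag table, allocator, tag-check function and all values here are constructed for illustration). It shows three things: an adjacent overflow is caught because neighbouring allocations carry different tags, a blind guess of a 4-bit tag faults 15 times out of 16, and once the tag is known the check passes silently, which is exactly why a tag leak removes MTE's crash-based detection. The leak mechanism itself is not modelled; the "leak" is simulated by reading the model's tag table directly.

```c
/* Added example, not from the article or the TIKTAG paper: a software model of
 * MTE tag assignment and tag checking, used to show why a leaked tag defeats
 * the protection. Tags live in a side table (hardware does this in real MTE)
 * and "pointers" are simulated 64-bit values carrying the tag in bits 56..59,
 * mirroring where MTE keeps the logical tag. All values are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define GRANULE   16                 /* MTE tags memory in 16-byte granules */
#define HEAP_SIZE 4096
#define NGRANULES (HEAP_SIZE / GRANULE)
#define TAG_SHIFT 56
#define TAG_MASK  ((uint64_t)0xF << TAG_SHIFT)

typedef uint64_t taddr;              /* simulated tagged address: offset | tag<<56 */

static uint8_t  heap[HEAP_SIZE];
static uint8_t  granule_tag[NGRANULES];   /* 4-bit allocation tag per granule */
static size_t   heap_top = GRANULE;       /* bump allocator; granule 0 reserved so 0 = failure */
static uint8_t  prev_tag = 0xFF;          /* tag of the previous (adjacent) allocation */
static uint32_t rng = 0x9E3779B9u;        /* constructed seed; LCG, not cryptographic */

static uint8_t random_tag(void) {
    rng = rng * 1664525u + 1013904223u;
    return (uint8_t)((rng >> 24) & 0xF);
}

static uint8_t  taddr_tag(taddr a) { return (uint8_t)((a & TAG_MASK) >> TAG_SHIFT); }
static uint64_t taddr_off(taddr a) { return a & ~TAG_MASK; }
static taddr    with_tag(taddr a, uint8_t tag) {
    return (a & ~TAG_MASK) | ((uint64_t)tag << TAG_SHIFT);
}

/* Allocate: round up to whole granules, give them a fresh random tag that
 * differs from the neighbouring previous allocation (MTE allocators exclude
 * the adjacent tag so linear overflows are always caught), and return a
 * pointer carrying that tag. Returns 0 when the model heap is exhausted. */
static taddr mte_alloc(size_t size) {
    size_t n = (size + GRANULE - 1) / GRANULE;
    if (heap_top + n * GRANULE > HEAP_SIZE) return 0;
    uint8_t tag;
    do { tag = random_tag(); } while (tag == prev_tag);
    size_t first = heap_top / GRANULE;
    for (size_t i = 0; i < n; i++) granule_tag[first + i] = tag;
    taddr a = with_tag((taddr)heap_top, tag);
    heap_top += n * GRANULE;
    prev_tag = tag;
    return a;
}

/* Store through a tagged pointer. Returns true on success; false models the
 * tag-check fault that, under synchronous MTE, terminates the process. */
static bool mte_store(taddr a, uint8_t value) {
    uint64_t off = taddr_off(a);
    if (off >= HEAP_SIZE) return false;
    if (granule_tag[off / GRANULE] != taddr_tag(a)) return false;  /* tag mismatch */
    heap[off] = value;
    return true;
}

/* Scenario 1: a one-byte linear overflow from A into the adjacent allocation B
 * is caught, because B's granule carries a different tag than A's pointer. */
bool overflow_is_caught(void) {
    taddr a = mte_alloc(16);
    (void)mte_alloc(16);               /* B, placed right after A */
    return !mte_store(a + 16, 0x41);   /* one byte past A, inside B */
}

/* Scenario 2: with no leak, an attacker must guess B's 4-bit tag. Only one of
 * the 16 possible tagged pointers passes; every other guess is a fault. */
int guesses_that_pass(void) {
    taddr b = mte_alloc(16);
    int ok = 0;
    for (uint8_t t = 0; t < 16; t++)
        if (mte_store(with_tag(b, t), 0x42)) ok++;
    return ok;
}

/* Scenario 3: if B's tag is known (read straight from the model's side table
 * here, standing in for a tag leak; the leak itself is not modelled), a pointer
 * derived from A but re-tagged with B's tag passes the check on the first try. */
bool leaked_tag_defeats_check(void) {
    taddr a = mte_alloc(16);
    taddr b = mte_alloc(16);
    uint8_t known = granule_tag[taddr_off(b) / GRANULE];
    return mte_store(with_tag(a + 16, known), 0x43);
}

int main(void) {
    printf("adjacent overflow caught:      %d\n", overflow_is_caught());
    printf("blind guesses that pass (/16): %d\n", guesses_that_pass());
    printf("known tag passes check:        %d\n", leaked_tag_defeats_check());
    return 0;
}
```

The point of the three scenarios is the one the article makes: MTE's protection is only as strong as the secrecy of the 4-bit tag, and its detection depends on wrong guesses faulting. A primitive that reveals the tag without a fault turns the third scenario into the attacker's default path, which is why the researchers' mitigations target the microarchitectural channels that expose tag-check outcomes rather than the tag check itself.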
Real-World Exploitation of MTE Vulnerabilities
The attacks were successfully demonstrated in real-world environments:
- Google Chrome’s V8 JavaScript Engine: Using TIKTAG-v2, researchers leaked MTE tags and exploited linear overflow and use-after-free vulnerabilities with a success rate exceeding 97%.
- Linux Kernel: The TIKTAG-v1 gadget was able to leak MTE tags across user and kernel boundaries, bypassing MTE protections designed to prevent buffer overflows and use-after-free attacks, achieving a 97% effectiveness rate.
Mitigation Strategies
To defend against these attacks, researchers suggest hardware modifications that isolate vulnerable microarchitectural behaviors from tag verification processes. Additionally, software-based solutions, such as speculation barriers, could help prevent speculative execution from leaking sensitive memory tag information. Addressing speculative execution vulnerabilities is essential for ensuring the reliability of hardware-enforced security measures against increasingly sophisticated attacks.