{"id":153,"date":"2025-09-02T09:39:30","date_gmt":"2025-09-02T09:39:30","guid":{"rendered":"https:\/\/haco.club\/?p=153"},"modified":"2025-09-03T08:58:18","modified_gmt":"2025-09-03T08:58:18","slug":"bypassing-arms-memory-tagging-extension-with-a-side-channel-attack","status":"publish","type":"post","link":"https:\/\/haco.club\/?p=153","title":{"rendered":"Bypassing ARM&#8217;s Memory Tagging Extension with a Side-Channel Attack"},"content":{"rendered":"\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Bypassing ARM&#039;s Memory Tagging Extension with a Side-Channel Attack\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/DoPb4mG-7TY?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>This explains a research project on how to bypass ARM&#8217;s Memory Tagging Extension (MTE), a hardware feature designed to prevent memory corruption vulnerabilities. Here are the key takeaways:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>ARM MTE:<\/strong> MTE works like a &#8220;lock and key&#8221; system. Pointers have a &#8220;key&#8221; (a 4-bit tag) and memory objects have a &#8220;lock&#8221; (also a 4-bit tag). 
If the key and lock don&#8217;t match when a pointer tries to access memory, the program will crash, preventing an attack.<\/li>\n\n\n\n<li><strong>The Challenge:<\/strong> The tags are randomly generated, making it difficult for an attacker to guess the correct tag to bypass MTE.<\/li>\n\n\n\n<li><strong>The Attack:<\/strong> The researchers discovered a side-channel attack that combines two CPU features:\n<ul class=\"wp-block-list\">\n<li><strong>Cache Side Channel:<\/strong> This allows an attacker to tell if a memory object has been accessed by measuring how long it takes to access it.<\/li>\n\n\n\n<li><strong>Speculative Execution:<\/strong> This is a CPU optimization where the processor predicts and executes instructions before they are actually needed. The key finding is that if a tag check fails during speculative execution, the program doesn&#8217;t crash immediately.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Putting it Together:<\/strong> By using these two features, the researchers were able to create &#8220;tag leakage gadgets&#8221; that leak the MTE tag without crashing the program. This allows them to bypass MTE and exploit memory corruption vulnerabilities.<\/li>\n\n\n\n<li><strong>Real-World Example:<\/strong> The video demonstrates a real-world attack on Google Chrome&#8217;s V8 engine, where they are able to leak the MTE tag of renderer memory and then exploit a heap overflow vulnerability.<\/li>\n\n\n\n<li><strong>Vendor Response:<\/strong> While ARM and Google acknowledge the issue, they still consider MTE a valuable security feature. 
The Chrome V8 team, however, has decided not to adopt MTE in their renderer due to these types of issues.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"547\" src=\"https:\/\/haco.club\/wp-content\/uploads\/2025\/09\/image-3-1024x547.png\" alt=\"\" class=\"wp-image-155\" srcset=\"https:\/\/haco.club\/wp-content\/uploads\/2025\/09\/image-3-1024x547.png 1024w, https:\/\/haco.club\/wp-content\/uploads\/2025\/09\/image-3-300x160.png 300w, https:\/\/haco.club\/wp-content\/uploads\/2025\/09\/image-3-768x410.png 768w, https:\/\/haco.club\/wp-content\/uploads\/2025\/09\/image-3-1536x821.png 1536w, https:\/\/haco.club\/wp-content\/uploads\/2025\/09\/image-3.png 1886w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"558\" src=\"https:\/\/haco.club\/wp-content\/uploads\/2025\/09\/image-5-1024x558.png\" alt=\"\" class=\"wp-image-157\" srcset=\"https:\/\/haco.club\/wp-content\/uploads\/2025\/09\/image-5-1024x558.png 1024w, https:\/\/haco.club\/wp-content\/uploads\/2025\/09\/image-5-300x163.png 300w, https:\/\/haco.club\/wp-content\/uploads\/2025\/09\/image-5-768x418.png 768w, https:\/\/haco.club\/wp-content\/uploads\/2025\/09\/image-5-1536x837.png 1536w, https:\/\/haco.club\/wp-content\/uploads\/2025\/09\/image-5.png 1876w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><a href=\"https:\/\/www.computer.org\/csdl\/proceedings-article\/sp\/2025\/223600a039\/21B7QrWwN20\">https:\/\/www.computer.org\/csdl\/proceedings-article\/sp\/2025\/223600a039\/21B7QrWwN20<\/a><\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>This explains a research project on how to bypass ARM&#8217;s 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[4,27,5,25,31],"class_list":["post-153","post","type-post","status-publish","format-standard","hentry","category-black-hat","tag-hardware","tag-microarchitecture","tag-security","tag-side-channel","tag-speculative-execution"],"_links":{"self":[{"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts\/153","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=153"}],"version-history":[{"count":2,"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts\/153\/revisions"}],"predecessor-version":[{"id":175,"href":"https:\/\/haco.club\/index.php?rest_route=\/wp\/v2\/posts\/153\/revisions\/175"}],"wp:attachment":[{"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=153"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=153"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/haco.club\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}