Tiktag Targets ARM CPU Speculative Execution

A group of researchers from Samsung revealed an ARM vulnerability, code-named Tiktag. The vulnerability affects the hardware protection mechanism Memtag (MTE, Memory Tagging Extension) found in chips based on the ARMv8.5-A architecture. Tiktag allows malicious actors to determine the contents of Memtag tags for various memory addresses by exploiting data leaks that result from the speculative execution of CPU instructions.

Memtag technology tags memory and verifies that pointers are used correctly, in order to block exploitation of vulnerabilities such as access to previously released memory blocks, buffer overflows, access before initialization, and use outside the current context. With Memtag, a 4-bit tag is assigned to every 16 bytes of physical memory and acts as a kind of key for memory access. Tags generated by the application are attached to memory areas using specific CPU instructions and stored in the upper bits of the pointer. When memory is accessed through a tagged pointer, the processor compares the tag in the pointer with the tag of the memory and permits the access only if they match.
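A small software model of the tag check described above, added here as an illustration (it is not code from the researchers or from ARM). The arena, function names and tag values are constructed, retagging on free is an assumed allocator behaviour, and the tag position in pointer bits 59:56 is how MTE lays out the pointer. It shows an overflow and a stale pointer failing the check, and that only one of the 16 tag values passes at a given address, which is why the protection depends on tags staying secret.

```c
#include <stddef.h>
#include <stdint.h>

#define GRANULE    16u   /* bytes covered by one tag */
#define TAG_SHIFT  56    /* MTE keeps the pointer's tag in bits 59:56 */
#define ARENA_SIZE 256u  /* constructed: size of the simulated memory */
static uint8_t arena[ARENA_SIZE];                  /* simulated data memory */
static uint8_t granule_tag[ARENA_SIZE / GRANULE];  /* simulated tag storage */

static uint64_t make_ptr(uint64_t off, uint8_t tag) { return off | ((uint64_t)(tag & 0xF) << TAG_SHIFT); }
static uint8_t  ptr_tag(uint64_t p) { return (uint8_t)((p >> TAG_SHIFT) & 0xF); }
static uint64_t ptr_off(uint64_t p) { return p & ((1ULL << TAG_SHIFT) - 1); }

/* Tag every granule overlapping [off, off+len), len > 0, inside the arena;
 * return a pointer carrying the same tag (what an allocator would hand out). */
uint64_t tag_region(uint64_t off, size_t len, uint8_t tag) {
    for (uint64_t g = off / GRANULE; g <= (off + len - 1) / GRANULE; g++)
        granule_tag[g] = tag & 0xF;
    return make_ptr(off, tag);
}

/* Checked load: 0 on success, -1 on tag mismatch or out-of-arena offset. */
int checked_load(uint64_t p, uint8_t *out) {
    uint64_t off = ptr_off(p);
    if (off >= ARENA_SIZE) return -1;
    if (granule_tag[off / GRANULE] != ptr_tag(p)) return -1;  /* tag fault */
    *out = arena[off];
    return 0;
}

/* How many of the 16 possible pointer tags pass the check at this offset. */
int tags_accepted(uint64_t off) {
    int n = 0;
    uint8_t b;
    for (uint8_t t = 0; t < 16; t++)
        n += (checked_load(make_ptr(off, t), &b) == 0);
    return n;
}

int main(void) {
    uint8_t b;
    uint64_t p = tag_region(32, 32, 0x5);      /* "allocate" 32 bytes, tag 5 */
    tag_region(64, 16, 0x9);                   /* neighbouring object, tag 9 */
    int ok = checked_load(p, &b) == 0          /* in-bounds access passes */
          && checked_load(p + 32, &b) == -1;   /* overflow into neighbour faults */
    tag_region(32, 32, 0xA);                   /* "free": retag (assumed allocator behaviour) */
    ok = ok && checked_load(p, &b) == -1 && tags_accepted(32) == 1;
    return ok ? 0 : 1;                         /* 0 when the model behaves as described */
}
```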

The researchers demonstrated a method to bypass Memtag protection by determining the tags associated with memory blocks. They showed how this attack could be carried out during the exploitation of vulnerabilities in the Linux kernel and the Chrome browser, using specific instruction sequences (gadgets) present in these software products to trigger speculative execution. When these gadgets run speculatively and operate on pointers, they read Memtag metadata depending on external conditions that the attacker can influence. Although the result of the speculative execution is discarded once the misprediction is detected, the data it touched remains in the cache and can be extracted through side-channel analysis. The researchers estimate a 95% success rate in bypassing Memtag protection within approximately 4 seconds in their tests.

