ARM Security Feature, which Safeguards Against Memory Corruption, can be Bypassed by Intruders
ARM Security Feature, which Safeguards Against Memory Corruption, can be Bypassed by Intruders
Synopsis: Experts were able to circumvent the new memory corruption defenses of ARM chips with an almost 100% success rate. Numerous cyberattacks, such as privilege escalation, arbitrary code execution, sensitive data breaches, or critical system damage, may result from the recently identified vulnerability.
ARM, a computer processor architecture with a reduced instruction set, dominates the mobile phone and tablet market. It is also the power source for numerous gadgets and is acquiring popularity in laptops and PCs.
Nevertheless, researchers from Samsung Research and Seul National University discovered that ARM could be susceptible to memory corruption, as the feature that protects against such flaws could be easily circumvented.
Memory Tagging Extension (MTE) is a hardware feature that was implemented in the ARM architecture to identify memory corruption vulnerabilities. MTE operates by designating distinctive tags to distinct memory regions and verifying that the tags correspond during memory access.
In less than four seconds, researchers were able to bypass MTE-based mitigations and disclose MTE tags with an accuracy rate of 95%.
The paper states that attackers have the ability to circumvent the probabilistic defense of MTE, which boosts the attack success rate by nearly 100%.
This does not imply the direct disclosure of sensitive data, such as encryption keys or passwords. In order to disable security measures, attackers would need to exploit exposed MTE tags. They would then execute arbitrary code by crafting a more sophisticated attack that leverages a memory compromise vulnerability.
The researchers demonstrated two techniques, TIKTAG-v1 and TIKTAG-v2, to illustrate the potential for real-world attacks against Chrome, Linux kernel, and Google Pixel 8.
The speculative execution attack, which is comparable to Spectre and Meltdown, exploits the processor’s speculative behaviors to disclose sensitive information. Attackers can attempt to manipulate the memory by injecting malicious code after deceiving the processor into releasing secret information from memory.
“There are numerous obstacles to launching real-world attacks using TIKTAG gadgets.” Initially, the attacker must either construct or locate TIKTAG devices from the target system in order to execute them in the target address space. Secondly, the researchers stated that the attacker should be able to observe and control the cache state in order to disclose the tag check results.
The Android Security Team recognized the issue as a hardware defect in Pixel 8 and resolved it by incorporating it into Android’s MTE-based defense. Additionally, they provided a bounty reward for providing the report.
Although ARM acknowledged that the CPU protection’s efficacy could be compromised, the chip designer “does not regard the risk of speculative oracles as a detriment to the value offered by Arm.”
“It is not anticipated that Arm MTE Allocation Tags will remain confidential.” Consequently, the company stated in a paper that a mechanism that discloses the correct tag value is not a compromise of the architecture’s principles.
Researchers suggested measures to enhance the protection of the chips and asserted that MTE-based protections remain an appealing solution for reducing memory corruption assaults.
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blog, he’s also written for brands including CollegeDunia, Utsav Fashion, and NASSCOM. Naager entered the field of content in an unusual way. He began his career as an insurance sales executive, where he developed an interest in simplifying difficult concepts. He also combines this interest with a love of narrative, which makes him a good writer in the cybersecurity field. In the bottom line, he frequently writes for Craw Security.
READ MORE ARTICLE HERE