Bypassing ARM's Memory Tagging Extension with a Side-Channel Attack

Unknown

Black Hat USA 2024 · Day 1 · Briefing

ARM's Memory Tagging Extension (MTE) has been hailed as a transformative hardware-based defense against memory corruption, promising strong protection at low overhead and with little change to existing software. Defined in the Armv8.5-A architecture, it first reached consumer hardware last year in devices such as the Google Pixel 8 and 8 Pro. MTE implements a "lock and key" mechanism: each 16-byte granule of memory is assigned a random 4-bit tag (the lock), and the same tag is stored in otherwise unused top bits of the pointer used to access it (the key). On every load or store the hardware compares the two; a mismatch raises a tag check fault, which in synchronous mode terminates the program. Because the tag is only four bits, an attacker who does not know it has a 1-in-16 chance of guessing correctly, and every wrong guess crashes the process, so the defense rests on the tag staying secret. The security community, including Google and Microsoft, has widely anticipated MTE as a "game changer."
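To make the lock-and-key mechanism concrete, the following is an added software model of MTE tagging written for this page; it is not ARM's implementation, not Scudo or any real allocator, and not code from the talk. It assumes a 64 KiB bump-allocated heap, 16-byte granules and a tag in pointer bits 56..59 (both as on real MTE), a shadow byte array standing in for the hardware tag storage, a fixed-seed xorshift generator for the tags, and a tag check fault reported as a `false` return instead of a SIGSEGV. It runs on any 64-bit host, MTE or not, and shows an in-bounds access succeeding, a use-after-free being caught, fifteen of sixteen blind tag guesses faulting, and a linear overflow into a neighbour escaping detection about one time in sixteen.

```c
/* Added software model of MTE lock-and-key tagging (not ARM's hardware, not
 * any real allocator). Assumptions: 64 KiB bump heap, 16-byte granules, tag in
 * pointer bits 56..59, shadow tag array, fixed-seed xorshift RNG, fault = false. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HEAP_SIZE (64u * 1024u)
#define GRANULE   16u
#define NGRANULES (HEAP_SIZE / GRANULE)
#define TAG_SHIFT 56
#define TAG_MASK  ((uintptr_t)0xF)

static uint8_t  heap[HEAP_SIZE] __attribute__((aligned(16)));
static uint8_t  granule_tag[NGRANULES];   /* one 4-bit tag per 16-byte granule */
static size_t   heap_top;                 /* bump-allocator cursor */
static uint32_t rng = 0x2545F491u;        /* fixed seed so runs are reproducible */

static uint8_t random_tag(void) {         /* xorshift32, keep the low 4 bits */
    rng ^= rng << 13; rng ^= rng >> 17; rng ^= rng << 5;
    return (uint8_t)(rng & TAG_MASK);
}
static uintptr_t set_tag(uintptr_t p, uint8_t t) {
    return (p & ~(TAG_MASK << TAG_SHIFT)) | ((uintptr_t)t << TAG_SHIFT);
}
static uint8_t   ptr_tag(uintptr_t p)   { return (uint8_t)((p >> TAG_SHIFT) & TAG_MASK); }
static uintptr_t strip_tag(uintptr_t p) { return p & ~(TAG_MASK << TAG_SHIFT); }
static size_t    gidx(uintptr_t a)      { return (a - (uintptr_t)heap) / GRANULE; }

void mte_reset(void) { heap_top = 0; memset(granule_tag, 0, sizeof granule_tag); }

/* Models IRG + STG: choose a random tag, stamp it on every granule of the
 * object, and return a pointer carrying the same tag (the "key"). */
uintptr_t mte_alloc(size_t n) {
    size_t rounded = (n + GRANULE - 1) & ~(size_t)(GRANULE - 1);
    if (rounded == 0 || heap_top + rounded > HEAP_SIZE) return 0;
    uintptr_t base = (uintptr_t)heap + heap_top;
    uint8_t t = random_tag();
    for (size_t g = 0; g < rounded / GRANULE; g++) granule_tag[gidx(base) + g] = t;
    heap_top += rounded;
    return set_tag(base, t);
}

/* Models a tagging allocator's free(): retag the granules so a stale pointer
 * no longer matches (here: any tag other than the old one). */
void mte_free(uintptr_t p, size_t n) {
    size_t rounded = (n + GRANULE - 1) & ~(size_t)(GRANULE - 1);
    uint8_t old = ptr_tag(p), fresh;
    do { fresh = random_tag(); } while (fresh == old);
    for (size_t g = 0; g < rounded / GRANULE; g++) granule_tag[gidx(strip_tag(p)) + g] = fresh;
}

/* Models the check on every load/store: pointer tag must equal the granule
 * tag, otherwise a synchronous tag check fault. Returns false on fault. */
bool mte_store8(uintptr_t p, uint8_t v) {
    uintptr_t a = strip_tag(p);
    if (a < (uintptr_t)heap || a >= (uintptr_t)heap + HEAP_SIZE) return false;
    if (ptr_tag(p) != granule_tag[gidx(a)]) return false;      /* tag check fault */
    *(uint8_t *)a = v;
    return true;
}

/* Scenario 1: an in-bounds write with the matching key succeeds. */
bool valid_write_ok(void) {
    mte_reset();
    uintptr_t a = mte_alloc(32);
    return mte_store8(a + 31, 0x41);
}

/* Scenario 2: use-after-free; the stale pointer still carries the old tag. */
bool uaf_caught(void) {
    mte_reset();
    uintptr_t a = mte_alloc(32);
    mte_free(a, 32);
    return !mte_store8(a, 0x41);
}

/* Scenario 3: an attacker who must guess the victim's tag blind. Every wrong
 * guess faults (a crash on real hardware), so 15 of the 16 candidates fail. */
int faulting_guesses(void) {
    mte_reset();
    uintptr_t victim = mte_alloc(16);
    int faults = 0;
    for (uint8_t t = 0; t < 16; t++)
        if (!mte_store8(set_tag(victim, t), 0x41)) faults++;
    return faults;
}

/* Scenario 4: a linear overflow into the neighbouring object is caught only
 * when the two tags differ. With independent random tags that is 15/16 of the
 * time; the function returns the observed fraction of undetected overflows. */
double overflow_escape_rate(int trials) {
    int escaped = 0;
    for (int i = 0; i < trials; i++) {
        mte_reset();
        uintptr_t a = mte_alloc(16);
        (void)mte_alloc(16);                       /* neighbour with its own random tag */
        if (mte_store8(a + 16, 0x41)) escaped++;   /* one-granule overflow from a */
    }
    return (double)escaped / trials;
}

int main(void) {
    printf("valid write ok: %d\n", valid_write_ok());
    printf("use-after-free caught: %d\n", uaf_caught());
    printf("blind tag guesses that fault: %d/16\n", faulting_guesses());
    printf("overflow escape rate: %.3f (about 1/16 expected)\n", overflow_escape_rate(4000));
    return 0;
}
```

Two caveats on the model: production tagging allocators such as Scudo deliberately choose a neighbour's tag to differ from adjacent objects, so the 1-in-16 escape in scenario 4 is a property of this toy bump allocator rather than of a hardened MTE deployment; and real MTE offers asynchronous and asymmetric check modes in which a mismatch is reported later rather than faulting at the offending instruction. Scenario 3 is the point that matters for the talk's title: as long as a wrong guess costs a crash, brute force is impractical, which is why a side channel that reveals the tag without faulting undermines the scheme.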
