New ARM 'TIKTAG' attack impacts Google Chrome, Linux systems

A new speculative execution attack named "TIKTAG" targets ARM's Memory Tagging Extension (MTE), leaking MTE tags with a success rate above 95% and thereby bypassing the protection. The attack, demonstrated by researchers from Samsung, Seoul National University, and the Georgia Institute of Technology, affects Google Chrome and the Linux kernel. MTE, introduced in the Armv8.5-A architecture, assigns a 4-bit allocation tag to each 16-byte granule of memory and a matching 4-bit tag in the upper bits of every pointer; an access whose pointer tag does not match the granule's tag is reported as a fault. MTE operates in three modes: synchronous (the faulting access is stopped immediately), asynchronous (the fault is recorded and reported later), and asymmetric (synchronous for loads, asynchronous for stores).

Security Officer Comments:
The researchers used two code gadgets, TIKTAG-v1 and TIKTAG-v2, to abuse speculative execution and leak MTE memory tags. TIKTAG-v1 exploits branch prediction and data prefetching behavior to leak tags in the Linux kernel and requires the attacker to influence kernel pointers. TIKTAG-v2 uses store-to-load forwarding during speculative execution to leak tags in Google Chrome, specifically in the V8 JavaScript engine. A leaked tag is not itself sensitive data, but it removes the guesswork MTE relies on: with only 16 possible tag values, an attacker who learns the tag of a target granule can forge a pointer that passes the tag check, so a memory-corruption bug that MTE would otherwise have turned into a crash becomes exploitable again.
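The following is a software model, added here for illustration and not code from the TIKTAG paper, ARM, Chrome or the Linux kernel, of the MTE check described above and of why a leaked tag defeats it. The tag layout follows the architecture (4-bit tag in pointer bits 59:56, one 4-bit allocation tag per 16-byte granule); the toy heap, the helper names and the `tag_oracle` function are constructed. The oracle stands in for the microarchitectural side channel the TIKTAG gadgets provide: it reports whether a tag matches without raising a fault, which is exactly what an attacker must not be able to do.

```c
/* Software model of ARM MTE tag checking and of a tag-leak bypass (illustration only;
 * constructed for this page, not code from the TIKTAG paper or from ARM). */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define GRANULE_SHIFT 4                        /* 16-byte granules, as in MTE */
#define GRANULE_SIZE  (1u << GRANULE_SHIFT)
#define NUM_GRANULES  64                       /* constructed toy heap: 1 KiB */
#define TAG_SHIFT     56                       /* logical tag lives in bits 59:56 */
#define TAG_MASK      0xFULL                   /* 4-bit tag, 16 possible values */

static uint8_t heap[NUM_GRANULES * GRANULE_SIZE];
static uint8_t alloc_tag[NUM_GRANULES];        /* allocation tag per granule */

/* Addresses in this model are byte offsets into heap[] with the tag in bits 59:56. */
static uint64_t ptr_tag(uint64_t p) { return (p >> TAG_SHIFT) & TAG_MASK; }
static uint64_t ptr_off(uint64_t p) { return p & ~(TAG_MASK << TAG_SHIFT); }
static uint64_t set_tag(uint64_t p, uint64_t t) {
    return ptr_off(p) | ((t & TAG_MASK) << TAG_SHIFT);
}

/* Tag every granule covering [off, off+size) with t and hand back a tagged pointer,
 * the way an MTE-aware allocator does. */
static uint64_t mte_alloc(size_t off, size_t size, uint8_t t) {
    size_t end = (off + size + GRANULE_SIZE - 1) >> GRANULE_SHIFT;
    for (size_t g = off >> GRANULE_SHIFT; g < end; g++)
        alloc_tag[g] = t & TAG_MASK;
    return set_tag((uint64_t)off, t);
}

/* Synchronous-mode load: a pointer/allocation tag mismatch faults (returns false)
 * before any data is read. */
static bool mte_load(uint64_t tagged_ptr, uint8_t *out) {
    uint64_t off = ptr_off(tagged_ptr);
    if (off >= sizeof heap) return false;
    if (ptr_tag(tagged_ptr) != alloc_tag[off >> GRANULE_SHIFT]) return false;
    *out = heap[off];
    return true;
}

/* Without a leak, only one of the 16 tags passes for a given granule, so a blind
 * forgery succeeds with probability 1/16 and every wrong guess is a crash in
 * synchronous mode. */
static int count_tags_that_pass(uint64_t off) {
    int passing = 0;
    uint8_t v;
    for (uint64_t t = 0; t < 16; t++)
        if (mte_load(set_tag(off, t), &v)) passing++;
    return passing;
}

/* Constructed stand-in for the TIKTAG side channel: answers "does this tag match?"
 * without faulting. The real gadgets answer this via cache state. */
static bool tag_oracle(uint64_t tagged_ptr) {
    uint64_t off = ptr_off(tagged_ptr);
    return off < sizeof heap && ptr_tag(tagged_ptr) == alloc_tag[off >> GRANULE_SHIFT];
}

/* With the oracle, at most 16 fault-free probes recover the target's tag. */
static int recover_tag(uint64_t off) {
    for (uint64_t t = 0; t < 16; t++)
        if (tag_oracle(set_tag(off, t))) return (int)t;
    return -1;
}

/* End to end: an out-of-bounds read from object A into neighbour B is stopped by
 * MTE, then succeeds once B's tag has been leaked and stamped onto the pointer.
 * Returns the byte read from B, or -1 if the forged access was still blocked. */
static int demo_leak_and_forge(void) {
    memset(heap, 0, sizeof heap);
    memset(alloc_tag, 0, sizeof alloc_tag);
    uint64_t a = mte_alloc(0, 32, 0x5);           /* victim object A, tag 5 */
    uint64_t b = mte_alloc(32, 16, 0x9);          /* neighbour B, tag 9 */
    heap[ptr_off(b)] = 0x42;                      /* constructed "secret" byte in B */

    uint8_t v = 0;
    uint64_t oob = a + 32;                        /* A's pointer walked into B: still tag 5 */
    bool blocked = !mte_load(oob, &v);            /* MTE catches the mismatch */

    int leaked = recover_tag(ptr_off(oob));       /* TIKTAG-style tag leak */
    if (!blocked || leaked < 0) return -1;
    if (!mte_load(set_tag(oob, (uint64_t)leaked), &v)) return -1;
    return v;                                     /* forged pointer passes the check */
}

int main(void) {
    printf("tags passing for granule 2 without a leak: %d of 16\n", count_tags_that_pass(32));
    printf("byte read after leaking the tag: 0x%02x\n", demo_leak_and_forge());
    return 0;
}
```

Note that the model fixes the effective tag space at 16; real allocators typically exclude a few values (for example tag 0 for untagged memory), which shrinks the space further and makes a leak even more decisive. The oracle is the whole story: as long as a tag mismatch can only be observed by faulting, MTE holds; once a speculative gadget reports the match result through the cache, the 16-way guess collapses to a lookup.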

Suggested Corrections:
  • Modify the hardware so that speculative execution cannot change cache state based on the outcome of a tag check.
  • Insert speculation barriers to prevent speculative execution of the critical memory operations.
  • Add padding instructions to extend the execution window between branch instructions and the memory accesses that follow them.
  • Enhance sandboxing mechanisms to restrict speculative memory access to safe regions.