Arm MTE and Speculative Oracles
3 days ago
- #Memory Safety
- #Hardware Security
- #Speculative Execution
- Arm's Memory Tagging Extension (MTE) is designed to mitigate memory safety bugs by tagging memory granules and pointers, causing faults on mismatched accesses.
- MTE provides probabilistic security guarantees, making it harder but not impossible for attackers to exploit memory safety bugs due to the 4-bit tag space.
- Recent research (TikTag, Sticky Tags) demonstrates speculative execution attacks can leak MTE tags, using the L1D cache as a side channel.
- Arm acknowledges MTE's tags aren't secret within the address space, thus speculative leaks don't compromise the architecture's principles.
- Speculative execution of faulting instructions (like MTE tag checks) can create oracles, revealing whether a fault occurred through side channels.
- Implementations face a trade-off: cancel speculation to prevent data leaks (but reveal fault existence) or allow speculation (risking data leaks).
- Similar speculative oracles could leak information in other contexts, like page faults revealing memory layout or pointer authentication checks.