Overview of Memory Tagging Extension (Armv8.5-A)

This publication is a translation of Arm's whitepaper on the new Armv8.5-A Memory Tagging Extension (MTE). MTE aims to improve the security of code written in memory-unsafe languages without changes to the source code and, in some cases, without recompilation. Straightforward deployment of mechanisms that detect memory-safety violations and prevent their consequences can block the exploitation of a large class of vulnerabilities.



Introduction


In 1988 the Internet worm brought down a tenth of the still-young network and significantly slowed the rest (The Morris Worm). More than thirty years later, two classes of memory vulnerabilities remain relevant for code written in C-like programming languages. According to a 2019 BlueHat presentation, 70% of all security issues fixed in Microsoft products are caused by memory-safety violations. Google obtained similar data for Android: more than 75% of vulnerabilities are memory-safety violations. Although many of these violations would be impossible in more modern, safe languages, the body of code written in C and C++ is very large: Debian Linux alone contains over half a billion lines.


Memory-safety violations fall into two main categories: spatial safety and temporal safety. Exploitation of violations of the first type is usually aimed at:


  • delivering a malicious payload;
  • gaining control over the system (chained with other types of vulnerabilities);
  • leaking privileged information.

A spatial-safety violation occurs when an access to an object goes beyond its true bounds. An example is a buffer overflow on the stack, which can overwrite the function's return address and in turn form the basis of several types of attacks.




MTE . MTE , . . MTE , . ( ) .



MTE , , . .


MTE , . (legacy) MTE .


MTE . MTE , . MTE MTE , Branch Target Identification (BTI) Pointer Authentication Code (PAC), , , .


MTE


Memory Tagging Extension "-" (lock & key). (lock) . ( ), . ( ) .


16 . (Tag Granule). (lock).


(, , ) , .


, ́ , MTE Top Byte Ignore (TBI) Armv8-A. TBI , . . MTE .


"-" :


MTE , . ( 4), , . , , , , , , .


MTE - . , , 100%.
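The lock-and-key scheme this section sketches (a tag per 16-byte granule, the key carried in the pointer's top byte that TBI lets the hardware ignore), modelled in portable C as an added example; this is not code from the Arm whitepaper or from this translation. The 4-bit tag width and bit positions 59:56 are the architecture's values; the modelled heap, its offsets and the tag values are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
/* Software model of MTE lock-and-key checking (added example, not Arm's code).
 * Per the Armv8.5-A MTE architecture, each 16-byte granule has a 4-bit allocation
 * tag (lock); a pointer carries a 4-bit key in bits 59:56, ignored by TBI. */
#define GRANULE   16u
#define MEM_SIZE  256u                      /* constructed heap: 16 granules */
#define TAG_SHIFT 56
#define TAG_MASK  ((uint64_t)0xF << TAG_SHIFT)
static uint8_t mem[MEM_SIZE];                  /* modelled data bytes  */
static uint8_t alloc_tag[MEM_SIZE / GRANULE];  /* one lock per granule */
static uint64_t untag(uint64_t p)  { return p & ~TAG_MASK; }
static unsigned tag_of(uint64_t p) { return (unsigned)((p >> TAG_SHIFT) & 0xF); }
/* Allocator model: colour the object's granules with `tag` and return a pointer
 * whose key is that tag. `offset` is a granule-aligned offset into the heap. */
uint64_t mte_alloc(size_t offset, size_t size, unsigned tag)
{
    for (size_t g = offset / GRANULE; g < (offset + size + GRANULE - 1) / GRANULE; g++)
        alloc_tag[g] = (uint8_t)(tag & 0xF);
    return (uint64_t)offset | ((uint64_t)(tag & 0xF) << TAG_SHIFT);
}
/* Checked store: lock must equal key. Returns false where MTE would fault. */
bool mte_store(uint64_t p, uint8_t value)
{
    uint64_t addr = untag(p);
    if (addr >= MEM_SIZE || alloc_tag[addr / GRANULE] != tag_of(p)) return false;
    mem[addr] = value;
    return true;
}

/* Spatial case: stream n bytes into a 16-byte buffer whose neighbour carries a
 * different tag. Returns how many bytes land before the first tag-check fault. */
size_t overflow_demo(size_t n)
{
    uint64_t buf = mte_alloc(0, 16, 0x5);   /* victim buffer, key 5    */
    (void)mte_alloc(16, 16, 0xA);           /* adjacent object, key 10 */
    size_t written = 0;
    while (written < n && mte_store(buf + written, 0x41)) written++;
    return written;
}

/* Temporal case: "freeing" re-colours the granule, so a stale pointer's key
 * no longer matches and a later store through it faults. */
bool use_after_free_demo(void)
{
    uint64_t p = mte_alloc(32, 16, 0x3);    /* live object, key 3       */
    (void)mte_alloc(32, 16, 0x7);           /* free: lock retagged to 7 */
    return mte_store(p, 0x41);              /* false: key 3 != lock 7   */
}
```

Because the check is per 16-byte granule, an overrun that stays inside the object's last granule is not detected; that is the probabilistic, granule-level nature of the protection rather than a bug in the model.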



, Memory Tagging Extension Armv8-A. , :


  • Architectural Details
  • Deploying MTE at Scale
  • Deploying MTE in Hardware
  • Deploying MTE in Software
  • Optimizing for MTE

, Google MTE Android (Arm). /, .


a13xp0p0v and his excellent publication, CVE-2019-18683: Exploiting a Vulnerability in the Linux V4L2 Subsystem, which sparked interest in MTE.

