
Speculative ‘TikTag’ vulnerability leaves ARM processors open to attack


A newly detailed speculative attack vulnerability could leave devices using ARM CPUs more vulnerable to attack.

Dubbed "TikTag" by the team who discovered it, the flaw would potentially allow an attacker to access memory that would otherwise be protected through the CPU’s memory management tools.

According to the researchers, the key component of the attack is the Memory Tagging Extension (MTE), a hardware feature designed to limit a process’s access to potentially sensitive memory addresses.

By assigning a "tag" to each 16-byte section of memory and then requiring a matching tag in order to access the connected address, MTE would ideally limit access to memory that is not legitimately needed to perform a task.

This, in turn, would keep the attacker from probing sections of memory that could be prone to things such as use-after-free errors and buffer overflow attacks.
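To make the tag check described above concrete, here is a small software model of MTE's allocation tags and pointer tags. It is an added example, not code from the article or from the TikTag researchers: the 256-byte heap, the bump allocator, the fixed 1..15 tag sequence (real hardware draws tags randomly) and the three demo scenarios are all constructed for illustration. What it shows is the defensive property the article relies on: an out-of-bounds write, a use-after-free and a pointer with the wrong tag all fail the tag comparison, and the protection is only as good as the attacker's ignorance of the tag value.

```c
/* Toy software model of ARM MTE tag checking: an added example, not code from
 * the article or the TikTag researchers. Heap size, pointer layout and the
 * tag sequence are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define GRANULE     16                       /* one tag per 16-byte granule */
#define HEAP_SIZE   256                      /* constructed toy heap: 16 granules */
#define OFFSET_MASK 0x00FFFFFFFFFFFFFFULL

static uint8_t granule_tag[HEAP_SIZE / GRANULE]; /* allocation tag per granule */
static size_t  bump;                             /* bump-allocator cursor */
static uint8_t next_tag = 1;                     /* deterministic tag sequence, 1..15 */

/* Tagged pointer: 4-bit tag in bits 56..59 (the AArch64 top-byte layout),
 * toy-heap offset in the low bits. Tag 0 is reserved for "no allocation". */
typedef uint64_t tagged_ptr;

static tagged_ptr make_tagged(size_t off, uint8_t tag) {
    return ((uint64_t)(tag & 0xF) << 56) | ((uint64_t)off & OFFSET_MASK);
}
static uint8_t ptr_tag(tagged_ptr p)    { return (uint8_t)((p >> 56) & 0xF); }
static size_t  ptr_offset(tagged_ptr p) { return (size_t)(p & OFFSET_MASK); }

/* Real hardware draws tags randomly (IRG); a fixed cycle keeps this reproducible. */
static uint8_t fresh_tag(void) {
    uint8_t t = next_tag;
    next_tag = (uint8_t)(next_tag % 15 + 1);
    return t;
}

void mte_reset(void) {
    memset(granule_tag, 0, sizeof granule_tag);
    bump = 0;
    next_tag = 1;
}

/* Allocate n bytes: colour every granule of the block with one fresh tag and
 * hand back a pointer carrying that tag. Returns 0 (tag 0) when out of space. */
tagged_ptr mte_alloc(size_t n) {
    size_t granules = (n + GRANULE - 1) / GRANULE;
    if (granules == 0 || bump + granules * GRANULE > HEAP_SIZE) return 0;
    uint8_t tag = fresh_tag();
    for (size_t g = 0; g < granules; g++) granule_tag[bump / GRANULE + g] = tag;
    tagged_ptr p = make_tagged(bump, tag);
    bump += granules * GRANULE;
    return p;
}

/* Free: retag the granules so any stale copy of the pointer stops matching. */
void mte_free(tagged_ptr p, size_t n) {
    size_t granules = (n + GRANULE - 1) / GRANULE, base = ptr_offset(p) / GRANULE;
    uint8_t tag = fresh_tag();
    for (size_t g = 0; g < granules; g++) granule_tag[base + g] = tag;
}

/* The check the CPU applies to every tagged load/store: the pointer's tag must
 * equal the allocation tag of every granule touched. 1 = allowed, 0 = fault. */
int mte_check(tagged_ptr p, size_t len) {
    size_t off = ptr_offset(p);
    if (len == 0 || off + len > HEAP_SIZE) return 0;
    for (size_t g = off / GRANULE; g <= (off + len - 1) / GRANULE; g++)
        if (granule_tag[g] != ptr_tag(p)) return 0;
    return 1;
}

/* A write running past its 20-byte allocation into the neighbouring block.
 * Note MTE's granularity: bytes 20..31 still carry a's tag and pass the check. */
int demo_overflow_caught(void) {
    mte_reset();
    tagged_ptr a = mte_alloc(20);            /* granules 0-1, tag 1 */
    tagged_ptr b = mte_alloc(16);            /* granule 2, tag 2 */
    (void)b;
    return mte_check(a, 20) == 1 && mte_check(a, 32) == 1 && mte_check(a, 48) == 0;
}

/* A pointer used after its block was freed. */
int demo_use_after_free_caught(void) {
    mte_reset();
    tagged_ptr p = mte_alloc(16);
    mte_free(p, 16);                         /* granule retagged to 2 */
    return mte_check(p, 16) == 0;
}

/* The same address with a wrong tag versus the right one. This is why leaked
 * tags matter: a matching tag turns a fault into a silent, successful access. */
int demo_tag_must_match(void) {
    mte_reset();
    tagged_ptr p = mte_alloc(16);
    tagged_ptr forged = make_tagged(ptr_offset(p), (uint8_t)((ptr_tag(p) + 1) & 0xF));
    return mte_check(forged, 16) == 0 && mte_check(p, 16) == 1;
}
```

The model deliberately keeps MTE's 16-byte granularity: an overrun that stays inside the last granule of its own allocation is not detected, which is the same limitation the real hardware has. The third scenario is the one the article's attack bears on: with a 4-bit tag there are only 16 possibilities, so the guarantee rests on the tag staying secret rather than on the check itself being hard to pass.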

In the case of TikTag, MTE is prone to a speculative execution condition in which an attacker could flood the CPU with multiple requests and then, by observing how the CPU processes the instructions, potentially extract tags for the corresponding addresses.

This would give the attacker an end-run around MTE and the ability to then discover and execute other attacks that could potentially result in remote code execution or sensitive data disclosure.

A member of the team confirmed to CyberRisk Alliance that the issue was reported to ARM several months ago and the chip designer has been working with the researchers to get the flaw addressed and responsibly disclosed. The team member said that both hardware and software mitigations could potentially resolve the bug.

The team member also said the team has been working with Google and found that there are still a number of ways in which MTE can be effective in guarding memory.

“Google believes that MTE is still a strong mitigation against one-shot or limited-shot exploits where attackers have no direct control over code execution on the target,” explained Juhee Kim, a researcher from Seoul National University who worked on the research.

Speculative execution vulnerabilities have increasingly become an area of focus for security research in recent years, most notably in the form of the Spectre and Meltdown vulnerabilities.

The low-level nature of these vulnerabilities can make them extremely difficult to properly address with anything short of fundamental changes to the chip design, which makes them a tempting target for attackers who possess the ability to properly access and execute the complex attack techniques.
