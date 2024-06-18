erek
A bunch of bad spyware enablements lately. "Triangulation" infected dozens of iPhones belonging to employees of Moscow-based Kaspersky.
Spyware craft is interesting, from NSO Group's Pegasus to Candiru. "Kaspersky’s summary of the...”
“The authors have made their code available on GitHub. "When TikTag gadgets are speculatively executed, cache state differs depending on whether the gadgets trigger a tag check fault or not," the code repo explains. "Therefore, by observing the cache states, it is possible to leak the tag check results without raising any exceptions."
Access to leaked tags doesn't ensure exploitation. It simply means that an attacker capable of exploiting a particular memory bug on an affected device wouldn't be thwarted by MTE.
The researchers disclosed their findings to Arm, which acknowledged them in a developer note published in December 2023. The chip design firm said that timing differences in successful and failed tag checking can be enough to create an MTE speculative oracle – a mechanism to reveal MTE tags – in Cortex-X2, Cortex-X3, Cortex-A510, Cortex-A520, Cortex-A710, Cortex-A715, and Cortex-A720 processors.
However, Arm argues that the risk does not undermine the value of MTE, even as it urges the implementation of mechanisms to prevent speculative oracles. Mitigations that place speculation barriers and limit gadget construction could be implemented in Chromium and Linux kernel code, the authors suggest.
Google's Chrome team, the researchers say, acknowledged the issue but declined to fix it in Chrome's V8 engine because it "is not intended to guarantee the confidentiality of memory data and MTE tags." The authors observe that they somewhat agree since Chrome does not implement MTE by default, though they still would like to see their suggested mitigations deployed.
When the authors reported their work on MTE oracles in Pixel 8 devices to the Android Security Team in April 2024, they say the team acknowledged the issue, addressed it, and awarded a bug bounty.
Arm and Google did not immediately respond to requests for comment. ®”
Source: https://www.theregister.com/2024/06/18/arm_memory_tag_extensions_leak/
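Why a tag-check oracle matters: MTE tags are only 4 bits, so an attacker who can learn "would this tag pass the check?" without faulting needs at most 16 silent probes to find the right tag and then corrupts memory with an access MTE never flags. The C below is an added illustration of that arithmetic, not code from the TikTag authors, Arm, Google or The Register. It is a software model: the 16-byte granules, the tag in pointer bits 59:56 and the check itself are emulated in plain C so it runs on any machine, and the emulated check stands in for the cache side channel the researchers use as their oracle. All names (`mte_alloc`, `mte_store`, `recover_tag_with_oracle`, the 256-byte model heap) are hypothetical.

```c
// Software model of Arm MTE tag checking (not real MTE hardware, not the
// researchers' code). Shows why a tag-check oracle defeats MTE's 1-in-16 odds.
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define TAG_SHIFT  56        /* MTE allocation tag lives in pointer bits 59:56 */
#define TAG_MASK   0xFULL    /* 4-bit tag: only 16 possible values */
#define GRANULE    16        /* MTE tags memory in 16-byte granules */
#define HEAP_SIZE  256       /* hypothetical model heap */

/* Model of the hardware's tag memory: one 4-bit tag per granule. */
static uint8_t granule_tags[HEAP_SIZE / GRANULE];
static uint8_t heap[HEAP_SIZE];

/* "Pointers" in this model are byte offsets into heap[] with a tag in the top byte. */
static uintptr_t ptr_tag(uintptr_t p)   { return (p >> TAG_SHIFT) & TAG_MASK; }
static uintptr_t strip_tag(uintptr_t p) { return p & ~(TAG_MASK << TAG_SHIFT); }
static uintptr_t set_tag(uintptr_t p, unsigned tag) {
    return strip_tag(p) | ((uintptr_t)(tag & TAG_MASK) << TAG_SHIFT);
}

/* Emulated tag check on a load/store: true when pointer tag == granule tag. */
static bool tag_check(uintptr_t tagged_ptr) {
    uintptr_t off = strip_tag(tagged_ptr);
    if (off >= HEAP_SIZE) return false;
    return granule_tags[off / GRANULE] == ptr_tag(tagged_ptr);
}

/* Tagged allocation: tag every granule the object covers, return tagged pointer. */
static uintptr_t mte_alloc(uintptr_t off, size_t len, unsigned tag) {
    for (uintptr_t g = off / GRANULE; g < (off + len + GRANULE - 1) / GRANULE; g++)
        granule_tags[g] = tag & TAG_MASK;
    return set_tag(off, tag);
}

/* Store under MTE. Real hardware raises a tag check fault on mismatch; the
   model returns false so the caller can see the corrupting write being stopped. */
static bool mte_store(uintptr_t p, uint8_t v) {
    if (!tag_check(p)) return false;
    heap[strip_tag(p)] = v;
    return true;
}

/* Attacker side. A blind attacker guessing a tag succeeds 1 time in 16 and
   every miss is a fault (a crash and a detection event). With an oracle that
   reports the check result WITHOUT faulting, as the TikTag gadgets do via cache
   state, the attacker enumerates all 16 tags silently and picks the match. */
static int recover_tag_with_oracle(uintptr_t target_untagged,
                                   bool (*oracle)(uintptr_t)) {
    for (unsigned t = 0; t < 16; t++)
        if (oracle(set_tag(target_untagged, t)))
            return (int)t;
    return -1;  /* no tag passed: target not mapped in the model */
}

/* Worked scenario: victim object at offset 64 tagged 0xB; attacker holds a
   pointer with a wrong tag (a stale/forged pointer from some memory bug). */
static bool demo_oracle_attack(void) {
    memset(granule_tags, 0, sizeof granule_tags);
    memset(heap, 0, sizeof heap);
    mte_alloc(64, 32, 0xB);                       /* victim: granules 4 and 5 */
    uintptr_t wrong_ptr = set_tag(64, 0x3);       /* attacker's mismatched tag */

    bool blind_write = mte_store(wrong_ptr, 0x41);   /* false: MTE stops it */

    /* In the model the oracle is the emulated check itself; in the real attack
       it is the cache side effect of a speculatively executed tag check. */
    int leaked = recover_tag_with_oracle(64, tag_check);
    if (leaked < 0) return false;
    bool oracle_write = mte_store(set_tag(64, (unsigned)leaked), 0x41);

    return !blind_write && leaked == 0xB && oracle_write && heap[64] == 0x41;
}

int main(void) {
    printf("blind write stopped, oracle-assisted write landed: %s\n",
           demo_oracle_attack() ? "yes" : "no");
    return 0;
}
```

The model deliberately omits what makes the real oracle work (speculation past a tag check fault and the cache-timing measurement that follows), since that is processor-specific and is what the researchers' GitHub code demonstrates; the point here is only that once the check result leaks, the 4-bit tag space is exhausted in at most 16 fault-free probes, which is exactly why the note above says an attacker with a usable memory bug "wouldn't be thwarted by MTE."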
