Memory safety has been a major source of security vulnerabilities for decades. Today, software vendors report that vulnerabilities due to violations of memory safety account for most of the security issues in their products. This is supported by the research. According to a 2019 BlueHat presentation, 70 percent of all security issues addressed in Microsoft products are caused by violations of memory safety. Similar figures have been reported by Google for Android where over 75 percent of vulnerabilities are violations of memory safety.
There are several software mitigation techniques targeting memory safety, such as ASan and HWSAN. However, these can be costly in terms of both performance and battery life, making them unsuitable for widespread deployment. Arm’s Armv8.5-A Memory Tagging Extension (MTE) addresses these challenges, bringing a performant and scalable hardware solution that reduces the exploitability of memory safety violations that might be present in code written in unsafe languages.
Only recently, Google announced that it is adopting Arm’s MTE in Android. This is exciting news, with Google showing its continued commitment to security in the Android ecosystem. It also shows the strength of our MTE offering, with the article stating that the technology makes “it very hard to exploit memory bugs.” Alongside the security benefits, the disruption caused by not addressing memory safety bugs reduces user satisfaction and increases the cost of software development. With all these threats to the Android Ecosystem, you can understand why Google has made the commitment to MTE!
There are two main types of memory safety violations: spatial and temporal safety. MTE provides the mechanism to detect both types in production code with no instrumentation.
Spatial safety is violated when an object is accessed outside of its true bounds. For example, when data is written beyond the buffer or other object. This may be exploited to alter the target address of a function pointer, saved register, or similar.
Temporal safety is violated when a reference to an object is used after it has expired typically after the object’s memory has been freed – exploiting an existing “use after free” bug. Using knowledge of the allocator, an attacker can place a new and malicious object in place of the expected version. Any functions called on that object result in control of the program flow being given to the attacker. This can also form the basis of several types of attacks.
MTE is beneficial to security because it locates memory safety vulnerabilities before and after deployment. It is designed to quickly detect memory safety violations and provide robustness against the attacks that are attempting to subvert code. MTE implements a lock and key access to memory. If the key matches, then the lock memory access is permitted; otherwise access can be recorded or faulted. In this way, hard-to-catch memory safety errors can be detected more easily, which also aids general debugging.
Locating and fixing vulnerabilities before deployment reduces the attack surface of deployed code, with MTE increasing the effectiveness of the testing and fuzzing. Detecting vulnerabilities at scale after deployment supports reactively fixing vulnerabilities before they are widely exploited, with MTE assisting with this detection.
MTE is very flexible and can be deployed in different configurations at various stages of product development and deployment. MTE’s flexibility at scale allows trade-offs between lowest overhead and most accuracy in reporting. The ability to change configurations dynamically means that in the field accurate information about the location of an access failure can be relayed back to its developers by bug reporting and telemetry systems.
A newly published white paper on Armv8.5-A Memory Tagging Extension provides an excellent introduction to MTE and how it tackles the challenge of memory safety for security. It also explains how MTE can be optimized and describes how to deploy the technology in hardware and software, as well as at scale. The white paper and other supporting materials on Arm Developer, such as open source support for MTE, contain loads of interesting insights and information to help partners enhance memory safety for security.