BlueHat IL 2022 - Saar Amar - Security Analysis of MTE Through Examples
Uploader: Microsoft Israel R&D Center
Original upload date: Tue, 22 Mar 2022 00:00:00 GMT
Archive date: Tue, 22 Mar 2022 12:57:01 GMT
In the past few years, our industry has evolved a lot in our journey to improve security and mitigate memory safety. One of the key efforts is introducing new dedicated silicon that gives us guaranteeShow more
s and new abilities to rely on at the architectural level. Some examples are HLAT, PAC, MTE, CHERI, and many other hardware security features in Apple CPUs (KTRR, SPRR, etc.). Memory tagging is an interesting extension to the ARM CPUs. It gives us new kinds of primitives we didn’t have before regarding how we interact with memory. In this talk, I will present a security analysis of MTE and review which security guarantees are provided by the architecture and how compilers and software can use these to enforce a new level of mitigation in legacy code. This is an interesting process, mainly because MTE was originally designed for at-scale detection of bugs, not for memory safety mitigations purposes. To get a better and deeper understanding, we will go down the rabbit hole and develop an exploit on the latest Ubuntu in QEMU with the necessary support for MTE in place. We will reveal the impact of MTE during the exploitation process, alongside the areas still interesting for security research that might be a critical Achilles’ heel of MTE-based mitigations. Finally, I will share the takeaways from this research and discuss the possible impact MTE might have on memory safety in the long term.