Hi, I recently came across a study: https://arxiv.org/html/2406.08719v1
I want to ask if this attack poses any threat to GrapheneOS system or Vanadium browser?
bumping because interested.
Sounds like Google acknowledged it as a hardware flaw, from that link:
We also reported the MTE oracles in the Pixel 8 device to the Android Security Team in April 2024. Android Security Team acknowledged the issue as a hardware flaw of Pixel 8, decided to address the issue in Android’s MTE-based defense, and awarded a bounty reward for the report.
Agreed that it would be nice to get GOS-specific details though.
Response from the GrapheneOS account made in the chat rooms:
https://discord.com/channels/1176414688112820234/1176434676311797760/1253015434274406410
https://ibb.co/09Q6R4L
Quote:
this doesn't impact deterministic guarantees implemented via MTE
we have 4 deterministic properties: the tag set on the allocation dynamically excludes the random tags of adjacent allocations (or of a previous allocation if it's currently free) and the random tag of the previous allocation in the same slot
the tag 0 is reserved and is set on free
this is only about leaking the values of random tags, and there are other mitigations in place which help to make that harder
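To make the quoted properties concrete, here is an added simulation of the tag-selection rules described above. It is not hardened_malloc's or GrapheneOS's code: the arena of 8 contiguous slots, the xorshift PRNG and the array standing in for hardware tag storage are all assumptions of the model. The point it shows is that the three guarantees (adjacent overflow, use after free, stale pointer after slot reuse) hold no matter which random tag was picked, so leaking tag values does not weaken them; only accesses to non-adjacent slots depend on tags staying secret.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of the deterministic tagging rules from the thread, not real
   allocator code: the "memory tag" is an array and a "fault" is a return value. */
#define NSLOTS 8        /* slots of one size class, assumed contiguous */
#define NTAGS 16        /* MTE tags are 4 bits */
#define FREE_TAG 0      /* reserved: set on free, never given to a live allocation */

typedef struct {
    uint8_t tag[NSLOTS];      /* tag currently on each slot's memory (0 = free) */
    uint8_t prev_tag[NSLOTS]; /* tag the slot carried before its last free */
    uint32_t rng;             /* toy xorshift state; stands in for a real random source */
} arena_t;

static uint32_t next_rand(arena_t *a) {
    uint32_t x = a->rng;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return a->rng = x;
}

static void arena_init(arena_t *a, uint32_t seed) {
    memset(a, 0, sizeof *a);
    a->rng = seed ? seed : 1; /* xorshift must not start at 0 */
}

/* Tag a neighbour excludes: its live tag, or the tag it last had if it is free. */
static uint8_t neighbour_tag(const arena_t *a, int slot) {
    return a->tag[slot] != FREE_TAG ? a->tag[slot] : a->prev_tag[slot];
}

/* Pick a random tag for `slot` that differs from tag 0, from both neighbours'
   tags and from the slot's own previous tag. At most 4 of 16 tags are
   excluded, so a candidate always exists. */
static uint8_t choose_tag(arena_t *a, int slot) {
    int excluded[NTAGS] = {0};
    excluded[FREE_TAG] = 1;
    excluded[a->prev_tag[slot]] = 1;
    if (slot > 0)          excluded[neighbour_tag(a, slot - 1)] = 1;
    if (slot < NSLOTS - 1) excluded[neighbour_tag(a, slot + 1)] = 1;
    uint8_t candidates[NTAGS];
    int n = 0;
    for (int t = 0; t < NTAGS; t++)
        if (!excluded[t]) candidates[n++] = (uint8_t)t;
    return candidates[next_rand(a) % n];
}

/* malloc: returns the tag the handed-out pointer carries. */
static uint8_t alloc_slot(arena_t *a, int slot) {
    return a->tag[slot] = choose_tag(a, slot);
}

/* free: remember the old tag and retag the memory with the reserved tag 0. */
static void free_slot(arena_t *a, int slot) {
    a->prev_tag[slot] = a->tag[slot];
    a->tag[slot] = FREE_TAG;
}

/* Hardware check model: an access succeeds only if pointer and memory tags match. */
static int access_ok(const arena_t *a, int slot, uint8_t ptr_tag) {
    return a->tag[slot] == ptr_tag;
}

/* Run random alloc/free patterns and check in every state that:
   1. a linear overflow from a live slot into either neighbour faults,
   2. a use after free faults (memory is tag 0, the pointer tag is not),
   3. a stale pointer faults after the slot has been reused.
   Returns 1 if all held for `rounds` operations, 0 on the first violation. */
static int deterministic_properties_hold(uint32_t seed, int rounds) {
    arena_t a;
    arena_init(&a, seed);
    uint8_t live_tag[NSLOTS] = {0}; /* tag of the outstanding pointer per slot, 0 if none */
    for (int r = 0; r < rounds; r++) {
        int slot = (int)(next_rand(&a) % NSLOTS);
        if (live_tag[slot] == FREE_TAG) {
            uint8_t stale = a.prev_tag[slot];          /* a dangling pointer would carry this */
            live_tag[slot] = alloc_slot(&a, slot);
            if (stale != FREE_TAG && access_ok(&a, slot, stale)) return 0;  /* (3) */
        } else {
            uint8_t p = live_tag[slot];
            if (slot > 0 && access_ok(&a, slot - 1, p)) return 0;           /* (1) */
            if (slot < NSLOTS - 1 && access_ok(&a, slot + 1, p)) return 0;  /* (1) */
            free_slot(&a, slot);
            live_tag[slot] = FREE_TAG;
            if (access_ok(&a, slot, p)) return 0;                           /* (2) */
        }
    }
    return 1;
}

/* The probabilistic part: a pointer aimed at a NON-adjacent live slot may by
   chance carry a matching tag. This is the only case the exclusion rules leave
   to randomness, and therefore the only one where knowing tag values matters. */
static int count_nonadjacent_collisions(uint32_t seed) {
    arena_t a;
    arena_init(&a, seed);
    uint8_t t[NSLOTS];
    for (int s = 0; s < NSLOTS; s++) t[s] = alloc_slot(&a, s);
    int collisions = 0;
    for (int i = 0; i < NSLOTS; i++)
        for (int j = i + 2; j < NSLOTS; j++)
            if (access_ok(&a, j, t[i])) collisions++;
    return collisions;
}

int main(void) {
    printf("deterministic properties hold: %d\n", deterministic_properties_hold(12345u, 100000));
    printf("non-adjacent tag collisions in one arena: %d\n", count_nonadjacent_collisions(12345u));
    return 0;
}
```

Running it with different seeds never produces a violation of the three deterministic checks, while the non-adjacent collision count varies from arena to arena: that second number is the part an attacker who can read tag values would be learning about, and the first is what the "deterministic guarantees" in the quoted reply refer to.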
Articles like this make it sound like we might as well not have memory tagging. How bad is this exploit? Is it worth having a phone with tagging or is it basically the same at this point?
https://www.hackster.io/news/researchers-warn-of-arm-memory-tagging-extension-mte-bypass-vulnerabilities-in-the-google-pixel-8-05c7fef30b80
Citizen22 There is an official response being quoted in the post right above.
The answer is yes, MTE is incredibly valuable.
matchboxbananasynergy
OK, the response above is not in plain English. Do you really understand what it means? It sounds good, but it could mean something really important, or quite insignificant as far as I'm concerned.
we have 4 deterministic properties: the tag set on the allocation dynamically excludes the random tags of adjacent allocations (or of a previous allocation if it's currently free) and the random tag of the previous allocation in the same slot
What does that mean?
Citizen22 No, that's completely wrong. You're misinforming yourself reading highly inaccurate non-technical news coverage misrepresenting research. MTE works fine. Side channels leaking information are an overall issue with processors rather than something specific to MTE and do not impact providing deterministic security properties with MTE. It only impacts providing probabilistic security properties based on random secrets, and it doesn't make that pointless but rather offers the potential for a way to bypass it in limited circumstances through leaking the secrets. An attacker could also direct data they want access to instead of bypassing a protection. You should probably worry more about the use of side channels to leak data than random memory tag values.