evolutionary7881 Is it accurate to say there are only 24=16 tags (like from 0x0 to 0xF)? If so, does this imply a 1/16 (or 6.25%) chance of a successful exploit? What would happen if an attacker attempted the exploit 1000 times?
All this is only based on my understanding of how MTE works, I am in no way an expert on MTE.
There are 16 distinct tags, out of which one is reserved to indicate unallocated memory, so 15 distinct tags for allocated memory regions.
MTE as implemented by GrapheneOS hardened_malloc allocator makes sure that adjacent memory regions do not share tag, and that if a memory region is freed and then allocated again it will also get a different tag than it had. This fully and deterministically prevents many vulnerabilities, not just by chance, but prevent them every time. An attacker cannot read or write past the end of a buffer, if they are forced to read or write the bytes in sequence, as the buffer immediately after or before is guaranteed to have a different tag, and thus is guaranteed to trigger an MTE violation every time. The attacker would need to be able to skip over the whole next allocation for the attack to end up being probabilistic and thus possible to do with 1/15th chance of success. Many vulnerabilities does not allow skipping without accessing like that.
Use-after-free attacks are also made harder to exploit, as MTE is guaranteed to trigger if the still freed memory is accessed, or if the newly allocated memory in the same position is accessed. It doesn't become probabilistic to succeed with 1/15th chance until after that new allocated has also been freed, and yet another made in the same place. I am uncertain whether this deterministically and fully prevent exploitation of certain real vulnerabilities, as I imagine an attacker that can use a stale pointer in an interesting way can also always trigger an arbitrary amount of free and allocation calls to make the attack always probabilistic. But I am uncertain.