UPDATE: Initial MTE support is now available in GrapheneOS!

https://grapheneos.org/releases#2023103000


The below is quoted from the official GrapheneOS account, as can be seen here:

https://twitter.com/GrapheneOS/status/1716945639198880037

Pixel 8 and Pixel 8 Pro are ARMv9 devices supporting hardware memory tagging. Stock OS currently has a very primitive experimental implementation available as a developer option. We're going to be deploying a more advanced implementation for hardened_malloc in production soon.

Hardware memory tagging is going to provide a massive increase to protection against remote exploitation for GrapheneOS users. It's the biggest security feature we'll be shipping since we started in 2014. We want to have it enabled by default in async (fast) mode for the base OS.

We can provide a toggle for choosing between asynchronous (fast) and synchronous (more secure).

Many user-installed apps have latent memory corruption bugs so we aren't going to enable it for them initially. We'll provide a toggle for setting the default (disabled, async, sync).

There can be a per-app toggle for overriding the global default alongside the toggles we already provide for using the full 48-bit address space (enabled by default) and hardened malloc (enabled by default, requires 48-bit address space). This will be a security game changer.

ARM memory tagging support provides a limited form of memory safety for both memory unsafe languages (C, C++) and the small subset of unsafe code in memory safe languages (Rust, Java, Kotlin). hardened_malloc was designed to use memory tagging and will be making great use of it.

MTE uses 4-bit tags for each 16 bytes of memory. hardened_malloc will be using memory tagging for all small allocations, which means 128k and below by default. hardened_malloc already places random guards around large allocations and quarantines their address space on free.


Regarding a timeline on the feature:

https://twitter.com/GrapheneOS/status/1716951114845962439

Likely under 2 weeks to an experimental release with it disabled by default. Likely longer before we can enable it by default for the base OS in async mode.

    Firstly I apologise for my ignorance, is this a feature of Google that is currently working on newer phones only? Will other older devices like P6 and above get this feature?
    I understand that this is a major update on our privacy and would love to see it come to older pixels not only 8's.
    Thank you in advance for the response!

      If you want to know the difference between sync and async mode:

      https://community.arm.com/arm-community-blogs/b/operating-systems-blog/posts/new-mte-user-guide

      Synchronous mode (SYNC)

      In synchronous mode, a mismatch between the tag in the address and the tag in memory causes a synchronous exception. This identifies the precise instruction and address that caused the failure, at the cost of a slight performance impact.

      Asynchronous mode (ASYNC)

      In asynchronous mode, when a tag mismatch occurs the processor continues execution until the next kernel entry, such as a syscall or timer interrupt. At this point, it terminates the process with SIGSEGV using code SEGV_MTEAERR. The processor does not record the faulting address or memory access. ASYNC mode has a smaller impact on performance than SYNC mode.

      As synchronous mode prioritizes accuracy of bug detection over performance, it is most useful during development or as part of a continuous integration system. In these situations, the precise bug detection capability is more important than the performance overhead.

      On the other hand, ASYNC mode is optimized for performance over accuracy of bug reports. The information about where the bug occurred is less precise, but ASYNC mode provides a low overhead detection mechanism for memory safety bugs. It is useful for production systems when performance is more important than detailed bug information.

        What does MTE exactly protect you against? In what situations is this useful?

          [deleted] I have read the whole thread and also the link but it is a little bit too technical for me to understand it fully. Would be nice if someone could explain it little bit more easier as I want to learn :)

            PMUSR I second this, it sounds very exciting but I have got zero clue of what it means lol

            Can anyone give a very simple explanation that a consumer would understand?

            Thanks in advance

            MTE protects against buffer overflow.

            An example of a buffer overflow: I set a table of 4 elements in memory but I go checking the 5th element, 6th element and further --> I access, and potentially modify, willingly or not, more memory than expected with my initial small table.
            This problem is so common that we have the well known website named Stack Overflow.

            How is this discussion pinned but not actually pinned?

              Titan_M2 How is this discussion pinned but not actually pinned

              It is. Try opening a new incognito tab and visit discuss.grapheneos.org

              Keep in mind that the forum's sorting settings are most likely set to 'Latest' on your end by default. This means you'll see the posts sorted by the latest comments.

                matchboxbananasynergy

                Even if I don't fully understand how it works - just the fact that MTE addresses a gap that currently accounts for about 70% of severe security vulnerabilities sounds really great! 2 weeks seems like a really ambitious timeline - thank you for your great work, dear developers!


                Hello, thanks to MTE you will be able to patch bugs related to memory much faster if I understood correctly, so even if generation 6 and 7 are not compatible, research on security will also be beneficial for them?