One Article Review

Source: Project Zero
Identifier: 8364823
Publication date: 2023-08-02 09:30:09 (seen: 2023-08-02 17:05:49)
Title: MTE As Implemented, Part 1: Implementation Testing
Text: By Mark Brand, Project Zero

Background

In 2018, in the v8.5a version of the ARM architecture, ARM proposed a hardware implementation of tagged memory, referred to as MTE (Memory Tagging Extensions). Through mid-2022 and early 2023, Project Zero had access to pre-production hardware implementing this instruction set extension to evaluate the security properties of the implementation. In particular, we're interested in whether it's possible to use this instruction set extension to implement effective security mitigations, or whether its use is limited to debugging/fault detection purposes.

As of the v8.5a specification, MTE can operate in two distinct modes, which are switched between on a per-thread basis. The first mode is sync-MTE, where a tag-check failure on a memory access will cause the instruction performing the access to deliver a fault at retirement. The second mode is async-MTE, where a tag-check failure does not directly (at the architectural level) cause a fault. Instead, a tag-check failure sets a per-core flag, which can then be polled from the kernel context to detect that an invalid access has occurred.

This blog post documents the tests that we have performed so far, and the conclusions that we've drawn from them, together with the code necessary to repeat these tests. This testing was intended to explore both the details of the hardware implementation of MTE and the current state of the software support for MTE in the Linux kernel. All of the testing is based on manually implemented tagging in statically-linked standalone binaries, so it should be easy to reproduce these results on any compatible hardware.

Terminology

When designing and implementing security features, it's important to be conscious of the specific protection goal. In order to provide clarity in the rest of this post, we'll define some specific terminology that we use when talking about this:

Mitigation - A mitigation is something that reduces the real exploitability of a vulnerability or class of vulnerability. The expectation is that attackers can (and eventually will) find their way around it. Examples would
Tags: Vulnerability


The article does not appear to have been picked up again after its publication.


The article does not appear to have been picked up from an earlier one.