One Article Review

The article:
Source GoogleSec
Identifier 8407434
Publication date 2023-11-07 14:06:03 (seen: 2023-11-07 20:23:35)
Title MTE - The promising path forward for memory safety
Text Posted by Andy Qin, Irene Ang, Kostya Serebryany, Evgenii Stepanov

Since 2018, Google has partnered with ARM and collaborated with many ecosystem partners (SoC vendors, mobile phone OEMs, etc.) to develop Memory Tagging Extension (MTE) technology. We are now happy to share the growing adoption in the ecosystem. MTE is now available on some OEM devices (as noted in a recent blog post by Project Zero) with Android 14 as a developer option, enabling developers to use MTE to discover memory safety issues in their application easily.

The security landscape is changing dynamically; new attacks are becoming more complex and costly to mitigate. It's becoming increasingly important to detect and prevent security vulnerabilities early in the software development cycle and also have the capability to mitigate the security attacks at the first moment of exploitation in production.

The biggest contributor to security vulnerabilities is memory safety related defects, and Google has invested in a set of technologies to help mitigate memory safety risks. These include but are not limited to:

- Shifting to memory safe languages such as Rust as a proactive solution to prevent the new memory safety bugs from being introduced in the first place.
- Tools for detecting memory safety defects in the development stages and production environment, such as widely used sanitizer technologies (ASAN, HWASAN, GWP-ASAN, etc.) as well as fuzzing (with sanitizers enabled).
- Foundational technologies like MTE, which many experts believe is the most promising path forward for improving C/C++ software security and which can be deployed both in development and production at reasonably low cost.

MTE is a hardware based capability that can detect unknown memory safety vulnerabilities in testing and/or mitigate them in production. It works by tagging the pointers and memory regions and comparing the tags to identify mismatches.

In addition to the security benefits, MTE can also help ensure integrity because memory safety bugs remain one of the major contributors to silent data corruption that not only impacts customer trust, but also causes lost productivity for software developers.

At the moment, MTE is supported on some of the latest chipsets:

- Focusing on security for Android devices, the MediaTek Dimensity 9300 integrates support for MTE via ARM's latest v9 architecture (which is what Cortex-X4 and Cortex-A720 processors are based on). This feature can be switched on and off in the bootloader by users and developers instead of having it always on or always off.
- Tensor G3 integrates support for MTE only within the developer mode toggle. Feature can be activated by developers.

For both chipsets, this feature can be switched on and off by developers, making it easier to find memory-related bugs during development and after deployment. MTE can help users stay safe while also improving time to market for OEMs. Application develope
Sent Yes
Tags Vulnerability Mobile
Stories
Notes ★★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.