ExchangeDEX+
Buy CryptoMarketsSpotFutures500XEarnEvents
More
0 Spot Fees
This article details how speculative execution can be abused to leak ARM Memory Tagging Extension (MTE) tags via cache side channels, and how fuzzing reveals realThis article details how speculative execution can be abused to leak ARM Memory Tagging Extension (MTE) tags via cache side channels, and how fuzzing reveals real

ARM MTE Found Vulnerable to Speculative Tag Leakage on Pixel 8 Devices

Author: HackernoonSource: Hackernoon
2025/12/24 15:00
Tagger
TAG$0.0004656-1.60%
Pixels
PIXEL$0.008343+3.19%
Octavia
VIA$0.0086-3.37%
RealLink
REAL$0.07462+0.29%

Abstract

1. Introduction

2. Background

  • Memory Tagging Extension
  • Speculative Execution Attack

3. Threat Model

4. Finding Tag Leakage Gadgets

  • Tag Leakage Template
  • Tag Leakage Fuzzing

5. TIKTAG Gadgets

  • TIKTAG-v1: Exploiting Speculation Shrinkage
  • TIKTAG-v2: Exploiting Store-to-Load Forwarding

6. Real-World Attacks

6.1. Attacking Chrome

7. Evaluation

8. Related work

9. Conclusion And References

\

Finding Tag Leakage Gadgets

The security of MTE random tag assignment relies on the confidentiality of the tag information per memory address. If the attacker can learn the tag of a specific memory address, it can be used to bypass MTE—e.g., exploiting memory corruption only when the tag match is expected. In this section, we present our approach to discovering MTE tag leakage gadgets. We first introduce a template for an MTE tag leakage gadget (§4.1) and then present a template-based fuzzing to discover MTE tag leakage gadgets (§4.2).

\ 4.1. Tag Leakage Template

We first designed a template for a speculative MTE tag leakage gadget, which allows the attacker to leak the tag of a given memory address through speculative execution (Figure 1). The motivation behind the template is to trigger MTE tag checks in a speculative context and observe the cache state after the speculative execution. If there is any difference between tag match and mismatch, the attackers can potentially leak the tag check results and infer the tag

\ value. Since tag mismatch during speculative execution is not raised as an exception, such an attempt is not detected. We assume the attacker aims to leak the tag Tm assigned to targetaddr. To achieve this, the attacker prepares two pointers: guessptr and testptr ( 1 ). guessptr points to targetaddr while embedding a tag Tg— i.e., guessptr = (Tg«56)|(targetaddr & ~(0xff«56)). testptr points to an attacker-accessible, uncached address with a valid tag.

\ Next, the attacker executes the template with guessptr and testptr ( 2 ). The template consists of three components in order: BR, CHECK, and TEST. BR encloses CHECK and TEST using a conditional branch, ensuring that CHECK and TEST are speculatively executed. In CHECK, the template executes a sequence of memory instructions to trigger MTE checks. In TEST, the template executes an instruction updating the cache status of test_ptr, observable by the attacker later.

\ Our hypothetical expectation from this template is as follows: The attacker first trains the branch predictor by executing the template with condptr storing 1 and guessptr containing a valid address and tag. After training, the attacker executes the template with condptr storing 0 and guessptr pointing to targetaddr with a guessed tag, causing speculative execution of CHECK and TEST. If the MTE tag matches in CHECK, the CPU would continue to speculatively execute TEST, accessing testptr and filling its cache line.

\ If the tags do not match, the CPU may halt the speculative execution of TEST, leaving the cache line of testptr unfilled. Consequently, the cache line of testptr would not be filled. After executing the template, the attacker can measure the access latency of testptr after execution, and distinguish the cache hit and miss, leaking the tag check result ( 3 ). The attacker can then brute-force the template executions with all possible Tg values to eventually leak the correct tag of targetaddr.

\ ==Results.== We tested the template on real-world ARMv8.5 devices, Google Pixel 8 and Pixel 8 pro. We varied the number and type of memory instructions in CHECK and TEST, and observed the cache state of test_ptr after executing the template. As a result, we identified two speculative MTE leakage gadgets, TIKTAG-v1 (§5.1) and TIKTAG-v2 (§5.2) that leak the MTE tag of a given memory address in both Pixel 8 and Pixel 8 pro.

\ 4.2. Tag Leakage Fuzzing

To automatically discover MTE tag leakage gadgets, we developed a fuzzer in a similar manner to the Spectre-v1 fuzzers [48]. The fuzzer generates test cases consisting of a sequence of assembly instructions for the speculatively executed blocks in the tag leakage template (i.e., CHECK and TEST). The fuzzer consists of the following steps: Based on the template, the fuzzer first allocates memory for condptr, guessptr, and testptr. condptr and guessptr point to a fixed 128-byte memory region individually. testptr points to a variable 128-byte aligned address from a 4KB memory region initialized with random values.

\ Then, the fuzzer randomly picks two registers to assign condptr and guessptr from the available registers (i.e., x0-x28). The remaining registers hold a 128-byte aligned address within a 4KB memory region or a random value. The fuzzer populates CHECK and TEST blocks using a predefined set of instructions (i.e., ldr, str, eor, orr, nop, isb) to reduce the search space. Given an initial test case, the fuzzer randomly mutates the test case by inserting, deleting, or replacing instructions to generate new test cases.

\ The fuzzer runs test cases in two phases:

(i) a branch training phase, with condptr storing true and guessptr containing a correct tag; and

(ii) a speculative execution phase, with with condptr storing false and guessptr containing either a correct or wrong tag. The fuzzer executes each test case twice. The first execution runs the branch training phase and then the speculative execution phase with the correct tag. The second execution is the same as the first, but the only difference is to run the speculative execution phase with the wrong tag.

\ After each execution, the fuzzer measures the access latency of a cache line and compares the cache state between the two executions. This process is repeated for each cache line of the 4KB memory region. If a notable difference is observed, the fuzzer considers the test case as a potential MTE tag leakage gadget.

\ ==Results.== We developed the fuzzer and tested it on the same ARMv8.5 devices. As a result, we additionally identified variants of TIKTAG-v1 (§5.1) that utilize linked list traversal. The fuzzer was able to discover the gadgets within 1-2 hours of execution without any prior knowledge of them.

:::info Authors:

  1. Juhee Kim
  2. Jinbum Park
  3. Sihyeon Roh
  4. Jaeyoung Chung
  5. Youngjoo Lee
  6. Taesoo Kim
  7. Byoungyoung Lee

:::

:::info This paper is available on arxiv under CC 4.0 license.

:::

\

Market Opportunity
Tagger Logo
Tagger Price(TAG)
$0.0004656
$0.0004656$0.0004656
+0.80%
USD
Tagger (TAG) Live Price Chart
Disclaimer: The articles reposted on this site are sourced from public platforms and are provided for informational purposes only. They do not necessarily reflect the views of MEXC. All rights remain with the original authors. If you believe any content infringes on third-party rights, please contact service@support.mexc.com for removal. MEXC makes no guarantees regarding the accuracy, completeness, or timeliness of the content and is not responsible for any actions taken based on the information provided. The content does not constitute financial, legal, or other professional advice, nor should it be considered a recommendation or endorsement by MEXC.

You May Also Like

UXLINK Approves Token Buyback with 100% Community Support

UXLINK Approves Token Buyback with 100% Community Support

The post UXLINK Approves Token Buyback with 100% Community Support appeared on BitcoinEthereumNews.com. Key Points: UXLINK community approves token buyback with
Share
BitcoinEthereumNews2025/12/28 06:51
Best Crypto to Buy as Saylor & Crypto Execs Meet in US Treasury Council

Best Crypto to Buy as Saylor & Crypto Execs Meet in US Treasury Council

The post Best Crypto to Buy as Saylor & Crypto Execs Meet in US Treasury Council appeared on BitcoinEthereumNews.com. Michael Saylor and a group of crypto executives met in Washington, D.C. yesterday to push for the Strategic Bitcoin Reserve Bill (the BITCOIN Act), which would see the U.S. acquire up to 1M $BTC over five years. With Bitcoin being positioned yet again as a cornerstone of national monetary policy, many investors are turning their eyes to projects that lean into this narrative – altcoins, meme coins, and presales that could ride on the same wave. Read on for three of the best crypto projects that seem especially well‐suited to benefit from this macro shift:  Bitcoin Hyper, Best Wallet Token, and Remittix. These projects stand out for having a strong use case and high adoption potential, especially given the push for a U.S. Bitcoin reserve.   Why the Bitcoin Reserve Bill Matters for Crypto Markets The strategic Bitcoin Reserve Bill could mark a turning point for the U.S. approach to digital assets. The proposal would see America build a long-term Bitcoin reserve by acquiring up to one million $BTC over five years. To make this happen, lawmakers are exploring creative funding methods such as revaluing old gold certificates. The plan also leans on confiscated Bitcoin already held by the government, worth an estimated $15–20B. This isn’t just a headline for policy wonks. It signals that Bitcoin is moving from the margins into the core of financial strategy. Industry figures like Michael Saylor, Senator Cynthia Lummis, and Marathon Digital’s Fred Thiel are all backing the bill. They see Bitcoin not just as an investment, but as a hedge against systemic risks. For the wider crypto market, this opens the door for projects tied to Bitcoin and the infrastructure that supports it. 1. Bitcoin Hyper ($HYPER) – Turning Bitcoin Into More Than Just Digital Gold The U.S. may soon treat Bitcoin as…
Share
BitcoinEthereumNews2025/09/18 00:27
Edges higher ahead of BoC-Fed policy outcome

Edges higher ahead of BoC-Fed policy outcome

The post Edges higher ahead of BoC-Fed policy outcome appeared on BitcoinEthereumNews.com. USD/CAD gains marginally to near 1.3760 ahead of monetary policy announcements by the Fed and the BoC. Both the Fed and the BoC are expected to lower interest rates. USD/CAD forms a Head and Shoulder chart pattern. The USD/CAD pair ticks up to near 1.3760 during the late European session on Wednesday. The Loonie pair gains marginally ahead of monetary policy outcomes by the Bank of Canada (BoC) and the Federal Reserve (Fed) during New York trading hours. Both the BoC and the Fed are expected to cut interest rates amid mounting labor market conditions in their respective economies. Inflationary pressures in the Canadian economy have cooled down, emerging as another reason behind the BoC’s dovish expectations. However, the Fed is expected to start the monetary-easing campaign despite the United States (US) inflation remaining higher. Investors will closely monitor press conferences from both Fed Chair Jerome Powell and BoC Governor Tiff Macklem to get cues about whether there will be more interest rate cuts in the remainder of the year. According to analysts from Barclays, the Fed’s latest median projections for interest rates are likely to call for three interest rate cuts by 2025. Ahead of the Fed’s monetary policy, the US Dollar Index (DXY), which tracks the Greenback’s value against six major currencies, holds onto Tuesday’s losses near 96.60. USD/CAD forms a Head and Shoulder chart pattern, which indicates a bearish reversal. The neckline of the above-mentioned chart pattern is plotted near 1.3715. The near-term trend of the pair remains bearish as it stays below the 20-day Exponential Moving Average (EMA), which trades around 1.3800. The 14-day Relative Strength Index (RSI) slides to near 40.00. A fresh bearish momentum would emerge if the RSI falls below that level. Going forward, the asset could slide towards the round level of…
Share
BitcoinEthereumNews2025/09/18 01:23