Aiming at improving the security of the Android ecosystem, Google has partnered up with mobile silicon-maker ARM to implement a hardware-based bug detection tool specifically for memory-safety vulnerabilities.
Dubbed the memory-tagging extension (MTE), the feature helps mitigate these kinds of bugs by enabling easier detection of them. MTE has two execution modes, according to a recent post from Google on the effort: Precise mode, which provides more detailed information about the memory violation; and imprecise mode, which has lower CPU overhead and is more suitable to be always-on.
Memory-Safety Bugs
This class of vulnerabilities consists of flaws that arise in memory-access processes, such as buffer overflows, race conditions, page faults, null pointers, heap exhaustion/corruption, and use-after-free or double-free flaws.
“Memory-safety bugs, common in C and C++, remain one of the largest vulnerabilities in the Android platform and although there have been previous hardening efforts, memory-safety bugs comprised more than half of the high priority security bugs in Android 9,” the Google security team wrote – referring to the fact that C and C++ allow arbitrary pointer arithmetic with pointers implemented as direct memory addresses with no provision for bounds checking, and thus are considered memory-unsafe, according to a primer from the University of Cambridge.
The Google team pointed out that these flaws tend to show up as hard-to-diagnose reliability problems, “including sporadic crashes or silent data corruption.”
MTE Deployment Scenarios
To detect bugs, MTE, as the name suggests, enables memory-tagging (MT), also known as memory coloring. This is a mechanism that enables tracking of illegal memory operations by tagging (or coloring) allocated memory regions in order to detect mismatches.
“We believe that memory tagging will detect the most common classes of memory safety bugs in the wild, helping vendors identify and fix them, discouraging malicious actors from exploiting them,” according to the posting.
Google envisions several scenarios where MTE can factor in. One is by allowing testing of memory safety using the same binary as shipped to production. Also, MTE can be used as a mechanism for testing complex software scenarios in production.
“App developers and OEMs will be able to selectively turn on MTE for parts of the software stack,” the team wrote. “Where users have provided consent, bug reports will be available to developers via familiar mechanisms like Google Play Console.”
MTE can also be used as a strong security mitigation in the Android system and applications, according to the team.
“For most instances of such vulnerabilities, a probabilistic mitigation based on MTE could prevent exploitation with a higher than 90-percent chance of detecting each invalid memory access,” the researchers said. “By implementing these protections and ensuring that attackers can’t make repeated attempts to exploit security-critical components, we can significantly reduce the risk to users posed by memory safety issues.”
Google plans on implementing MTE throughout the Android ecosystem. It has already made inroads on that over the last year by deploying HWASAN, a software implementation of the memory-tagging concept, to test the Android platform and a few select apps. That trial run has uncovered close to 100 memory safety bugs, Google said. MTE is expected to improve upon these results by reducing overhead, improving the ease of deployment and thus the deployment scale, by creating the feature as a hardware-based function.
“We are working with select ARM System-on-Chip (SoC) partners to test MTE support and look forward to wider deployment of MTE in the Android software and hardware ecosystem,” according to the posting. “We are considering MTE as a possible foundational requirement for certain tiers of Android devices.”
The team added, “In parallel, we have been working on supporting MTE in the LLVM compiler toolchain and in the Linux kernel. The Android platform support for MTE will be complete by the time of silicon availability.”
Black Hat USA 2019 has kicked off this week in Las Vegas. For more Threatpost breaking news, stories and interviews from Black Hat and DEF CON, click here.
