ARM’s Memory Tagging Extension, designed to stop memory corruption, can be bypassed via speculative execution. New TIKTAG gadgets leak memory tags with over 95%

A Promising ARM Security Feature Isn’t as Bulletproof as It Looks

2025/12/23 11:17
7 min read

:::info Authors:

  1. Juhee Kim
  2. Jinbum Park
  3. Sihyeon Roh
  4. Jaeyoung Chung
  5. Youngjoo Lee
  6. Taesoo Kim
  7. Byoungyoung Lee

:::

Abstract

1. Introduction

2. Background

  • Memory Tagging Extension
  • Speculative Execution Attack

3. Threat Model

4. Finding Tag Leakage Gadgets

  • Tag Leakage Template
  • Tag Leakage Fuzzing

5. TIKTAG Gadgets

  • TIKTAG-v1: Exploiting Speculation Shrinkage
  • TIKTAG-v2: Exploiting Store-to-Load Forwarding

6. Real-World Attacks

6.1. Attacking Chrome

7. Evaluation

8. Related work

9. Conclusion And References

Abstract

ARM Memory Tagging Extension (MTE) is a new hardware feature introduced in the ARMv8.5-A architecture, aiming to detect memory corruption vulnerabilities. The low overhead of MTE makes it an attractive solution for mitigating memory corruption attacks in modern software systems, and it is considered the most promising path forward for improving C/C++ software security. This paper explores the potential security risks posed by speculative execution attacks against MTE.

Specifically, this paper identifies new TIKTAG gadgets capable of leaking the MTE tags from arbitrary memory addresses through speculative execution. With TIKTAG gadgets, attackers can bypass the probabilistic defense of MTE, increasing the attack success rate to close to 100%. We demonstrate that TIKTAG gadgets can be used to bypass MTE-based mitigations in real-world systems, Google Chrome and the Linux kernel.

Experimental results show that TIKTAG gadgets can successfully leak an MTE tag with a success rate higher than 95% in less than 4 seconds. We further propose new defense mechanisms to mitigate the security risks posed by TIKTAG gadgets.

Introduction

Memory corruption vulnerabilities present significant security threats to computing systems. By exploiting a memory corruption vulnerability, an attacker corrupts data stored in memory, hijacking the control flow or crafting the data of the victim. Such exploitation allows the attacker to execute arbitrary code, escalate privileges, or leak security-sensitive data, critically harming the security of the computing system.

In response to these threats, ARM Memory Tagging Extension (MTE) has recently been introduced with the ARMv8.5-A architecture as a new hardware extension to mitigate memory corruption attacks. Technically, MTE provides two hardware primitive operations, (i) tag and (ii) tag check. A tag operation assigns a tag to a memory location (i.e., a 4-bit tag to each 16-byte memory granule).

Then a tag check operation is performed when the memory is accessed. It compares two tags: one embedded within the pointer used to access the memory, and the other associated with the memory location to be accessed. If these two tags are the same, the access is allowed. Otherwise, the CPU raises a fault.

Using MTE, various mitigation techniques can be developed depending on which tag is assigned or which memory regions are tagged. For instance, MTE-supported memory allocators, such as Android Scudo [3] and Chrome PartitionAlloc [2], assign a random tag for all dynamically allocated memory. Specifically, a memory allocator is modified to assign a random tag for each allocation.

Then, a pointer to this allocated memory embeds the tag, and as the pointer is propagated, the tag is propagated together with it. When any dynamically allocated memory is accessed, a tag check operation is enforced. As the tags are randomly assigned at runtime, it is difficult for the attacker to correctly guess the tag. Thus the tag check operation statistically detects memory corruptions.

MTE introduces significant challenges for attackers to exploit the memory corruption vulnerability. This is because MTE-based solutions detect a violation behavior close to the root cause of spatial and temporal memory corruptions. Specifically, since MTE ensures that the relationship between a pointer and a memory location is not corrupted, it promptly detects the corruptions—i.e., MTE promptly detects the moment when out-of-bounds access takes place in a heap-overflow vulnerability or when a dangling pointer is dereferenced in use-after-free.
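As an added illustration of the tag and tag-check primitives described above (this is not code from the paper or the TIKTAG repository), the following C model assigns one 4-bit tag per 16-byte granule, carries the pointer tag in address bits 56..59 as AArch64 does, and shows why a blind guess passes the check with probability 1/16 while a known tag always passes; the heap layout, the parameterized (rather than random) allocation tag, and the helper names are assumptions.

```c
/* Software model of the MTE primitives described above: a 4-bit tag per 16-byte
 * granule, pointer tag in address bits 56..59. Added example, not paper code. */
#include <stdint.h>
#include <stddef.h>
#define GRANULE    16
#define HEAP_BYTES 4096
#define TAG_SHIFT  56
#define ADDR_MASK  ((1ULL << TAG_SHIFT) - 1)

static uint8_t granule_tag[HEAP_BYTES / GRANULE]; /* memory-side tags */

/* "tag" primitive: assign tag t to every granule covering [off, off+len). */
void mte_tag(size_t off, size_t len, uint8_t t) {
    for (size_t g = off / GRANULE; g * GRANULE < off + len; g++)
        granule_tag[g] = t & 0xF;
}

/* A tagged pointer: heap offset in the low bits, tag in bits 56..59. */
uint64_t make_ptr(size_t off, uint8_t t) {
    return ((uint64_t)(t & 0xF) << TAG_SHIFT) | (uint64_t)off;
}

/* "tag check" primitive: 1 = tags match (access allowed), 0 = tag check fault. */
int mte_check(uint64_t p) {
    uint8_t ptag = (uint8_t)((p >> TAG_SHIFT) & 0xF);
    size_t off = (size_t)(p & ADDR_MASK);
    if (off >= HEAP_BYTES) return 0;
    return granule_tag[off / GRANULE] == ptag;
}

/* Allocator behaviour from the text: tag the block, return a pointer carrying
 * the tag. Real allocators draw t at random; a parameter here for reproducibility. */
uint64_t mte_alloc(size_t off, size_t len, uint8_t t) {
    mte_tag(off, len, t);
    return make_ptr(off, t);
}

/* How many of the 16 candidate pointer tags pass the check at one address.
 * Exactly one: a blind guess succeeds with probability 1/16, a leaked tag always. */
int tags_passing(size_t off) {
    int n = 0;
    for (uint8_t t = 0; t < 16; t++) n += mte_check(make_ptr(off, t));
    return n;
}

/* Heap overflow: A (32 bytes) is followed by B. Reading a[32] reaches B with
 * A's tag; detected iff the two blocks got different tags (15 of 16 pairs). */
int overflow_detected(uint8_t tag_a, uint8_t tag_b) {
    uint64_t a = mte_alloc(0, 32, tag_a);
    mte_alloc(32, 32, tag_b);
    return !mte_check(a + 32);
}

/* Use-after-free: free() retags the block, so the dangling pointer's old tag fails. */
int uaf_detected(uint8_t old_tag, uint8_t new_tag) {
    uint64_t p = mte_alloc(64, 16, old_tag);
    mte_tag(64, 16, new_tag); /* what the free() path does */
    return !mte_check(p);
}
```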

This offers strong security advantages to MTE, particularly compared to popular mitigation techniques such as CFI [6, 52, 62], which does not detect memory corruption itself but only control-flow hijacking (i.e., an exploitation behavior). For these reasons, MTE is considered by many security experts [11, 47] to be the most promising path forward for improving C/C++ software security, since its first adoption with the Pixel 8 device in October 2023.

In this paper, we study whether MTE provides the security assurance it promises. In particular, we analyzed whether speculative execution attacks can be a security threat capable of breaking MTE. To summarize our results, we found that speculative execution attacks are indeed possible against MTE, which severely harms the security assurance of MTE. We discovered two new gadgets, named TIKTAG-v1 and TIKTAG-v2, which can leak the MTE tag of an arbitrary memory address.

Specifically, TIKTAG-v1 exploits the speculation shrinkage of the branch prediction and data prefetchers, and TIKTAG-v2 exploits the store-to-load forwarding behavior. To demonstrate the exploitability of real-world MTE-based mitigations, we developed two real-world attacks with distinctive attack surfaces: Google Chrome and the Linux kernel. Our evaluation results show that TIKTAG gadgets can leak MTE tags with a success rate higher than 95% in less than 4 seconds.

We further propose mitigation schemes to prevent the exploitation of TIKTAG gadgets while retaining the benefits of using MTE. Compared to the previous works on MTE side channels [22, 38], we think this paper makes unique contributions for the following reasons. First, Project Zero at Google reported that they were not able to find speculative tag leakage from the MTE mechanisms [38]. They concluded that speculative MTE check results do not induce distinguishable cache state differences between tag check success and failure.

In contrast, we found that tag checks indeed generate a cache state difference in speculative execution. Another independent work, StickyTags [22], discovered an MTE tag leakage gadget, which is one instance of the TIKTAG-v1 gadget, and suspected that the root cause lies in memory contention on spurious tag check faults. On the contrary, this paper performed an in-depth analysis, which identified that the speculation shrinkage in branch prediction and data prefetchers is the root cause of the TIKTAG-v1 gadget.

This paper additionally reports new MTE tag leakage gadgets, specifically variants of the TIKTAG-v1 gadget and the new TIKTAG-v2 gadget, along with exploitation developed against Chrome and the Linux kernel. Furthermore, this paper proposes new defense mechanisms to prevent TIKTAG gadgets from leaking MTE tags, at both the hardware and software levels. At the time of writing, MTE is still in the early stages of adoption.

Considering its strong security advantage, a large number of MTE-based mitigations (e.g., sensitive data protection [29, 31] and data-flow integrity [13, 40, 60]) are expected to be deployed in the near future on MTE-supporting devices (e.g., Android mobile phones).

As such, the results of this paper, particularly in how TIKTAG gadgets are constructed and how MTE tags can be leaked, shed light on how MTE-based solutions should be designed and how CPUs should be implemented at the microarchitectural level. We have open-sourced TIKTAG gadgets at https://github.com/compsec-snu/tiktag to help the community understand the MTE side-channel issues.

==Responsible Disclosure.== We reported MTE tag leakage gadgets to ARM in November 2023. ARM acknowledged and publicly disclosed the issue in December 2023 [34]. Another research group reported a similar issue to ARM and published their findings [22], which were conducted independently from our work.

We reported the speculative vulnerabilities in Google Chrome V8 to the Chrome Security Team in December 2023. They acknowledged the issues but decided not to fix the vulnerabilities because the V8 sandbox is not intended to guarantee the confidentiality of memory data and MTE tags. Since the Chrome browser currently does not enable its MTE-based defense by default, we agree with their decision to some extent.

However, we think that browser security can be improved if MTE-based defenses are deployed with the countermeasures we suggest (§6.1.4). We also reported the MTE oracles in the Pixel 8 device to the Android Security Team in April 2024. The Android Security Team acknowledged the issue as a hardware flaw of the Pixel 8, decided to address the issue in Android’s MTE-based defense, and awarded a bounty reward for the report.


:::info This paper is available on arxiv under CC 4.0 license.

:::
