Get a comprehensive understanding of Memory Tagging Extension (MTE), how to implement MTE in the Arm mobile ecosystem, and why MTE is an important security feature to address the industry challenge of memory safety vulnerabilities.
Minsheng Lu, Director of Security and Privacy Strategy, Arm Endpoint Business Unit
The future of computing will be driven by the increasing digitization of all aspects of our daily lives, which will also lead to an ever-increasing complexity of software and systems. According to relevant data reports, the number of vulnerabilities reported in 2022 exceeded 23,000 (of which more than 17,000 were classified as serious vulnerabilities), setting a new high for six consecutive years.
With Arm CPUs built on the latest Armv9 architecture, we can provide security features such as Memory Tagging Extension (MTE) to reduce these complexities and provide far-reaching security, safety, cost and time-to-market benefits to software developers, chip vendors and device manufacturers. Armv9 security improvements can reduce certain categories of vulnerabilities by up to 95%, such as memory safety violations, which account for the largest proportion of all severe security vulnerabilities.
Arm's MTE was first introduced in August 2019 as part of the Armv8.5 instruction set, and Arm announced in May 2021 that it would be built into the first Armv9-compatible CPU. Google announced the adoption of Arm's MTE in Android long before the launch of the Armv9 architecture, and is committed to supporting MTE across the entire Android stack. At the end of 2022, Honor announced at its Developer Conference that it would provide developers with MTE-enabled MagicOS 6.x and MagicOS 7 devices through Honor Skynet and in future DiagnosisKit tools. In the future, MTE may ship in Honor's mobile devices.
In this article, we will answer key questions about MTE, including what it is, how it addresses security challenges such as memory safety, what its benefits are, and what our partners are doing with this feature.
What is the role of MTE and how does it enable better software in the Arm ecosystem?
With MTE, developers can quickly find memory-related vulnerabilities and speed up application debugging and development processes. In addition, this feature supports dynamic configuration changes, which means that accurate information about the location of access failures can be sent back to developers through vulnerability reporting and telemetry systems in the field.
It is worth noting that many developers may find more vulnerabilities than they are able to fix when they first use MTE. However, the developer may decide to fix the most serious vulnerabilities before the product is released, and then address the less serious vulnerabilities during the update process. In addition, over time, the developer's code will become cleaner because the number of vulnerabilities caught in subsequent global scans will decrease, making this process more time-efficient. The frequency of crashes, complaints, and drills will also decrease.
With MTE, developers can detect and avoid memory safety vulnerabilities before and after deployment, which benefits the broader mobile ecosystem. Finding and fixing vulnerabilities before deployment is critical to ensuring security because it reduces the attack surface of deployed code. Detecting vulnerabilities after deployment allows for reactive fixes before they can be widely exploited, and MTE assists developers with such detection. This provides strong protection against attacks that attempt to compromise secure code.
Why is it so important to address memory safety violations?
Memory safety has been a major source of security vulnerabilities for decades. According to operating system vendors (OSVs), most security issues in their products stem from vulnerabilities caused by memory safety violations. Google's Chromium project team said that memory safety issues account for 70% of all serious security vulnerabilities.
Memory safety violations can have a huge impact on users. Malicious applications can access sensitive data, such as user credentials and passwords, through unsecured memory, allowing bad actors to access confidential data. In addition to the security aspects, outages caused by unresolved memory safety vulnerabilities can reduce user satisfaction, increase software development costs, and require more time to resolve such issues in the future.
Memory management issues have been around for decades and are still very common today. The Security Agency recently released guidance[6] to help software developers and operators prevent and mitigate software memory safety issues. The agency's "Software Memory Safety" cybersecurity information sheet highlights how malicious cyber actors can exploit poor memory management to access sensitive data, execute unauthorized code, and cause other negative consequences.
What is a memory safety violation?
There are two main types of memory safety violations: spatial safety violations and temporal safety violations. MTE provides a mechanism to detect both of these violations in production code without the use of any instrumentation.
Spatial safety is violated when an object is accessed outside of its true bounds, for example when data is written outside of a buffer or other object. This could be used to change the destination address of a function pointer, saved register, or similar object.
Temporal safety is violated when a reference to an object is used after it has expired, typically after the object's memory has been freed - exploiting an existing "use-after-free" vulnerability. With knowledge of the allocator, an attacker can place a new malicious object in place of the expected version.
How does MTE work?
Arm implements MTE as a two-stage system, a "lock" and a "key". If the key matches the lock, access to the locked memory is allowed; otherwise, the access can be logged or raise an error. This makes it easier to detect hard-to-catch memory safety errors and also helps with general debugging.
In a lock and key two-phase system, there are two types of tags:
Address tag, used as a key. This adds four high-order bits to every pointer in the process. Address tagging is only available for 64-bit applications because it relies on Top Byte Ignore (TBI), a feature of the 64-bit Arm architecture.
Memory tag, used as a lock. The memory tag also consists of four bits and is associated with each aligned 16-byte region in the application memory space. Arm calls these 16-byte regions tag granules. These four bits are not used for application data and are stored separately.
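The lock-and-key check described above can be modelled in plain C. This is an added example, not Arm's or Android's code: it simulates the tag check in software and uses no MTE instructions, and the names tptr, model_alloc, model_free and model_store, the 256-byte pool and the cycling tag policy are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#define GRANULE   16u          /* tag granule: one 4-bit lock per aligned 16 bytes */
#define POOL      256u         /* size of the modelled address space (assumption) */
#define TAG_SHIFT 56           /* model keeps the key in pointer bits 59:56 */
#define OFF_MASK  0xFFFFFFFFu
typedef uint64_t tptr;         /* model pointer: pool offset plus key in the top byte */

static uint8_t data[POOL];            /* application data */
static uint8_t lock[POOL / GRANULE];  /* memory tags, stored separately from data */
static size_t  brk_off;               /* bump-allocator cursor */
static uint8_t next_tag;

/* Constructed policy: cycle 1..15 so neighbours differ; real allocators randomise. */
static uint8_t fresh_tag(void) { return next_tag = (uint8_t)(next_tag % 15 + 1); }

static void set_lock(size_t off, size_t len, uint8_t tag) {
    for (size_t g = off / GRANULE; g * GRANULE < off + len; g++)
        lock[g] = tag;
}

/* Allocate whole granules, lock them, return a pointer carrying the matching key. */
tptr model_alloc(size_t len) {
    size_t off = brk_off, need = (len + GRANULE - 1) / GRANULE * GRANULE;
    if (len > POOL || need > POOL - off) return 0;   /* pool exhausted */
    uint8_t tag = fresh_tag();
    brk_off += need;
    set_lock(off, len, tag);
    return ((tptr)tag << TAG_SHIFT) | off;
}

/* Free re-locks the granules, so a stale pointer's key no longer fits. */
void model_free(tptr p, size_t len) {
    set_lock((size_t)(p & OFF_MASK), len, fresh_tag());
}

/* Checked store: 0 on success, -1 on key/lock mismatch (the tag check fault). */
int model_store(tptr p, size_t idx, uint8_t v) {
    size_t addr = (size_t)(p & OFF_MASK) + idx;
    if (addr >= POOL || lock[addr / GRANULE] != ((p >> TAG_SHIFT) & 0xF))
        return -1;
    data[addr] = v;
    return 0;
}

int main(void) {
    tptr a = model_alloc(20);
    return model_store(a, 32, 1) == -1 ? 0 : 1;  /* write past the last granule faults */
}
```

Because a lock covers a whole 16-byte granule, a 20-byte allocation occupies two granules, and a store at index 24 still passes the check; only accesses that cross into a granule with a different tag are caught.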
Why do mobile devices need MTE?
Mobile devices on the market in the future will have more advanced computing capabilities, and therefore a larger attack surface. At the same time, the amount and value of personal content and data obtained through these devices are also increasing. Therefore, it is necessary to implement a security function that provides a secure ecosystem and a secure digital experience for end users.
MTE is very flexible and can be deployed in different configurations at various stages of product development and deployment. For example, MTE can be configured in asynchronous and synchronous modes based on the process. Asynchronous mode has very low operating overhead and can be used to identify code areas with memory issues, while synchronous mode will error out when it encounters instructions that cause security violations and produce a large amount of debug information when vulnerabilities are detected. This flexibility is especially useful for large-scale deployments, as MTE is highly scalable and can run on millions or even billions of devices to provide reliable error detection capabilities for system and application software.
Who are Arm’s partners in MTE?
In August 2019, Google announced the adoption of Arm's MTE in Android, promising to support MTE in the Android stack and saying that by using this technology, "even if there is a memory vulnerability to exploit, it will become very difficult."
Arm's collaboration with Google on MTE technology is aimed at detecting memory safety vulnerabilities in existing code bases and in new code written. Here are comments from Google's Kostya Serebryany and Sudhi Herle:
We believe that memory tagging will be able to detect several of the most common memory safety vulnerabilities in the environment, helping vendors identify and fix them and preventing malicious actors from exploiting them.
Android 12 added an initial implementation of MTE that detects "use after free" and "buffer overflow" vulnerabilities, which are the most common sources of memory safety vulnerabilities in Google's codebase. In Android 13, Google added a developer mode boot switch to enable MTE on devices that have hardware support but do not have MTE permanently turned on. For future Android versions, Arm and Google will focus on reducing the memory used by MTE.
What do chip suppliers and equipment manufacturers think?
MTE is an inherent feature of all Armv9 CPUs. To address memory safety vulnerabilities in the software ecosystem, many Arm partners have built and enabled this feature in their chipsets. One of the first device manufacturers to use MTE is Honor, which announced that it will provide MagicOS 6.x and MagicOS 7 devices that support MTE to developers through Honor Skynet and in future DiagnosisKit tools. This strongly indicates that MTE can be enabled on mobile devices based on Armv9 technology that are about to enter the consumer market.
This achievement has begun to have a positive impact. Kuaishou is a leading content community and social platform. Kuaishou App is one of the most widely used short video and live broadcast mobile applications in China. According to the third quarter 2022 financial report data, the average daily active users of Kuaishou App are 363 million, the average monthly active users are 626 million, and Kuaishou's overseas products (Kwai and SnackVideo) have more than 160 million users. The company is currently working with Honor Skynet to use Arm MTE in large-scale projects to improve memory security. 90% of memory safety issues can be detected offline before the App is officially released, and the following benefits have been achieved: