LeakedCanary
Joined 3 karma

  1. Not sure if I understand this correctly:

    If an attacker somehow gains out-of-bounds write capability for a tagged memory region (via a pointer that points to that region, I assume), they could potentially write into a non-tagged memory region. Since the destination region is untagged, there would be no tag check against the pointer’s tag, effectively bypassing EMTE.

    > I believe they mean the source region's tag, rather than the destination.

    But in the previous case, the pointer the attacker uses should already carry the source region’s tag, so it’s still unclear if this is what they meant.

    I’m not sure which attack scenario they had in mind when they said this. It would help if they provided a concrete attack example.

  2. > ... With Enhanced MTE, we instead specify that accessing non-tagged memory from a tagged memory region requires knowing that region’s tag, ...

    I got a bit confused when reading this. What does it mean to "know the tag" if the memory region is untagged?

  3. I tend to disagree with the following sentence mentioned in the article:

    > One hypothesis is instruction-level parallelism

    This is Python code, whose execution is far removed from the actual CPU instructions executed. The experimental result feels more like something related to the memory cache.

This user hasn’t submitted anything.
