Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Google, ARM Boost Android Security With Memory Tagging Extension

In an effort to mitigate memory safety vulnerabilities in Android, Google and chipmaker ARM have released a new hardware feature called memory tagging extension (MTE). 

In an effort to mitigate memory safety vulnerabilities in Android, Google and chipmaker ARM have released a new hardware feature called memory tagging extension (MTE). 

The feature should allow for the detection of memory safety bugs with low overhead, Google says. Overall, it should help mitigate some of the largest security issues in Android, given that memory safety issues are common in C and C++. 

Despite hardening efforts, Google explains, these type of bugs comprised over half of the high security vulnerabilities in Android 9. On top of that, they manifest as hard to diagnose reliability problems, such as crashes and data corruption. 

MTE should make detection of memory safety bugs more resource efficient. It can either execute in a precise mode, to provide more detailed information about the memory violation, or in an imprecise mode, to lower CPU overhead and enable an always-on use. 

MTE, Google says, provides a version of AddressSanitizer (ASan)/Hardware-assisted AddressSanitizer (HWASan) easier to use for testing and fuzzing in laboratory environments and is able to find more bugs in only a fraction of time, at lower costs, thus reducing the complexity of the development process. 

“In many cases, MTE will allow testing memory safety using the same binary as shipped to production. The bug reports produced by MTE will be as detailed and actionable as those from ASAN and HWASAN,” Google explains

MTE could be used as a mechanism for testing complex software scenarios in production. App developers and ORMs will be able to selectively turn on MTE for parts of the software stack, and bug reports will be available via mechanisms like Google Play Console when users give their consent.

According to Google, MTE can be used as a strong security mitigation for many classes of memory safety bugs in the Android platform and in applications. For most instances, MTE should have a 90% or higher chance to detect invalid memory access and prevent exploitation. 

“By implementing these protections and ensuring that attackers can’t make repeated attempts to exploit security-critical components, we can significantly reduce the risk to users posed by memory safety issues,” Google says. 

Memory tagging is expected to detect the most common classes of memory safety bugs in the wild, helping with patching efforts and discourage exploitation, the Internet search giant says. 

To get Android ready for MTE, Google included support for MTE in the LLVM compiler toolchain and in the Linux kernel and also deployed HWASAN, which has uncovered close to 100 memory safety bugs. MTE is expected to greatly improve upon this in terms of overhead, ease of deployment, and scale, the company says. 

Committed to supporting MTE throughout the Android software stack, Google is working with ARM System On Chip (SoC) partners to test MTE support. The search company aims at a broader deployment of MTE in the Android software and hardware ecosystem and even considers the feature as a possible foundational requirement for certain tiers of Android devices.

Related: Android Enterprise Receives ISO 27001 Stamp

Related: Android Q Brings New Privacy and Security Features

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

South Dakota Gov. Kristi Noem says her personal cell phone was hacked and linked it to the release of documents by the January 6...

Cybercrime

A digital ad fraud scheme dubbed "VastFlux" spoofed over 1,700 apps and peaked at 12 billion ad requests per day before being shut down.

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...