Connect with us

Hi, what are you looking for?


Mobile & Wireless

Google, ARM Boost Android Security With Memory Tagging Extension

In an effort to mitigate memory safety vulnerabilities in Android, Google and chipmaker ARM have released a new hardware feature called memory tagging extension (MTE). 

In an effort to mitigate memory safety vulnerabilities in Android, Google and chipmaker ARM have released a new hardware feature called memory tagging extension (MTE). 

The feature should allow for the detection of memory safety bugs with low overhead, Google says. Overall, it should help mitigate some of the largest security issues in Android, given that memory safety issues are common in C and C++. 

Despite hardening efforts, Google explains, these type of bugs comprised over half of the high security vulnerabilities in Android 9. On top of that, they manifest as hard to diagnose reliability problems, such as crashes and data corruption. 

MTE should make detection of memory safety bugs more resource efficient. It can either execute in a precise mode, to provide more detailed information about the memory violation, or in an imprecise mode, to lower CPU overhead and enable an always-on use. 

MTE, Google says, provides a version of AddressSanitizer (ASan)/Hardware-assisted AddressSanitizer (HWASan) easier to use for testing and fuzzing in laboratory environments and is able to find more bugs in only a fraction of time, at lower costs, thus reducing the complexity of the development process. 

“In many cases, MTE will allow testing memory safety using the same binary as shipped to production. The bug reports produced by MTE will be as detailed and actionable as those from ASAN and HWASAN,” Google explains

MTE could be used as a mechanism for testing complex software scenarios in production. App developers and ORMs will be able to selectively turn on MTE for parts of the software stack, and bug reports will be available via mechanisms like Google Play Console when users give their consent.

Advertisement. Scroll to continue reading.

According to Google, MTE can be used as a strong security mitigation for many classes of memory safety bugs in the Android platform and in applications. For most instances, MTE should have a 90% or higher chance to detect invalid memory access and prevent exploitation. 

“By implementing these protections and ensuring that attackers can’t make repeated attempts to exploit security-critical components, we can significantly reduce the risk to users posed by memory safety issues,” Google says. 

Memory tagging is expected to detect the most common classes of memory safety bugs in the wild, helping with patching efforts and discourage exploitation, the Internet search giant says. 

To get Android ready for MTE, Google included support for MTE in the LLVM compiler toolchain and in the Linux kernel and also deployed HWASAN, which has uncovered close to 100 memory safety bugs. MTE is expected to greatly improve upon this in terms of overhead, ease of deployment, and scale, the company says. 

Committed to supporting MTE throughout the Android software stack, Google is working with ARM System On Chip (SoC) partners to test MTE support. The search company aims at a broader deployment of MTE in the Android software and hardware ecosystem and even considers the feature as a possible foundational requirement for certain tiers of Android devices.

Related: Android Enterprise Receives ISO 27001 Stamp

Related: Android Q Brings New Privacy and Security Features

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

The February 2023 security updates for Android patch 40 vulnerabilities, including multiple high-severity escalation of privilege bugs.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.