Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Google, ARM Boost Android Security With Memory Tagging Extension

In an effort to mitigate memory safety vulnerabilities in Android, Google and chipmaker ARM have released a new hardware feature called memory tagging extension (MTE). 

In an effort to mitigate memory safety vulnerabilities in Android, Google and chipmaker ARM have released a new hardware feature called memory tagging extension (MTE). 

The feature should allow for the detection of memory safety bugs with low overhead, Google says. Overall, it should help mitigate some of the largest security issues in Android, given that memory safety issues are common in C and C++. 

Despite hardening efforts, Google explains, these type of bugs comprised over half of the high security vulnerabilities in Android 9. On top of that, they manifest as hard to diagnose reliability problems, such as crashes and data corruption. 

MTE should make detection of memory safety bugs more resource efficient. It can either execute in a precise mode, to provide more detailed information about the memory violation, or in an imprecise mode, to lower CPU overhead and enable an always-on use. 

MTE, Google says, provides a version of AddressSanitizer (ASan)/Hardware-assisted AddressSanitizer (HWASan) easier to use for testing and fuzzing in laboratory environments and is able to find more bugs in only a fraction of time, at lower costs, thus reducing the complexity of the development process. 

“In many cases, MTE will allow testing memory safety using the same binary as shipped to production. The bug reports produced by MTE will be as detailed and actionable as those from ASAN and HWASAN,” Google explains

Advertisement. Scroll to continue reading.

MTE could be used as a mechanism for testing complex software scenarios in production. App developers and ORMs will be able to selectively turn on MTE for parts of the software stack, and bug reports will be available via mechanisms like Google Play Console when users give their consent.

According to Google, MTE can be used as a strong security mitigation for many classes of memory safety bugs in the Android platform and in applications. For most instances, MTE should have a 90% or higher chance to detect invalid memory access and prevent exploitation. 

“By implementing these protections and ensuring that attackers can’t make repeated attempts to exploit security-critical components, we can significantly reduce the risk to users posed by memory safety issues,” Google says. 

Memory tagging is expected to detect the most common classes of memory safety bugs in the wild, helping with patching efforts and discourage exploitation, the Internet search giant says. 

To get Android ready for MTE, Google included support for MTE in the LLVM compiler toolchain and in the Linux kernel and also deployed HWASAN, which has uncovered close to 100 memory safety bugs. MTE is expected to greatly improve upon this in terms of overhead, ease of deployment, and scale, the company says. 

Committed to supporting MTE throughout the Android software stack, Google is working with ARM System On Chip (SoC) partners to test MTE support. The search company aims at a broader deployment of MTE in the Android software and hardware ecosystem and even considers the feature as a possible foundational requirement for certain tiers of Android devices.

Related: Android Enterprise Receives ISO 27001 Stamp

Related: Android Q Brings New Privacy and Security Features

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.