
Memory Integrity Enforcement

(security.apple.com)
476 points by circuit | 1 comment
LeakedCanary No.45192762
> ... With Enhanced MTE, we instead specify that accessing non-tagged memory from a tagged memory region requires knowing that region’s tag, ...

I got a bit confused when reading this. What does it mean to "know the tag" if the memory region is untagged?

replies(1): >>45192994 #
axoltl No.45192994
I believe they mean the source region's tag, rather than the destination.
replies(1): >>45199295 #
LeakedCanary No.45199295
Not sure if I understand this correctly:

If an attacker somehow gains out-of-bounds write capability for a tagged memory region (via a pointer that points to that region, I assume), they could potentially write into a non-tagged memory region. Since the destination region is untagged, there would be no tag check against the pointer’s tag, effectively bypassing EMTE.

> I believe they mean the source region's tag, rather than the destination.

But in the previous case, the pointer the attacker uses should already carry the source region’s tag, so it’s still unclear if this is what they meant.

I’m not sure which attack scenario they had in mind when they said this. It would help if they provided a concrete attack example.
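The scenario LeakedCanary describes above, as an added example that is not part of the thread and is not Apple's or Arm's code: a toy model of the classic MTE rule, where the tag comparison is made against the destination granule and memory that is outside tagging is never checked at all. The granule layout, the tag values, the `UNTAGGED` sentinel and the helper names are all constructed for the illustration. The model deliberately does not guess at what EMTE's rule does; it only shows the gap the question is about, namely that an out-of-bounds store through a correctly tagged pointer is caught when it lands in a differently tagged neighbour but passes when it lands in untagged memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of MTE-style tag checking (constructed for illustration, not
 * Apple's or Arm's implementation). Memory is split into 16-byte granules;
 * each granule either carries a 4-bit tag or is outside tagging entirely. */
#define GRANULE   16
#define NGRANULES 8
#define UNTAGGED  0xFF   /* sentinel: granule is not covered by tag checking */

static uint8_t mem[NGRANULES * GRANULE];
static uint8_t granule_tag[NGRANULES];

/* A "tagged pointer": the address plus the tag the pointer was minted with
 * (on real hardware the tag lives in the top byte of the pointer). */
typedef struct {
    uint8_t tag;
    size_t  addr;
} tptr;

static void reset_memory(void)
{
    memset(mem, 0, sizeof mem);
    memset(granule_tag, UNTAGGED, sizeof granule_tag);
}

/* Tag n granules starting at granule g with tag t and hand back a pointer
 * that carries that tag, as an allocator would after a tagged allocation. */
static tptr tag_region(size_t g, size_t n, uint8_t t)
{
    for (size_t i = 0; i < n; i++)
        granule_tag[g + i] = t;
    tptr p = { t, g * GRANULE };
    return p;
}

/* Classic MTE rule: the check happens on the DESTINATION granule. If that
 * granule is tagged, its tag must equal the pointer's tag; if it is not
 * covered by tagging, no check is performed at all. */
static bool classic_store(tptr p, size_t off, uint8_t value)
{
    size_t a = p.addr + off;
    if (a >= sizeof mem)
        return false;                         /* outside the model entirely */
    uint8_t dst = granule_tag[a / GRANULE];
    if (dst != UNTAGGED && dst != p.tag)
        return false;                         /* tag mismatch: fault */
    mem[a] = value;
    return true;
}

/* The scenario from the comment: an out-of-bounds write through a pointer
 * into a tagged region whose neighbour is untagged memory.
 * Returns true if the write into the untagged neighbour was ALLOWED. */
static bool oob_into_untagged_is_allowed(void)
{
    reset_memory();
    tptr buf = tag_region(2, 2, 0x5);         /* granules 2-3 tagged 0x5 */
    /* granule 4 stays UNTAGGED */
    return classic_store(buf, 2 * GRANULE, 0x41);   /* offset 32 -> granule 4 */
}

/* Same overflow, but the neighbour is another tagged allocation with a
 * different tag. Returns true if the write was ALLOWED. */
static bool oob_into_tagged_is_allowed(void)
{
    reset_memory();
    tptr buf = tag_region(2, 2, 0x5);
    (void)tag_region(4, 1, 0x9);              /* neighbour tagged 0x9 */
    return classic_store(buf, 2 * GRANULE, 0x41);
}

/* Sanity check: an in-bounds write through the right tag succeeds. */
static bool in_bounds_is_allowed(void)
{
    reset_memory();
    tptr buf = tag_region(2, 2, 0x5);
    return classic_store(buf, 5, 0x41);       /* offset 5 -> granule 2 */
}

int main(void)
{
    printf("in-bounds write allowed:           %d\n", in_bounds_is_allowed());
    printf("OOB write into tagged neighbour:   %d\n", oob_into_tagged_is_allowed());
    printf("OOB write into untagged neighbour: %d\n", oob_into_untagged_is_allowed());
    return 0;
}
```

The third case is the one the comment worries about: the pointer carries the correct tag for its own region, the store lands in memory the model never checks, and so nothing fires. Whatever EMTE's "requires knowing that region's tag" rule means in practice, it has to add a check to exactly that path.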