researchers find an unfixable bug in EVERY ARM cpu

ARM is a great computer architecture with some great security features. In this video we talk about TikTag, a new attack that shows how one can use speculative execution to see the future.

Comments

Modern-day computing is too unsafe, let's all go be Amish.

WarDucc

Every time I hear the phrase 'speculative execution', I am reminded of what a late friend of mine used to say: "CPU designs should never incorporate speculative execution or branch prediction. They will inevitably lead to security vulnerabilities." He was also a big fan of the ARM architecture, because it did not use to do this thing. He passed away about fifteen years ago, but as it turns out he was right...

damouze

"There are 2 hard problems in computer science: cache invalidation, naming things, and off-by-1 errors." (Leon Bambrick)

KvapuJanjalia

People that figure this stuff out are so amazing. Like, I understand it after you explain it, and am like "yep, I get it," but I could never actually figure it out beforehand or even consider that it exists.

c.ladimore

My God. I guess it's time to check "security vulnerability found in something you worked on" off my bucket list.

I was an intern at Arm, on the team that worked on MTE. I did some work around the generation of the tags, and on simulating the overhead they would have in caches and memory.

I have such mixed feelings right now. :D

This seems like something we could have thought of. Meltdown and Spectre were fresh on our minds and a major topic of discussion in the company. I can imagine an alternate universe where I told my manager (or someone else on the team) "hey, have we thought about if tag mismatches could be a cache side channel?" Yet I don't think we ever discussed anything related to this? At least not in any of the meetings I was in.

But hindsight is 20/20. In retrospect, these things always seem obvious.

We were mostly focused on minimizing the performance overhead of memory tagging, because we were worried it would get in the way of adoption. We wanted our new optional security features to be supported by hardware manufacturers, who might not be happy if there was too much perf or memory overhead, extra hardware complexity, or cost / die area increase.

Though, I guess, despite this new vulnerability, it still delivers on its goals. MTE was supposed to be something that offers substantial security improvements for cheap. A "better than nothing" optional feature which, when enabled, has a good chance of catching some bugs that might not be found otherwise. It is probabilistic: even if it worked perfectly, there is still a small chance a memory bug might go undetected by it (if different allocations happen to be assigned the same tag by chance). It was not meant to be perfect, or any sort of bulletproof defense. Just a way to hopefully catch more bugs in the wild. If a vulnerability makes it less effective, that's still better than every other CPU that does not have something like MTE at all.

inodedentry
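The comment above describes MTE as probabilistic: every allocation gets a random tag, an access is only allowed when the pointer's tag matches the memory's tag, and a bug slips through when two allocations happen to share a tag. The toy model below is an added example written for this page; it is not code from the video, from Arm, or from the commenter. It assumes MTE's 4-bit tags (16 values) and 16-byte tag granules, and models a tagged pointer as a (tag, address) pair rather than as upper address bits. Nothing in it touches real hardware; the allocator, the `avoid_neighbour_tags` policy and the simulation functions are all constructed for illustration.

```python
"""Toy model of MTE-style memory tagging (added example, not the page's code).

Assumptions (labelled): 4-bit tags, 16-byte granules, pointer = (tag, address).
Demonstrates why detection is probabilistic (~15/16 per bug) and how an
allocator policy that never gives a neighbour the same tag makes linear
overflows and use-after-free deterministic to catch in this model.
"""
import random

TAG_BITS = 4
NUM_TAGS = 1 << TAG_BITS   # 16 possible tag values
GRANULE = 16               # bytes covered by one tag


class TaggedHeap:
    """Bump allocator over a flat address space with one tag per granule."""

    def __init__(self, size, rng, avoid_neighbour_tags=False):
        self.granule_tags = [0] * (size // GRANULE)
        self.sizes = {}                      # base address -> granule count
        self.rng = rng
        self.next_granule = 0
        self.avoid_neighbour_tags = avoid_neighbour_tags
        self.last_tag = None                 # tag of the adjacent, previous chunk

    def _random_tag(self, exclude):
        return self.rng.choice([t for t in range(NUM_TAGS) if t not in exclude])

    def malloc(self, nbytes):
        ngran = -(-nbytes // GRANULE)        # round up to whole granules
        if self.next_granule + ngran > len(self.granule_tags):
            raise MemoryError("toy heap exhausted")
        exclude = {self.last_tag} if self.avoid_neighbour_tags else set()
        tag = self._random_tag(exclude)
        base = self.next_granule * GRANULE
        for g in range(self.next_granule, self.next_granule + ngran):
            self.granule_tags[g] = tag
        self.sizes[base] = ngran
        self.next_granule += ngran
        self.last_tag = tag
        return (tag, base)                   # tagged pointer

    def free(self, ptr):
        old_tag, base = ptr
        # Retag the freed granules so a stale pointer stops matching. Without
        # the exclusion policy the new tag can collide with the old one.
        exclude = {old_tag} if self.avoid_neighbour_tags else set()
        new_tag = self._random_tag(exclude)
        for g in range(base // GRANULE, base // GRANULE + self.sizes[base]):
            self.granule_tags[g] = new_tag

    def access_ok(self, ptr, offset):
        """True if the load/store at ptr+offset passes the tag check."""
        tag, base = ptr
        granule = (base + offset) // GRANULE
        return self.granule_tags[granule] == tag


def simulate_linear_overflow(trials, avoid_neighbour_tags=False, seed=0):
    """Fraction of trials in which reading one byte past buffer `a` (into the
    neighbouring buffer `b`) is caught by the tag check."""
    rng = random.Random(seed)
    caught = 0
    for _ in range(trials):
        heap = TaggedHeap(4096, rng, avoid_neighbour_tags)
        a = heap.malloc(32)
        heap.malloc(32)                      # b, adjacent to a
        if not heap.access_ok(a, 32):        # first byte of b via a's pointer
            caught += 1
    return caught / trials


def simulate_use_after_free(trials, avoid_neighbour_tags=False, seed=0):
    """Fraction of trials in which a read through a freed pointer is caught."""
    rng = random.Random(seed)
    caught = 0
    for _ in range(trials):
        heap = TaggedHeap(4096, rng, avoid_neighbour_tags)
        a = heap.malloc(32)
        heap.free(a)
        if not heap.access_ok(a, 0):
            caught += 1
    return caught / trials


def expected_miss_rate():
    """Chance two independently, uniformly tagged chunks share a tag."""
    return 1 / NUM_TAGS


if __name__ == "__main__":
    print("expected miss rate per bug:", expected_miss_rate())
    print("overflow caught (random tags):", simulate_linear_overflow(10000))
    print("overflow caught (neighbour excluded):",
          simulate_linear_overflow(10000, avoid_neighbour_tags=True))
    print("UAF caught (random tags):", simulate_use_after_free(10000))
    print("UAF caught (retag excludes old):",
          simulate_use_after_free(10000, avoid_neighbour_tags=True))
```

With purely random tags both simulations land near 15/16 caught, which is the "small chance a memory bug might go undetected" the comment describes; excluding the neighbour's (or the freed chunk's) tag drives those two specific bug classes to 100% in the model, while a wild pointer landing on an arbitrary chunk is still caught only with probability 15/16. A tag-leaking side channel such as the one in the video does not change these probabilities; it lets an attacker learn which tag to use, which is why the comment frames MTE as a cheap "better than nothing" layer rather than a bulletproof defence.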

Weeks ago UEFI, now ARM last year I joked about hardware backdoors this year

skacper

I am a (retired) professional programmer. I never wanted my programs to run as fast as possible. I wanted them to run as reliably as possible, i.e. rock-solid reliably. I have seen countless examples of programmers being led astray by the siren song of premature optimization.

GH-oijf

Misleading title, there are ARM "chips" that do not have these extensions, many of them do not even support virtual memory

Krawacikd

Great breakdown! Not surprised to see that speculative execution is causing vulnerabilities on more than just x86 - really feels like it was only a matter of time before something like this was uncovered. The way it was done, though, is absolutely wild.

alphabitserial

Every time I hear 'Speculative Execution' it's about a security vulnerability

ameknite

OK, interesting, but this is a way to defeat a secondary defence. The program still has to contain an exploitable memory corruption in the first place. I think describing it as an unfixable bug is to some extent click-bait.

sylviaelse

You have, in my opinion, some of the best content ever hosted on YouTube. If this existed in 2004 my early programmer self would have had a much easier time learning how to exploit for fun ;).

aleckaczmarek

If you can run arbitrary TikTag code on the CPU, you don't need to break the memory tagging, just run whatever arbitrary code you want on the CPU.

anthonybachler

CPU vulnerabilities usually need relatively low-level hardware access in order to work.
But when I heard you saying somebody managed to exploit it from within V8 (being a web dev) it literally just hit me: we're f**d.
JS isn't as much of a toy these days. You can easily manipulate raw binary data in JavaScript. Some more tinkering and this would easily escalate to a sandbox escape and really, really low-level code injection... From within a browser...

shapelessed

Access to leaked tags doesn't ensure exploitation. It simply means that an attacker capable of exploiting a particular memory bug on an affected device wouldn't be thwarted by MTE.

ivankalinin

V8 engine screams to me: "you can do this on your phone right now"

justincondello

My jaw dropped when you said it works inside the V8 sandbox. Bless the researchers for finding this.

AngryKnees

IA64 had a ton of problems, but I really believe that explicit speculation was a great idea. So many of these attacks would be impossible on Itanium. (Insert joke about them not being attacked because no one used them)

jmickeyd

The way you explain in these videos even a golden retriever can grok these topics. No pun intended

Little-bird-told-me

There's a lot of 'IF's in there. If you can find the right code, if you can find the tag, if you can change it, if... if... if...
Whilst this is a possible route for an attack, has anyone actually used this in the real world, not just in the research lab?

kevintedder