A research team led by Professor Lee Byung-young of the Department of Electrical and Computer Engineering, College of Engineering, Seoul National University, has discovered a security vulnerability in the MTE (Memory Tagging Extensions) feature built into CPUs of the ARM family, designed by the British semiconductor design company ARM.
▲ (From left) First author Joohee Kim (graduate student) and corresponding author Professor Byeongyoung Lee
Google Pixel phones and other Android phones are at increased risk of hacking
Seoul National University has discovered a security vulnerability in ARM CPUs that increases the risk of hacking Android phones such as Google Pixel phones, demonstrating the need for a solution to the smartphone memory protection problem.
Seoul National University's College of Engineering announced on the 26th that a research team led by Professor Lee Byung-young of the Department of Electrical and Information Engineering discovered a security vulnerability in the MTE (Memory Tagging Extensions) feature built into CPUs of the ARM family, designed by the British semiconductor design company ARM.
The results of this study, jointly conducted by the Systems and Software Security Laboratory of the Department of Electrical and Computer Engineering at Seoul National University and researchers at Samsung Research, were presented in a paper titled 'Bypassing ARM's Memory Tagging Extension with a Side-Channel Attack' at the global cybersecurity conference 'BlackHat USA 2024' held in Las Vegas, USA on the 9th.
The paper was posted on the preprint server arXiv in July, and a video covering it on the overseas YouTube channel 'Low Level Learning', which is renowned for its in-depth computer and programming education content, has so far garnered over 500,000 views, drawing attention from the industry.
The MTE feature, which is built into many Android-based smartphones, including Google's Pixel 8 and Pixel 8 Pro, for hardware-based security, is a technology introduced by ARM in 2018. It plays a critical role in maintaining smartphone security: it detects memory safety violations and defends devices against attacks that exploit memory-safety bugs.
The research team found that MTE is vulnerable to a 'speculative execution attack' similar to existing techniques such as Spectre and Meltdown. A speculative execution attack exploits speculative execution, a technique in which the CPU predicts the path a program will take and performs that work in advance to increase speed. If the program then takes a different path, the speculatively computed results are discarded, but the discarded work still leaves side effects behind, and this attack method exploits the information exposed in that process.
The researchers then discovered a technique to bypass MTE's security detection and used it to prove a vulnerability in the Android kernel by extracting the MTE tag of a specific memory address with a high probability of over 95% within 4 seconds. If the security of the MTE protecting the Chrome browser and the Linux kernel is compromised in this way, the system will be at greater risk of being hacked.
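To make concrete what MTE's 4-bit tag check buys and why leaking the tag defeats it, here is an added toy simulation; it is not the research team's code or ARM's implementation, and the irg/stg-style allocator behaviour and the 64-byte memory layout are assumptions made for the illustration:

```python
import random

TAG_BITS, GRANULE, TAG_SHIFT = 4, 16, 56   # 4-bit tag per 16-byte granule, carried in the top pointer byte
ADDR_MASK, TAG_MASK = (1 << TAG_SHIFT) - 1, (1 << TAG_BITS) - 1

def tag_of(ptr):
    return (ptr >> TAG_SHIFT) & TAG_MASK

class MteMemory:
    """Constructed toy model of MTE tag checking; not ARM's implementation."""

    def __init__(self, size, seed=None):
        self.granule_tags = [0] * (size // GRANULE)   # one tag per 16-byte granule
        self.rng = random.Random(seed)

    def alloc(self, addr, size, exclude=()):
        """Allocator: pick a random tag (as 'irg' with an exclusion mask) and set it on every granule (as 'stg')."""
        tag = self.rng.choice([t for t in range(1 << TAG_BITS) if t not in exclude])
        for g in range(addr // GRANULE, (addr + size + GRANULE - 1) // GRANULE):
            self.granule_tags[g] = tag
        return addr | (tag << TAG_SHIFT)

    def access_ok(self, ptr):
        """The check made on every load/store: pointer tag must equal granule tag,
        otherwise the hardware raises a tag-check fault (modelled here as False)."""
        return self.granule_tags[(ptr & ADDR_MASK) // GRANULE] == tag_of(ptr)

def overflow_is_detected():
    """Writing one byte past a 32-byte buffer lands in a neighbour that was given a different tag."""
    mem = MteMemory(64)
    buf = mem.alloc(0, 32)
    mem.alloc(32, 32, exclude={tag_of(buf)})
    return not mem.access_ok(buf + 32)

def forged_pointer_detected(mem, target, guessed_tag):
    """A pointer forged from target's address is caught only when the guessed tag is wrong."""
    return not mem.access_ok((target & ADDR_MASK) | (guessed_tag << TAG_SHIFT))

def blind_guess_detections():
    """With no tag leak, trying all 16 tags is caught 15 times; a leaked tag needs a single try."""
    mem = MteMemory(64)
    target = mem.alloc(32, 32)
    return sum(forged_pointer_detected(mem, target, t) for t in range(1 << TAG_BITS))
```

The simulation shows why the tag value is the whole secret: the 95% tag leak described above turns a 15-in-16 chance of being caught into an access the hardware check accepts.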
Professor Lee Byung-young, who was in charge of the research process, said, “Most Android-based smartphones are equipped with the Chrome browser and the Linux kernel, so it is absolutely necessary to find a solution to resolve the security vulnerability of MTE, which is directly related to smartphone memory security.” He added, “Not only did ARM acknowledge the research team’s discovery and mention it in the developer’s note, but the Google Android security team also offered the research team a bug bounty and decided to quickly resolve the security vulnerability issue in the Pixel 8 device. This research outcome is encouraging.”
Meanwhile, the future career paths and unique backgrounds of the graduate students from the Department of Electrical and Information Engineering who participated in this research as members of the Seoul National University System and Software Security Laboratory are also attracting attention from the academic world.
The first author of the paper, Joohee Kim, is conducting various research on ARM MTE attacks and defenses. In particular, during this research process, she actively communicated with Google engineers in charge of Chrome, Android, and the Linux kernel, and took on the role of sharing verified research results with Google.
Co-author Jaeyoung Jeong, as the president of the Seoul National University hacking club Guardian, has led undergraduate students' security and hacking-related activities. He achieved the feat of advancing to the finals of the 'DEFCON International Hacking Competition (DEFCON CTF 32)' held in Las Vegas, USA from the 9th to the 11th.
Co-author Youngju Lee is a special case in that he obtained his bachelor's degree through the credit bank system without going through a regular university and entered the graduate school of the Department of Electrical and Information Engineering at Seoul National University. He has demonstrated excellent hacking skills since he was a high school student, reporting vulnerabilities in famous open source programs and advancing to the finals of the Defcon competition several times. Additionally, in the first half of this year, he conducted visiting research in the laboratory of Professor Xinyu Xing at Northwestern University in the United States, and is scheduled to participate as a member of the team in the semi-finals of the 'AI Cyber Challenge (AIxCC)' hosted by the U.S. Department of Defense this year.