News

Google Taps Arm's Memory Tagging to Fight Android Bugs

• By David Ramel
• August 6, 2019

With memory-safety bugs continuing to haunt developers of all types -- especially those using C++ -- Google will borrow from Arm's memory tagging scheme to harden its Android mobile platform development.

The Arm architecture last year adopted memory tagging, a hardware feature that assigns a tag to each allocation of memory, such that all accesses to that memory must be made with the use of a pointer that includes the correct tag. The use of a pointer with an incorrect tag for the memory allocation causes errors that can be used in developer testing or to provide feedback to developers in real-world usage.

Noting that memory safety bugs are one of the largest sources of Android vulnerabilities, Google said it will work with Arm to create a memory tagging extension (MTE) for usage modes such as:

• MTE provides a version of ASAN/HWASAN (Hardware-assisted AddressSanitizer) that is easier to use for testing and fuzzing in laboratory environments. It will find more bugs in a fraction of the time and at a lower cost, reducing the complexity of the development process. In many cases, MTE will allow testing memory safety using the same binary as shipped to production. The bug reports produced by MTE will be as detailed and actionable as those from ASAN and HWASAN.
• MTE will be used as a mechanism for testing complex software scenarios in production. App developers and OEMs will be able to selectively turn on MTE for parts of the software stack. Where users have provided consent, bug reports will be available to developers via familiar mechanisms like Google Play Console.
• MTE can be used as a strong security mitigation in the Android System and applications for many classes of memory safety bugs. For most instances of such vulnerabilities, a probabilistic mitigation based on MTE could prevent exploitation with a higher than 90 percent chance of detecting each invalid memory access. By implementing these protections and ensuring that attackers can't make repeated attempts to exploit security-critical components, we can significantly reduce the risk to users posed by memory safety issues.

"We believe that memory tagging will detect the most common classes of memory safety bugs in the wild, helping vendors identify and fix them, discouraging malicious actors from exploiting them," Google said in an Aug. 2 post. "During the past year, our team has been working to ensure readiness of the Android platform and application software for MTE. We have deployed HWASAN, a software implementation of the memory tagging concept, to test our entire platform and a few select apps. This deployment has uncovered close to 100 memory safety bugs. The majority of these bugs were detected on HWASAN enabled phones in everyday use. MTE will greatly improve upon this in terms of overhead, ease of deployment, and scale.

"In parallel, we have been working on supporting MTE in the LLVM compiler toolchain and in the Linux kernel. The Android platform support for MTE will be complete by the time of silicon availability."

Google isn't the only major tech company turning its attention to memory safety bugs commonly associated with C++. Microsoft, which creates many of its flagship enterprise apps and much other software with C++, recently announced it was investigating the possibility of moving to a safer alternative, such as Rust, which it said includes many of the benefits of C++ while incorporating built-in memory safety.