Google Security Expert Tinkers With Memory Protection on Pixel 8

Memory Protection on Pixel 8

Mark Brand, a researcher at Google's Project Zero security team, has revealed that he has enabled Memory Tagging Extensions (MTE) on his personal Google Pixel 8 smartphone. 

In his blog post titled "First handset with MTE on the market", Brand explains that he has been eager to try out MTE ever since it was announced for ARM CPUs in 2017. The recently launched Pixel 8 and 8 Pro are the first phones to support the feature.

If you don't know about MTE, then here is a brief description of it.

Memory Tagging Extensions (MTE) is a hardware-based security feature that can help to prevent memory safety vulnerabilities. It works by tagging each memory allocation with a unique identifier, and then checking that the identifier matches when the memory is accessed. This can help to detect errors such as buffer overflows and use-after-free vulnerabilities.

In short, MTE is a feature that can detect and prevent certain types of memory corruption vulnerabilities.

MTE can benefit users in a number of ways:

  1. Improved security: MTE can help to prevent a wide range of memory safety vulnerabilities, which can be exploited by attackers to gain control of a system or steal data.
  2. Increased reliability: MTE can help to reduce the number of crashes and other stability problems caused by memory safety errors.
  3. Reduced development costs: MTE can help to reduce the time and effort required to develop and test secure software.

Brand details the process he went through to enable MTE on his Pixel 8, using adb commands to configure the bootloader and set default MTE modes. 

Enabling MTE on Pixel 8/Pixel 8 Pro

Enabling MTE on an Android device requires the bootloader to reserve a portion of the device memory for storing tags. This means that there are two separate places where MTE needs to be enabled: first the bootloader must be configured to turn it on, and then the system must be configured to use it in applications.

Here are the steps for enabling MTE on Pixel 8/Pixel 8 Pro:

  1. Enable developer mode and USB debugging on the Pixel device.
  2. Connect the phone to a computer with ADB tools installed.
  3. Use the ADB shell to run these commands:
    • setprop arm64.memtag.bootctl memtag (configures the bootloader to enable MTE)
    • setprop persist.arm64.memtag.default sync (sets the default MTE mode for native executables to synchronous)
    • setprop persist.arm64.memtag.app_default sync (sets the default MTE mode for apps to synchronous)
    • reboot (reboots the device to apply the changes)
  4. Check /proc/self/smaps to confirm MTE is enabled for processes.
  5. Run a test app to verify that MTE catches bugs like use-after-free.
  6. Disable USB debugging for daily use, but leave developer mode on.
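The following script is an added example, not code from Brand's post. It wraps the adb steps above in two functions and adds the verification from step 4: the Linux kernel marks a mapping with MTE tag checking enabled by listing the flag `mt` (VM_MTE) on that mapping's VmFlags line in /proc/<pid>/smaps, so the script looks for that flag. The property names are the ones quoted in the article; the `adb` binary on PATH, the function names, and the sample smaps text are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from Brand's post). Requires a Pixel 8/8 Pro with
# developer mode and USB debugging on, and adb on PATH for the adb_* steps.

# Step 3 of the procedure: configure the bootloader and the default MTE modes,
# then reboot so the bootloader can reserve tag storage.
adb_enable_mte() {
    adb shell setprop arm64.memtag.bootctl memtag
    adb shell setprop persist.arm64.memtag.default sync
    adb shell setprop persist.arm64.memtag.app_default sync
    adb reboot
}

# Return 0 if the given smaps text has at least one mapping whose VmFlags
# line carries "mt", i.e. the kernel has MTE tag checks active on it.
smaps_has_mte() {
    printf '%s\n' "$1" | grep -E '^VmFlags:' | grep -qw 'mt'
}

# Print how many mappings in the smaps text are MTE-enabled (0 if none).
smaps_mte_count() {
    printf '%s\n' "$1" | grep -E '^VmFlags:' | grep -cw 'mt' || true
}

# Step 4 of the procedure, after the reboot: read back the persisted
# properties and inspect the smaps of the process adb spawns (cat itself,
# a native executable covered by persist.arm64.memtag.default).
adb_verify_mte() {
    echo "persist.arm64.memtag.default=$(adb shell getprop persist.arm64.memtag.default)"
    echo "persist.arm64.memtag.app_default=$(adb shell getprop persist.arm64.memtag.app_default)"
    smaps="$(adb shell cat /proc/self/smaps)"
    echo "MTE-enabled mappings: $(smaps_mte_count "$smaps")"
    smaps_has_mte "$smaps"
}

# Constructed sample smaps excerpt (not captured from a real device): one
# heap mapping with "mt" set and one read-only mapping without it.
SAMPLE_SMAPS='7b8e0a1000-7b8e0c2000 rw-p 00000000 00:00 0    [anon:scudo:primary]
Size:                132 kB
VmFlags: rd wr mr mw me ac mt
7b8e0c2000-7b8e0c3000 r--p 00000000 00:00 0    [anon:libc_malloc]
Size:                  4 kB
VmFlags: rd mr mw me'

# Offline demonstration of the check on the constructed sample.
if smaps_has_mte "$SAMPLE_SMAPS"; then
    echo "sample: MTE active on $(smaps_mte_count "$SAMPLE_SMAPS") mapping(s)"
else
    echo "sample: no MTE-enabled mappings"
fi
```

Usage with a connected device: run `adb_enable_mte`, wait for the reboot, then run `adb_verify_mte`; it exits non-zero if no mapping of the spawned process carries the `mt` flag, which is the quickest sign that either the bootloader step or the default-mode property did not take effect.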

An app developer can enable MTE for a single app through its manifest, but the persist.arm64.memtag.app_default property sets the default MTE mode for all apps, effectively making it opt-out instead of opt-in.

He acknowledges this is an unsupported configuration that could cause apps to crash, but says he has not experienced any issues so far.

MTE works by tagging allocated memory with a signature that is checked on each memory access. If the signature does not match, indicating potential memory corruption, the app crashes immediately. Brand demonstrates MTE catching a use-after-free bug in a simple test app.

Brand has mentioned that MTE is currently only available as a developer option on the Pixel 8, intended for app testing. 

The Tensor G3 in the Pixel 8 and Pixel 8 Pro supports Memory Tagging Extension (MTE) and also exposes it to the bootloader!

Pixel 8 and Pixel 8 Pro support Memory Tagging Extension (MTE)

However, MTE is disabled by default and needs to be enabled by going to Settings > System > Developer options > Memory Tagging Extension.

Android 14's new "advanced memory protection" toggle under Settings > Security & privacy > More security & privacy isn't accessible by default on the Pixel 8 series. This page has to be manually surfaced by setting a certain system property. - said @MishaalRahman

Brand has enabled it in "synchronous mode" for all apps to get the full security benefit. He suggests MTE could make zero-day exploits harder by detecting memory-safety bugs in C/C++ code at the point of the bad access.

While the unsupported MTE configuration could cause app stability issues, Brand's post highlights an important security innovation. 

Widespread adoption of memory tagging in mobile chips and OSes could eliminate entire classes of vulnerabilities. Brand's willingness to experiment may motivate further development and research into robust MTE implementations.
