Is it just me or does MTE fundamentally rely on pointer values being secret? Scenario: Attacker finds address of a dangling pointer, reads tag from it, then repeatedly allocates and deallocates objects in that spot until the tag matches.
Well, exposing addresses to untrusted code happens often accidentally. See ASLR bypasses…
Sure, but most exploits nowadays use the existing memory corruption exploit to form an arbitrary or out-of-bounds read in order to bypass ASLR. And the memory corruption wouldn’t be possible with MTE (in most cases).
I definitely worry about side channels like Spectre v1 or something similar (timing the runtime of a speculative section of code to see if the tag matches?).