Background
Memory safety issues account for more than half of the high- and critical-severity security issues in Android. The Android documentation outlines the existing approaches to addressing this: hardware features, compiler-based mitigations, and memory-safe languages like Rust.
New hardware security features
Pixel 8 was launched today. It is most likely (pending verification) the first Pixel phone with hardware support for the Memory Tagging Extension (MTE) and Branch Target Identification (BTI). MTE and BTI arrived in ARM v8.5-A (and are therefore part of ARM v9-A). MTE tags heap memory and pointers so that out-of-bounds and use-after-free accesses are caught at the point of access; BTI restricts indirect branches to landing on designated instructions, which limits code-reuse attacks. ARM v8.5-A was announced back in 2018, so it has taken some time to get these features into the Pixel lineup. Android 14 appears to support MTE through a new user-facing setting (there is also developer documentation). It is unclear whether BTI is supported.
Pointer Authentication Code (PAC), which arrived in ARM v8.3-A, has been bypassed, including in a recent attack in Egypt. Both PAC and MTE are probabilistic defenses: a PAC signature has to fit in the unused upper bits of a pointer and an MTE tag is only 4 bits, so the check can be defeated by guessing the value (one in sixteen for a tag) or by leaking it, and speculative-execution side channels like Spectre let an attacker test guesses without the fault that a wrong guess would normally cause. Google Project Zero has reviewed MTE and concluded: “Despite its limitations, MTE is still by far the most promising path forward for improving C/C++ software security in 2023.” Time will show how effective MTE is in practice.
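To make concrete what MTE checks and why it is probabilistic, here is a software model of the tag check, added as an example; it is not code from this post, from Android or from Arm. It assumes only the architectural facts above (16-byte granules, a 4-bit tag in pointer bits 56..59 that the CPU compares against tag memory on every load and store); the bump allocator, the toy heap and the demo functions are constructed for illustration, and because the "CPU" check is done in software the block runs on any machine.

```c
/* Software model of Arm MTE (constructed example, not Android or Arm code). mte_load/mte_store play
 * the role the CPU plays on real hardware, where the allocator sets tags with IRG/STG and every
 * load and store is checked against tag memory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRANULE       16u                          /* MTE tag granularity                        */
#define NUM_TAGS      16u                          /* 4-bit tag                                  */
#define HEAP_GRANULES 64u                          /* constructed toy heap: 1 KiB                */
#define TAG_SHIFT     56
#define TAG_MASK      ((uintptr_t)0xF << TAG_SHIFT)

static uint8_t heap[HEAP_GRANULES * GRANULE];      /* data memory                                */
static uint8_t mem_tag[HEAP_GRANULES];             /* tag memory, one per granule, 0 = free      */
static size_t  heap_top;                           /* bump cursor in granules (no reuse)         */

/* The tag rides in the pointer's top byte and is stripped before any real dereference. */
static uintptr_t with_tag(uintptr_t p, unsigned t) { return (p & ~TAG_MASK) | ((uintptr_t)(t & 0xF) << TAG_SHIFT); }
static unsigned  tag_of(uintptr_t p)     { return (unsigned)((p & TAG_MASK) >> TAG_SHIFT); }
static uintptr_t untagged(uintptr_t p)   { return p & ~TAG_MASK; }
static size_t    granule_of(uintptr_t p) { return (size_t)((uint8_t *)untagged(p) - heap) / GRANULE; }

/* Next tag from a fixed cycle 1..15, skipping what a real allocator also avoids: the left neighbour's
 * tag (so linear overflow is caught) and the old tag (so use-after-free is caught). Hardware draws
 * tags randomly with IRG; a fixed sequence keeps this demo reproducible. */
static unsigned fresh_tag(unsigned avoid_a, unsigned avoid_b) {
    static unsigned next = 1;
    for (;;) {
        unsigned t = next;
        next = next % (NUM_TAGS - 1) + 1;
        if (t != avoid_a && t != avoid_b) return t;
    }
}
static void tag_range(size_t first, size_t n, unsigned t) {
    for (size_t g = first; g < first + n; g++) mem_tag[g] = (uint8_t)t;
}

/* Returns a tagged pointer as uintptr_t, or 0 when the toy heap is exhausted. */
static uintptr_t mte_malloc(size_t size) {
    size_t n = (size + GRANULE - 1) / GRANULE;
    if (n == 0 || heap_top + n > HEAP_GRANULES) return 0;
    unsigned tag = fresh_tag(heap_top ? mem_tag[heap_top - 1] : 0, 0);
    tag_range(heap_top, n, tag);
    uintptr_t p = with_tag((uintptr_t)&heap[heap_top * GRANULE], tag);
    heap_top += n;
    return p;
}
/* Free retags the granules, so a dangling pointer still carrying the old tag mismatches. */
static void mte_free(uintptr_t p, size_t size) {
    unsigned old = tag_of(p);
    tag_range(granule_of(p), (size + GRANULE - 1) / GRANULE, fresh_tag(old, old));
}

/* The per-access check: every granule touched must carry the pointer's tag.
 * 1 = access proceeds, 0 = hardware would raise SIGSEGV (SEGV_MTESERR) in sync mode. */
static int mte_check(uintptr_t p, size_t len) {
    uintptr_t a = untagged(p);
    if (len == 0 || a < (uintptr_t)heap || a + len > (uintptr_t)heap + sizeof heap) return 0;
    for (size_t g = granule_of(p); g <= granule_of(p + len - 1); g++)
        if (mem_tag[g] != tag_of(p)) return 0;
    return 1;
}
static int mte_store(uintptr_t p, const void *src, size_t len) { return mte_check(p, len) ? (memcpy((void *)untagged(p), src, len), 1) : 0; }
static int mte_load(uintptr_t p, void *dst, size_t len)        { return mte_check(p, len) ? (memcpy(dst, (const void *)untagged(p), len), 1) : 0; }

/* Linear overflow: a 20-byte chunk spans two granules (32 bytes). Byte 31 is padding inside the
 * chunk's own granule, which MTE cannot see; byte 32 is the neighbour's granule and faults.
 * Returns 1 when exactly that happens (in-bounds write accepted, overflow rejected). */
int demo_linear_overflow(void) {
    uintptr_t a = mte_malloc(20), b = mte_malloc(16);
    uint8_t byte = 0x41;
    if (!a || !b) return 0;
    return mte_store(a + 31, &byte, 1) && !mte_store(a + 32, &byte, 1);
}

/* Use-after-free: returns 1 when a load through the stale pointer is rejected. */
int demo_use_after_free(void) {
    uintptr_t p = mte_malloc(40);
    uint8_t byte;
    if (!p) return 0;
    mte_free(p, 40);
    return !mte_load(p, &byte, 1);
}

/* Why it is probabilistic: an attacker who can forge a pointer but not read tag memory must guess
 * the 4-bit tag. Returns how many of the 16 candidates are accepted: exactly 1, i.e. a 1/16 chance. */
int demo_tag_guessing(void) {
    uintptr_t p = mte_malloc(16);
    uint8_t byte;
    int accepted = 0;
    if (!p) return 0;
    for (unsigned guess = 0; guess < NUM_TAGS; guess++)
        accepted += mte_load(with_tag(p, guess), &byte, 1);
    return accepted;
}

int main(void) {
    printf("overflow caught %d, uaf caught %d, tags accepted %d/16\n",
           demo_linear_overflow(), demo_use_after_free(), demo_tag_guessing());
    return 0;
}
```

The overflow demo also shows the granularity caveat a practitioner should keep in mind: a write that stays inside the padding of the victim chunk's last granule is invisible to MTE, and an attacker who can guess or leak the tag (which is what a speculative side channel provides) lands a one-in-sixteen hit. On real hardware a mismatch faults either synchronously (precise, at the faulting instruction) or asynchronously (reported later, cheaper), which is the sync/async choice Android exposes per app through the android:memtagMode manifest attribute.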
Upcoming hardware security features
Enhancements to PAC were added in ARM v8.8-A/v9.3-A. Guarded Control Stack (GCS) was added in ARM v9.4-A. GCS is ARM's version of a hardware shadow stack: return addresses are also pushed onto a separate, protected stack and compared on return, so a return address overwritten on the normal stack is detected. Linux kernel support is being worked on.
The CHERI on top
While the new features added to ARM v8-A/v9-A are welcome, they are intended to raise the cost of memory safety exploits while remaining backwards compatible, rather than to eliminate them. The long-term solution in development is Capability Hardware Enhanced RISC Instructions (CHERI), a project started back in 2010. The main idea is to take code in memory-unsafe languages like C, recompile it for the new architecture, and get hardware-enforced memory safety with acceptable performance: every pointer becomes a capability that carries bounds and permissions, and the hardware rejects any access outside them, deterministically rather than probabilistically. (Bounds and pointer integrity give spatial safety; temporal safety against use-after-free is still an area of research on CHERI.) It is a collaboration between the University of Cambridge, SRI International, Arm and others, and has received support from the UK, the US, and the EU. After more than a decade of research, actual hardware supporting the new features shipped in 2022 with the Morello development board.
Hopefully we will see significant improvements to memory safety for mainstream devices in the next few years.