According to Google, more than half of the highest-priority security vulnerabilities faced by Android 9 Pie have been due to memory safety bugs. New features in Android Q such as IntSan instrumentation are designed to mitigate such problems, but there's only so much that can be achieved by software alone. Google has therefore teamed up with chip-maker Arm to develop a new hardware feature called the memory tagging extension (MTE).
Memory safety bugs are common in languages such as C and C++ that are used in the development of Android apps, and they're notoriously difficult to diagnose. It's hoped that MTE will enable easier detection with considerably lower overheads. MTE has two execution modes, outlined below:
- Precise mode: Provides more detailed information about the memory violation.
- Imprecise mode: Has lower CPU overhead and is more suitable to be always-on.
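To make the difference between the two modes concrete, here is an added example (not code from the article, Google or Arm): a small software model of MTE's tag check, in which each 16-byte granule of memory carries a 4-bit tag that must match the tag in the pointer. The `sim_*` names, the bump allocator and the deterministic tag choice are assumptions of this sketch; real hardware performs the check itself and picks tags at random.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define GRANULE 16                 /* MTE tags memory per 16-byte granule */
#define HEAP    256
enum mte_mode { PRECISE, IMPRECISE };
struct sim {                       /* hypothetical simulator state */
    uint8_t mem[HEAP], tags[HEAP / GRANULE];
    enum mte_mode mode;
    size_t brk;                    /* bump-allocator cursor */
    uint8_t next_tag;              /* deterministic here; hardware picks at random */
    int faulted; size_t fault_off; /* precise: fault raised at the access itself */
    int pending;                   /* imprecise: sticky flag, reported later */
};
struct tptr { size_t off; uint8_t tag; };  /* pointer carrying its 4-bit tag */

void sim_init(struct sim *s, enum mte_mode m) { memset(s, 0, sizeof *s); s->mode = m; }

/* Allocate len bytes, rounded up to whole granules, and give them a fresh tag. */
struct tptr sim_alloc(struct sim *s, size_t len) {
    size_t n = (len + GRANULE - 1) / GRANULE;
    if (s->brk + n * GRANULE > HEAP) return (struct tptr){ HEAP, 0 };  /* out of memory */
    struct tptr p = { s->brk, (uint8_t)(1 + s->next_tag++ % 15) };     /* tags 1..15 */
    for (size_t g = 0; g < n; g++) s->tags[p.off / GRANULE + g] = p.tag;
    s->brk += n * GRANULE;
    return p;
}

/* Store one byte. Returns 1 if memory was written, 0 if the store was blocked. */
int sim_store(struct sim *s, struct tptr p, size_t idx, uint8_t v) {
    size_t a = p.off + idx;
    if (a >= HEAP) return 0;                 /* outside the modelled heap */
    if (s->tags[a / GRANULE] != p.tag) {     /* pointer tag != memory tag */
        if (s->mode == PRECISE) { s->faulted = 1; s->fault_off = a; return 0; }
        s->pending = 1;                      /* imprecise: note it and carry on */
    }
    s->mem[a] = v;
    return 1;
}

/* Imprecise mode surfaces a mismatch only at a later checkpoint, without an address. */
int sim_checkpoint(struct sim *s) { int f = s->pending; s->pending = 0; return f; }

int main(void) {                   /* demo: one-past-the-granule overflow */
    struct sim s; sim_init(&s, IMPRECISE);
    struct tptr a = sim_alloc(&s, 24);
    sim_store(&s, a, 32, 0x41);    /* lands in the next allocation's granule */
    return sim_checkpoint(&s) ? 0 : 1;
}
```

Because tags are per granule, a 24-byte buffer occupies two granules and writes to bytes 24 through 31 pass the check; only an access that crosses into a differently tagged granule is caught.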
With MTE, it will be possible to mimic pre-existing tools like ASAN and HWASAN for much faster, cheaper, and more easily scalable memory vulnerability detection. It's also more dynamic and flexible, allowing for high-accuracy reporting at any stage of the development process. It should also allow developers to patch memory bugs before deployment more often than before, reducing the risk of exploits even further.
By the time MTE makes its way into a consumer-ready product, Android will be set up to support it. Google is also considering making it a requirement for certain Android devices in the future. Head to either of the source links below to learn more about MTE and its benefits.