Constructibility of a TIKTAG-v1 gadget in V8

Determine whether a TIKTAG-v1 speculative Memory Tagging Extension (MTE) tag-leakage gadget can be constructed within the V8 JavaScript engine under the constraints of the speculative V8 sandbox escape technique described in Appendix A. The difficulty is that TIKTAG-v1 requires a tight timing window between the conditional branch (BR) and the tag-checking loads (CHECK) in order to induce speculation shrinkage and leak tags.

Background

The paper introduces two speculative execution gadgets, TIKTAG-v1 and TIKTAG-v2, that can leak ARM MTE tags. TIKTAG-v1 relies on inducing speculation shrinkage via closely timed tag checks after a mispredicted branch, while TIKTAG-v2 exploits store-to-load forwarding differences.

In the V8 environment, the authors successfully constructed TIKTAG-v2 but report that TIKTAG-v1 could not be constructed due to the tight timing constraints between BR and CHECK in their speculative V8 sandbox escape technique. This raises a concrete unresolved question about whether such a gadget can be realized in V8 given the timing requirements and JIT-compiled code paths.

References

However, we didn't find a constructible TIKTAG-v1 gadget, since the tight timing constraint between BR and CHECK was not feasible in our speculative V8 sandbox escape technique (§A).

TikTag: Breaking ARM's Memory Tagging Extension with Speculative Execution (2406.08719 - Kim et al., 13 Jun 2024) in Section 6.1.2