CINXE.COM

<!DOCTYPE html> <html class='v2' dir='ltr' lang='en' xmlns='http://www.w3.org/1999/xhtml' xmlns:b='http://www.google.com/2005/gml/b' xmlns:data='http://www.google.com/2005/gml/data' xmlns:expr='http://www.google.com/2005/gml/expr'> <head> <link href='https://www.blogger.com/static/v1/widgets/3566091532-css_bundle_v2.css' rel='stylesheet' type='text/css'/> <meta content='width=1100' name='viewport'/> <meta content='text/html; charset=UTF-8' http-equiv='Content-Type'/> <meta content='blogger' name='generator'/> <link href='https://googleprojectzero.blogspot.com/favicon.ico' rel='icon' type='image/x-icon'/> <link href='https://googleprojectzero.blogspot.com/2023/08/' rel='canonical'/> <link rel="alternate" type="application/atom+xml" title="Project Zero - Atom" href="https://googleprojectzero.blogspot.com/feeds/posts/default" /> <link rel="alternate" type="application/rss+xml" title="Project Zero - RSS" href="https://googleprojectzero.blogspot.com/feeds/posts/default?alt=rss" /> <link rel="service.post" type="application/atom+xml" title="Project Zero - Atom" href="https://www.blogger.com/feeds/4838136820032157985/posts/default" />  <meta content='https://googleprojectzero.blogspot.com/2023/08/' property='og:url'/> <meta content='Project Zero' property='og:title'/> <meta content='News and updates from the Project Zero team at Google' property='og:description'/> <title>Project Zero: August 2023</title> <style type='text/css'>@font-face{font-family:'Open Sans';font-style:normal;font-weight:400;font-stretch:normal;font-display:swap;src:url(//fonts.gstatic.com/s/opensans/v40/memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4gaVY.eot);}</style> <style id='page-skin-1' type='text/css'></style> <style id='template-skin-1' type='text/css'></style> <script type='text/javascript'> (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) })(window,document,'script','https://www.google-analytics.com/analytics.js','ga'); ga('create', 'UA-240546891-1', 'auto', 'blogger'); ga('blogger.send', 'pageview'); </script> <link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=4838136820032157985&zx=3cb21957-399d-4e35-b09a-94810a1f05a3' media='none' onload='if(media!='all')media='all'' rel='stylesheet'/><noscript><link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=4838136820032157985&zx=3cb21957-399d-4e35-b09a-94810a1f05a3' rel='stylesheet'/></noscript> <meta name='google-adsense-platform-account' content='ca-host-pub-1556223355139109'/> <meta name='google-adsense-platform-domain' content='blogspot.com'/> </head> <body class='loading'> <div class='navbar section' id='navbar' name='Navbar'><div class='widget Navbar' data-version='1' id='Navbar1'><script type="text/javascript"> function setAttributeOnload(object, attribute, val) { if(window.addEventListener) { window.addEventListener('load', function(){ object[attribute] = val; }, false); } else { window.attachEvent('onload', function(){ object[attribute] = val; }); } } </script> <div id="navbar-iframe-container"></div> <script type="text/javascript" src="https://apis.google.com/js/platform.js"></script> <script type="text/javascript"> gapi.load("gapi.iframes:gapi.iframes.style.bubble", function() { if (gapi.iframes && gapi.iframes.getContext) { gapi.iframes.getContext().openChild({ url: 'https://www.blogger.com/navbar.g?targetBlogID\x3d4838136820032157985\x26blogName\x3dProject+Zero\x26publishMode\x3dPUBLISH_MODE_BLOGSPOT\x26navbarType\x3dLIGHT\x26layoutType\x3dLAYOUTS\x26searchRoot\x3dhttps://googleprojectzero.blogspot.com/search\x26blogLocale\x3den\x26v\x3d2\x26homepageUrl\x3dhttps://googleprojectzero.blogspot.com/\x26vt\x3d7568236161501195533', where: document.getElementById("navbar-iframe-container"), id: "navbar-iframe", messageHandlersFilter: gapi.iframes.CROSS_ORIGIN_IFRAMES_FILTER, messageHandlers: { 'blogger-ping': function() {} } }); } }); </script><script type="text/javascript"> (function() { var script = document.createElement('script'); script.type = 'text/javascript'; script.src = '//pagead2.googlesyndication.com/pagead/js/google_top_exp.js'; var head = document.getElementsByTagName('head')[0]; if (head) { head.appendChild(script); }})(); </script> </div></div> <div class='body-fauxcolumns'> <div class='fauxcolumn-outer body-fauxcolumn-outer'> <div class='cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left'> <div class='fauxborder-right'></div> <div class='fauxcolumn-inner'> </div> </div> <div class='cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> </div> <div class='content'> <div class='content-fauxcolumns'> <div class='fauxcolumn-outer content-fauxcolumn-outer'> <div class='cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left'> <div class='fauxborder-right'></div> <div class='fauxcolumn-inner'> </div> </div> <div class='cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> </div> <div class='content-outer'> <div class='content-cap-top cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left content-fauxborder-left'> <div class='fauxborder-right content-fauxborder-right'></div> <div class='content-inner'> <header> <div class='header-outer'> <div class='header-cap-top cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left header-fauxborder-left'> <div class='fauxborder-right header-fauxborder-right'></div> <div class='region-inner header-inner'> <div class='header section' id='header' name='Header'><div class='widget Header' data-version='1' id='Header1'> <div id='header-inner'> <div class='titlewrapper'> <h1 class='title'> <a href='https://googleprojectzero.blogspot.com/'> Project Zero </a> </h1> </div> <div class='descriptionwrapper'> News and updates from the Project Zero team at Google </div> </div> </div></div> </div> </div> <div class='header-cap-bottom cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> </header> <div class='tabs-outer'> <div class='tabs-cap-top cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left tabs-fauxborder-left'> <div class='fauxborder-right tabs-fauxborder-right'></div> <div class='region-inner tabs-inner'> <div class='tabs no-items section' id='crosscol' name='Cross-Column'></div> <div class='tabs no-items section' id='crosscol-overflow' name='Cross-Column 2'></div> </div> </div> <div class='tabs-cap-bottom cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> <div class='main-outer'> <div class='main-cap-top cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left main-fauxborder-left'> <div class='fauxborder-right main-fauxborder-right'></div> <div class='region-inner main-inner'> <div class='columns fauxcolumns'> <div class='fauxcolumn-outer fauxcolumn-center-outer'> <div class='cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left'> <div class='fauxborder-right'></div> <div class='fauxcolumn-inner'> </div> </div> <div class='cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> <div class='fauxcolumn-outer fauxcolumn-left-outer'> <div class='cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left'> <div class='fauxborder-right'></div> <div class='fauxcolumn-inner'> </div> </div> <div class='cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> <div class='fauxcolumn-outer fauxcolumn-right-outer'> <div class='cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left'> <div class='fauxborder-right'></div> <div class='fauxcolumn-inner'> </div> </div> <div class='cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div>  <div class='columns-inner'> <div class='column-center-outer'> <div class='column-center-inner'> <div class='main section' id='main' name='Main'><div class='widget Blog' data-version='1' id='Blog1'> <div class='blog-posts hfeed'> <div class="date-outer"> <h2 class='date-header'>Wednesday, August 2, 2023</h2> <div class="date-posts"> <div class='post-outer'> <div class='post hentry uncustomized-post-template' itemprop='blogPost' itemscope='itemscope' itemtype='http://schema.org/BlogPosting'> <meta content='https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMHoNMKuGPvlidYVL_BUOhGiFYegcPW4BPK5erQcRBgrGaGbM4UPEfThNtiYN-EB7c0jBdMcBr8OXGebX3tuEHd581P-6YuQTQAXvu3bt_6ZZn3UpN15InQCZNpu7J6tJKpIQvmIAWXWwg4fnRu5JrrkAfZVwn61YfloEdgHjXNbdC5DX05Z1L_fRx/s1200/image1.png' itemprop='image_url'/> <meta content='4838136820032157985' itemprop='blogId'/> <meta content='1349463988498930341' itemprop='postId'/> <a name='1349463988498930341'></a> <h3 class='post-title entry-title' itemprop='name'> <a href='https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-1.html'>MTE As Implemented, Part 1: Implementation Testing</a> </h3> <div class='post-header'> <div class='post-header-line-1'></div> </div> <div class='post-body entry-content' id='post-body-1349463988498930341' itemprop='description articleBody'> <style type="text/css">@import url(https://themes.googleusercontent.com/fonts/css?kit=cGvuclDC_Z1vE_cnVEU6AbvdjsQquauI-GoInd1DzsRjfxSl7duaBsON8MRB32eGNP6BCxV-AQSEvP01Vpd9xT0e5qzIIUg9OvSRGeMDk3I);.lst-kix_exl34y7adtul-6>li{counter-increment:lst-ctn-kix_exl34y7adtul-6}.lst-kix_s8b3u49h11dr-4>li:before{content:"- "}.lst-kix_s8b3u49h11dr-6>li:before{content:"- "}.lst-kix_w66ctsc8735u-5>li{counter-increment:lst-ctn-kix_w66ctsc8735u-5}.lst-kix_s8b3u49h11dr-3>li:before{content:"- "}.lst-kix_s8b3u49h11dr-7>li:before{content:"- "}.lst-kix_7336pfhg38rf-8>li{counter-increment:lst-ctn-kix_7336pfhg38rf-8}ol.lst-kix_w66ctsc8735u-1.start{counter-reset:lst-ctn-kix_w66ctsc8735u-1 0}.lst-kix_s8b3u49h11dr-5>li:before{content:"- "}ol.lst-kix_pmivlm2h8rwq-6.start{counter-reset:lst-ctn-kix_pmivlm2h8rwq-6 0}.lst-kix_cm1sbgja1sfy-8>li:before{content:"- "}.lst-kix_21mujycf9tm5-2>li{counter-increment:lst-ctn-kix_21mujycf9tm5-2}.lst-kix_s8b3u49h11dr-8>li:before{content:"- "}ol.lst-kix_21mujycf9tm5-4.start{counter-reset:lst-ctn-kix_21mujycf9tm5-4 0}.lst-kix_cm1sbgja1sfy-1>li:before{content:"- "}.lst-kix_cm1sbgja1sfy-3>li:before{content:"- "}ol.lst-kix_7336pfhg38rf-7.start{counter-reset:lst-ctn-kix_7336pfhg38rf-7 0}.lst-kix_cm1sbgja1sfy-0>li:before{content:"- "}.lst-kix_cm1sbgja1sfy-4>li:before{content:"- "}.lst-kix_cm1sbgja1sfy-5>li:before{content:"- "}.lst-kix_cm1sbgja1sfy-7>li:before{content:"- "}.lst-kix_pmivlm2h8rwq-6>li{counter-increment:lst-ctn-kix_pmivlm2h8rwq-6}.lst-kix_cm1sbgja1sfy-6>li:before{content:"- "}.lst-kix_21mujycf9tm5-4>li{counter-increment:lst-ctn-kix_21mujycf9tm5-4}ol.lst-kix_pmivlm2h8rwq-0.start{counter-reset:lst-ctn-kix_pmivlm2h8rwq-0 0}ol.lst-kix_exl34y7adtul-4.start{counter-reset:lst-ctn-kix_exl34y7adtul-4 0}ol.lst-kix_7336pfhg38rf-1.start{counter-reset:lst-ctn-kix_7336pfhg38rf-1 0}.lst-kix_exl34y7adtul-4>li{counter-increment:lst-ctn-kix_exl34y7adtul-4}.lst-kix_w66ctsc8735u-7>li{counter-increment:lst-ctn-kix_w66ctsc8735u-7}.lst-kix_7336pfhg38rf-6>li{counter-increment:lst-ctn-kix_7336pfhg38rf-6}.lst-kix_cm1sbgja1sfy-2>li:before{content:"- "}ol.lst-kix_7336pfhg38rf-6.start{counter-reset:lst-ctn-kix_7336pfhg38rf-6 0}ol.lst-kix_w66ctsc8735u-6.start{counter-reset:lst-ctn-kix_w66ctsc8735u-6 0}ol.lst-kix_w66ctsc8735u-0.start{counter-reset:lst-ctn-kix_w66ctsc8735u-0 23}ol.lst-kix_exl34y7adtul-5.start{counter-reset:lst-ctn-kix_exl34y7adtul-5 0}ol.lst-kix_7336pfhg38rf-0.start{counter-reset:lst-ctn-kix_7336pfhg38rf-0 0}ol.lst-kix_exl34y7adtul-0.start{counter-reset:lst-ctn-kix_exl34y7adtul-0 0}.lst-kix_7336pfhg38rf-4>li{counter-increment:lst-ctn-kix_7336pfhg38rf-4}ol.lst-kix_pmivlm2h8rwq-1{list-style-type:none}.lst-kix_pmivlm2h8rwq-4>li{counter-increment:lst-ctn-kix_pmivlm2h8rwq-4}ol.lst-kix_pmivlm2h8rwq-0{list-style-type:none}.lst-kix_exl34y7adtul-2>li{counter-increment:lst-ctn-kix_exl34y7adtul-2}.lst-kix_exl34y7adtul-8>li{counter-increment:lst-ctn-kix_exl34y7adtul-8}ol.lst-kix_pmivlm2h8rwq-5.start{counter-reset:lst-ctn-kix_pmivlm2h8rwq-5 0}ol.lst-kix_pmivlm2h8rwq-8{list-style-type:none}ol.lst-kix_pmivlm2h8rwq-7{list-style-type:none}ol.lst-kix_pmivlm2h8rwq-6{list-style-type:none}ol.lst-kix_pmivlm2h8rwq-5{list-style-type:none}ol.lst-kix_pmivlm2h8rwq-4{list-style-type:none}ol.lst-kix_pmivlm2h8rwq-3{list-style-type:none}ol.lst-kix_pmivlm2h8rwq-2{list-style-type:none}ol.lst-kix_21mujycf9tm5-5.start{counter-reset:lst-ctn-kix_21mujycf9tm5-5 0}ol.lst-kix_w66ctsc8735u-7.start{counter-reset:lst-ctn-kix_w66ctsc8735u-7 0}.lst-kix_7336pfhg38rf-7>li:before{content:"" counter(lst-ctn-kix_7336pfhg38rf-7,lower-latin) ". "}.lst-kix_exl34y7adtul-0>li{counter-increment:lst-ctn-kix_exl34y7adtul-0}.lst-kix_7336pfhg38rf-1>li:before{content:"" counter(lst-ctn-kix_7336pfhg38rf-1,lower-latin) ". "}ol.lst-kix_7336pfhg38rf-8.start{counter-reset:lst-ctn-kix_7336pfhg38rf-8 0}ol.lst-kix_exl34y7adtul-3.start{counter-reset:lst-ctn-kix_exl34y7adtul-3 0}.lst-kix_pmivlm2h8rwq-1>li:before{content:"" counter(lst-ctn-kix_pmivlm2h8rwq-1,lower-latin) ". "}ol.lst-kix_w66ctsc8735u-8.start{counter-reset:lst-ctn-kix_w66ctsc8735u-8 0}ol.lst-kix_21mujycf9tm5-2{list-style-type:none}ol.lst-kix_exl34y7adtul-1{list-style-type:none}ol.lst-kix_21mujycf9tm5-1{list-style-type:none}ol.lst-kix_exl34y7adtul-2{list-style-type:none}ol.lst-kix_21mujycf9tm5-0{list-style-type:none}ol.lst-kix_exl34y7adtul-0{list-style-type:none}ol.lst-kix_exl34y7adtul-5{list-style-type:none}ol.lst-kix_exl34y7adtul-6{list-style-type:none}ol.lst-kix_exl34y7adtul-3{list-style-type:none}ol.lst-kix_exl34y7adtul-4{list-style-type:none}ol.lst-kix_21mujycf9tm5-8{list-style-type:none}ol.lst-kix_21mujycf9tm5-7{list-style-type:none}ol.lst-kix_21mujycf9tm5-6{list-style-type:none}ol.lst-kix_21mujycf9tm5-5{list-style-type:none}ol.lst-kix_21mujycf9tm5-4{list-style-type:none}ol.lst-kix_21mujycf9tm5-3{list-style-type:none}.lst-kix_w66ctsc8735u-1>li{counter-increment:lst-ctn-kix_w66ctsc8735u-1}.lst-kix_7336pfhg38rf-0>li{counter-increment:lst-ctn-kix_7336pfhg38rf-0}.lst-kix_pmivlm2h8rwq-0>li{counter-increment:lst-ctn-kix_pmivlm2h8rwq-0}.lst-kix_exl34y7adtul-1>li{counter-increment:lst-ctn-kix_exl34y7adtul-1}.lst-kix_21mujycf9tm5-7>li{counter-increment:lst-ctn-kix_21mujycf9tm5-7}ol.lst-kix_exl34y7adtul-7{list-style-type:none}ol.lst-kix_exl34y7adtul-1.start{counter-reset:lst-ctn-kix_exl34y7adtul-1 0}ol.lst-kix_exl34y7adtul-8{list-style-type:none}.lst-kix_7336pfhg38rf-5>li{counter-increment:lst-ctn-kix_7336pfhg38rf-5}.lst-kix_exl34y7adtul-1>li:before{content:"" counter(lst-ctn-kix_exl34y7adtul-1,lower-latin) ". "}ol.lst-kix_pmivlm2h8rwq-7.start{counter-reset:lst-ctn-kix_pmivlm2h8rwq-7 0}.lst-kix_exl34y7adtul-3>li:before{content:"" counter(lst-ctn-kix_exl34y7adtul-3,decimal) ". "}.lst-kix_exl34y7adtul-5>li:before{content:"" counter(lst-ctn-kix_exl34y7adtul-5,lower-roman) ". "}.lst-kix_exl34y7adtul-7>li:before{content:"" counter(lst-ctn-kix_exl34y7adtul-7,lower-latin) ". "}.lst-kix_21mujycf9tm5-6>li{counter-increment:lst-ctn-kix_21mujycf9tm5-6}.lst-kix_21mujycf9tm5-3>li:before{content:"" counter(lst-ctn-kix_21mujycf9tm5-3,decimal) ". "}.lst-kix_21mujycf9tm5-5>li:before{content:"" counter(lst-ctn-kix_21mujycf9tm5-5,lower-roman) ". "}ol.lst-kix_pmivlm2h8rwq-8.start{counter-reset:lst-ctn-kix_pmivlm2h8rwq-8 0}.lst-kix_w66ctsc8735u-6>li{counter-increment:lst-ctn-kix_w66ctsc8735u-6}.lst-kix_21mujycf9tm5-0>li{counter-increment:lst-ctn-kix_21mujycf9tm5-0}.lst-kix_w66ctsc8735u-0>li{counter-increment:lst-ctn-kix_w66ctsc8735u-0}.lst-kix_21mujycf9tm5-1>li:before{content:"" counter(lst-ctn-kix_21mujycf9tm5-1,lower-latin) ". "}.lst-kix_21mujycf9tm5-7>li:before{content:"" counter(lst-ctn-kix_21mujycf9tm5-7,lower-latin) ". "}.lst-kix_7336pfhg38rf-3>li:before{content:"" counter(lst-ctn-kix_7336pfhg38rf-3,decimal) ". "}ol.lst-kix_21mujycf9tm5-8.start{counter-reset:lst-ctn-kix_21mujycf9tm5-8 0}.lst-kix_7336pfhg38rf-5>li:before{content:"" counter(lst-ctn-kix_7336pfhg38rf-5,lower-roman) ". "}.lst-kix_s8b3u49h11dr-1>li:before{content:"- "}.lst-kix_pmivlm2h8rwq-5>li{counter-increment:lst-ctn-kix_pmivlm2h8rwq-5}ul.lst-kix_s8b3u49h11dr-8{list-style-type:none}ul.lst-kix_s8b3u49h11dr-7{list-style-type:none}ul.lst-kix_s8b3u49h11dr-4{list-style-type:none}ul.lst-kix_s8b3u49h11dr-3{list-style-type:none}ul.lst-kix_s8b3u49h11dr-6{list-style-type:none}ol.lst-kix_7336pfhg38rf-4.start{counter-reset:lst-ctn-kix_7336pfhg38rf-4 0}ul.lst-kix_s8b3u49h11dr-5{list-style-type:none}ul.lst-kix_s8b3u49h11dr-0{list-style-type:none}ul.lst-kix_s8b3u49h11dr-2{list-style-type:none}ul.lst-kix_s8b3u49h11dr-1{list-style-type:none}ol.lst-kix_exl34y7adtul-2.start{counter-reset:lst-ctn-kix_exl34y7adtul-2 0}.lst-kix_w66ctsc8735u-8>li:before{content:"" counter(lst-ctn-kix_w66ctsc8735u-8,lower-roman) ". "}ol.lst-kix_21mujycf9tm5-7.start{counter-reset:lst-ctn-kix_21mujycf9tm5-7 0}.lst-kix_w66ctsc8735u-1>li:before{content:"" counter(lst-ctn-kix_w66ctsc8735u-1,lower-latin) ". "}.lst-kix_w66ctsc8735u-2>li:before{content:"" counter(lst-ctn-kix_w66ctsc8735u-2,lower-roman) ". "}.lst-kix_w66ctsc8735u-0>li:before{content:"" counter(lst-ctn-kix_w66ctsc8735u-0,upper-latin) ". "}.lst-kix_w66ctsc8735u-4>li:before{content:"" counter(lst-ctn-kix_w66ctsc8735u-4,lower-latin) ". "}.lst-kix_w66ctsc8735u-5>li:before{content:"" counter(lst-ctn-kix_w66ctsc8735u-5,lower-roman) ". "}.lst-kix_w66ctsc8735u-6>li:before{content:"" counter(lst-ctn-kix_w66ctsc8735u-6,decimal) ". "}.lst-kix_w66ctsc8735u-7>li:before{content:"" counter(lst-ctn-kix_w66ctsc8735u-7,lower-latin) ". "}ol.lst-kix_exl34y7adtul-7.start{counter-reset:lst-ctn-kix_exl34y7adtul-7 0}ol.lst-kix_pmivlm2h8rwq-3.start{counter-reset:lst-ctn-kix_pmivlm2h8rwq-3 0}.lst-kix_t1xsxvgqx8s0-6>li:before{content:"- "}.lst-kix_pmivlm2h8rwq-3>li{counter-increment:lst-ctn-kix_pmivlm2h8rwq-3}.lst-kix_t1xsxvgqx8s0-5>li:before{content:"- "}.lst-kix_t1xsxvgqx8s0-7>li:before{content:"- "}.lst-kix_w66ctsc8735u-4>li{counter-increment:lst-ctn-kix_w66ctsc8735u-4}.lst-kix_21mujycf9tm5-1>li{counter-increment:lst-ctn-kix_21mujycf9tm5-1}.lst-kix_exl34y7adtul-7>li{counter-increment:lst-ctn-kix_exl34y7adtul-7}.lst-kix_t1xsxvgqx8s0-8>li:before{content:"- "}.lst-kix_w66ctsc8735u-3>li:before{content:"" counter(lst-ctn-kix_w66ctsc8735u-3,decimal) ". "}.lst-kix_t1xsxvgqx8s0-3>li:before{content:"- "}.lst-kix_w66ctsc8735u-8>li{counter-increment:lst-ctn-kix_w66ctsc8735u-8}.lst-kix_t1xsxvgqx8s0-4>li:before{content:"- "}ol.lst-kix_21mujycf9tm5-6.start{counter-reset:lst-ctn-kix_21mujycf9tm5-6 0}ol.lst-kix_pmivlm2h8rwq-4.start{counter-reset:lst-ctn-kix_pmivlm2h8rwq-4 0}.lst-kix_t1xsxvgqx8s0-2>li:before{content:"- "}.lst-kix_21mujycf9tm5-5>li{counter-increment:lst-ctn-kix_21mujycf9tm5-5}.lst-kix_t1xsxvgqx8s0-1>li:before{content:"- "}.lst-kix_w66ctsc8735u-2>li{counter-increment:lst-ctn-kix_w66ctsc8735u-2}.lst-kix_t1xsxvgqx8s0-0>li:before{content:"- "}.lst-kix_pmivlm2h8rwq-6>li:before{content:"" counter(lst-ctn-kix_pmivlm2h8rwq-6,decimal) ". "}.lst-kix_pmivlm2h8rwq-7>li:before{content:"" counter(lst-ctn-kix_pmivlm2h8rwq-7,lower-latin) ". "}ol.lst-kix_w66ctsc8735u-7{list-style-type:none}ol.lst-kix_w66ctsc8735u-8{list-style-type:none}ol.lst-kix_w66ctsc8735u-5{list-style-type:none}ol.lst-kix_w66ctsc8735u-6{list-style-type:none}ol.lst-kix_w66ctsc8735u-3{list-style-type:none}ol.lst-kix_w66ctsc8735u-4{list-style-type:none}ol.lst-kix_w66ctsc8735u-1{list-style-type:none}.lst-kix_exl34y7adtul-5>li{counter-increment:lst-ctn-kix_exl34y7adtul-5}.lst-kix_pmivlm2h8rwq-3>li:before{content:"" counter(lst-ctn-kix_pmivlm2h8rwq-3,decimal) ". "}ol.lst-kix_w66ctsc8735u-2{list-style-type:none}.lst-kix_pmivlm2h8rwq-1>li{counter-increment:lst-ctn-kix_pmivlm2h8rwq-1}ol.lst-kix_w66ctsc8735u-0{list-style-type:none}.lst-kix_7336pfhg38rf-7>li{counter-increment:lst-ctn-kix_7336pfhg38rf-7}.lst-kix_pmivlm2h8rwq-4>li:before{content:"" counter(lst-ctn-kix_pmivlm2h8rwq-4,lower-latin) ". "}.lst-kix_pmivlm2h8rwq-5>li:before{content:"" counter(lst-ctn-kix_pmivlm2h8rwq-5,lower-roman) ". "}.lst-kix_pmivlm2h8rwq-7>li{counter-increment:lst-ctn-kix_pmivlm2h8rwq-7}.lst-kix_pmivlm2h8rwq-8>li:before{content:"" counter(lst-ctn-kix_pmivlm2h8rwq-8,lower-roman) ". "}ol.lst-kix_pmivlm2h8rwq-2.start{counter-reset:lst-ctn-kix_pmivlm2h8rwq-2 0}.lst-kix_7336pfhg38rf-8>li:before{content:"" counter(lst-ctn-kix_7336pfhg38rf-8,lower-roman) ". "}ol.lst-kix_exl34y7adtul-6.start{counter-reset:lst-ctn-kix_exl34y7adtul-6 0}ul.lst-kix_t1xsxvgqx8s0-2{list-style-type:none}ul.lst-kix_t1xsxvgqx8s0-3{list-style-type:none}ul.lst-kix_t1xsxvgqx8s0-0{list-style-type:none}ul.lst-kix_t1xsxvgqx8s0-1{list-style-type:none}.lst-kix_7336pfhg38rf-2>li:before{content:"" counter(lst-ctn-kix_7336pfhg38rf-2,lower-roman) ". "}.lst-kix_7336pfhg38rf-2>li{counter-increment:lst-ctn-kix_7336pfhg38rf-2}.lst-kix_7336pfhg38rf-0>li:before{content:"" counter(lst-ctn-kix_7336pfhg38rf-0,decimal) ". "}.lst-kix_21mujycf9tm5-8>li{counter-increment:lst-ctn-kix_21mujycf9tm5-8}ol.lst-kix_w66ctsc8735u-5.start{counter-reset:lst-ctn-kix_w66ctsc8735u-5 0}.lst-kix_pmivlm2h8rwq-2>li:before{content:"" counter(lst-ctn-kix_pmivlm2h8rwq-2,lower-roman) ". "}.lst-kix_7336pfhg38rf-1>li{counter-increment:lst-ctn-kix_7336pfhg38rf-1}.lst-kix_pmivlm2h8rwq-0>li:before{content:"" counter(lst-ctn-kix_pmivlm2h8rwq-0,decimal) ". "}ol.lst-kix_21mujycf9tm5-3.start{counter-reset:lst-ctn-kix_21mujycf9tm5-3 0}ol.lst-kix_w66ctsc8735u-2.start{counter-reset:lst-ctn-kix_w66ctsc8735u-2 0}ol.lst-kix_7336pfhg38rf-5.start{counter-reset:lst-ctn-kix_7336pfhg38rf-5 0}ol.lst-kix_21mujycf9tm5-0.start{counter-reset:lst-ctn-kix_21mujycf9tm5-0 0}ul.lst-kix_t1xsxvgqx8s0-8{list-style-type:none}ol.lst-kix_7336pfhg38rf-0{list-style-type:none}ol.lst-kix_7336pfhg38rf-1{list-style-type:none}.lst-kix_7336pfhg38rf-3>li{counter-increment:lst-ctn-kix_7336pfhg38rf-3}ul.lst-kix_t1xsxvgqx8s0-6{list-style-type:none}ul.lst-kix_t1xsxvgqx8s0-7{list-style-type:none}ul.lst-kix_t1xsxvgqx8s0-4{list-style-type:none}ul.lst-kix_t1xsxvgqx8s0-5{list-style-type:none}ol.lst-kix_7336pfhg38rf-6{list-style-type:none}ol.lst-kix_7336pfhg38rf-7{list-style-type:none}ol.lst-kix_7336pfhg38rf-8{list-style-type:none}ol.lst-kix_7336pfhg38rf-2{list-style-type:none}ol.lst-kix_7336pfhg38rf-3{list-style-type:none}ol.lst-kix_7336pfhg38rf-4{list-style-type:none}ol.lst-kix_7336pfhg38rf-5{list-style-type:none}ol.lst-kix_w66ctsc8735u-3.start{counter-reset:lst-ctn-kix_w66ctsc8735u-3 0}.lst-kix_exl34y7adtul-0>li:before{content:"" counter(lst-ctn-kix_exl34y7adtul-0,decimal) ". "}.lst-kix_exl34y7adtul-3>li{counter-increment:lst-ctn-kix_exl34y7adtul-3}.lst-kix_pmivlm2h8rwq-8>li{counter-increment:lst-ctn-kix_pmivlm2h8rwq-8}.lst-kix_exl34y7adtul-2>li:before{content:"" counter(lst-ctn-kix_exl34y7adtul-2,lower-roman) ". "}.lst-kix_exl34y7adtul-4>li:before{content:"" counter(lst-ctn-kix_exl34y7adtul-4,lower-latin) ". "}ol.lst-kix_21mujycf9tm5-2.start{counter-reset:lst-ctn-kix_21mujycf9tm5-2 0}ul.lst-kix_cm1sbgja1sfy-1{list-style-type:none}ul.lst-kix_cm1sbgja1sfy-0{list-style-type:none}ul.lst-kix_cm1sbgja1sfy-3{list-style-type:none}.lst-kix_exl34y7adtul-6>li:before{content:"" counter(lst-ctn-kix_exl34y7adtul-6,decimal) ". "}.lst-kix_exl34y7adtul-8>li:before{content:"" counter(lst-ctn-kix_exl34y7adtul-8,lower-roman) ". "}ul.lst-kix_cm1sbgja1sfy-2{list-style-type:none}ol.lst-kix_exl34y7adtul-8.start{counter-reset:lst-ctn-kix_exl34y7adtul-8 0}ol.lst-kix_7336pfhg38rf-2.start{counter-reset:lst-ctn-kix_7336pfhg38rf-2 0}.lst-kix_pmivlm2h8rwq-2>li{counter-increment:lst-ctn-kix_pmivlm2h8rwq-2}ol.lst-kix_pmivlm2h8rwq-1.start{counter-reset:lst-ctn-kix_pmivlm2h8rwq-1 0}.lst-kix_21mujycf9tm5-4>li:before{content:"" counter(lst-ctn-kix_21mujycf9tm5-4,lower-latin) ". "}.lst-kix_21mujycf9tm5-3>li{counter-increment:lst-ctn-kix_21mujycf9tm5-3}.lst-kix_21mujycf9tm5-2>li:before{content:"" counter(lst-ctn-kix_21mujycf9tm5-2,lower-roman) ". "}.lst-kix_21mujycf9tm5-6>li:before{content:"" counter(lst-ctn-kix_21mujycf9tm5-6,decimal) ". "}.lst-kix_21mujycf9tm5-0>li:before{content:"" counter(lst-ctn-kix_21mujycf9tm5-0,decimal) ". "}.lst-kix_21mujycf9tm5-8>li:before{content:"" counter(lst-ctn-kix_21mujycf9tm5-8,lower-roman) ". "}ul.lst-kix_cm1sbgja1sfy-8{list-style-type:none}ol.lst-kix_21mujycf9tm5-1.start{counter-reset:lst-ctn-kix_21mujycf9tm5-1 0}ul.lst-kix_cm1sbgja1sfy-5{list-style-type:none}ul.lst-kix_cm1sbgja1sfy-4{list-style-type:none}li.li-bullet-0:before{margin-left:-18pt;white-space:nowrap;display:inline-block;min-width:18pt}ul.lst-kix_cm1sbgja1sfy-7{list-style-type:none}.lst-kix_w66ctsc8735u-3>li{counter-increment:lst-ctn-kix_w66ctsc8735u-3}ul.lst-kix_cm1sbgja1sfy-6{list-style-type:none}ol.lst-kix_7336pfhg38rf-3.start{counter-reset:lst-ctn-kix_7336pfhg38rf-3 0}ol.lst-kix_w66ctsc8735u-4.start{counter-reset:lst-ctn-kix_w66ctsc8735u-4 0}.lst-kix_7336pfhg38rf-4>li:before{content:"" counter(lst-ctn-kix_7336pfhg38rf-4,lower-latin) ". "}.lst-kix_s8b3u49h11dr-0>li:before{content:"- "}.lst-kix_s8b3u49h11dr-2>li:before{content:"- "}.lst-kix_7336pfhg38rf-6>li:before{content:"" counter(lst-ctn-kix_7336pfhg38rf-6,decimal) ". "}ol{margin:0;padding:0}table td,table th{padding:0}.LtslleXhTC-c30{border-right-style:solid;padding:5pt 5pt 5pt 5pt;border-bottom-color:#e0e0e0;border-top-width:1pt;border-right-width:1pt;border-left-color:#e0e0e0;vertical-align:top;border-right-color:#e0e0e0;border-left-width:1pt;border-top-style:solid;border-left-style:solid;border-bottom-width:1pt;width:468pt;border-top-color:#e0e0e0;border-bottom-style:solid}.LtslleXhTC-c6{color:#9c27b0;font-weight:400;text-decoration:none;vertical-align:baseline;font-size:10pt;font-family:Consolas,"Courier New";font-style:normal}.LtslleXhTC-c39{padding-top:18pt;padding-bottom:6pt;line-height:1.5;page-break-after:avoid;text-align:left}.LtslleXhTC-c15{padding-top:16pt;padding-bottom:4pt;line-height:1.5;page-break-after:avoid;text-align:left}.LtslleXhTC-c41{padding-top:0pt;padding-bottom:16pt;line-height:1.5;page-break-after:avoid;text-align:left}.LtslleXhTC-c40{padding-top:0pt;padding-bottom:0pt;line-height:1.5;text-align:justify}.LtslleXhTC-c23{text-decoration-skip-ink:none;-webkit-text-decoration-skip:none;color:#1155cc;text-decoration:underline}.LtslleXhTC-c5{font-size:10pt;font-family:Consolas,"Courier New";color:#ff00ff;font-weight:700}.LtslleXhTC-c49{text-decoration:none;vertical-align:baseline;font-size:10pt;font-style:italic}.LtslleXhTC-c51{padding-top:0pt;padding-bottom:3pt;line-height:1.5;text-align:left}.LtslleXhTC-c9{padding-top:0pt;padding-bottom:0pt;line-height:1.0;text-align:left}.LtslleXhTC-c2{padding-top:0pt;padding-bottom:0pt;line-height:1.5;text-align:left}.LtslleXhTC-c46{padding-top:18pt;padding-bottom:6pt;line-height:1.38;text-align:left}.LtslleXhTC-c8{border-spacing:0;border-collapse:collapse;margin-right:auto}.LtslleXhTC-c25{padding-top:0pt;padding-bottom:10pt;line-height:1.5;text-align:left}.LtslleXhTC-c4{font-size:10pt;font-family:Consolas,"Courier New";color:#000000;font-weight:400}.LtslleXhTC-c1{font-size:10pt;font-family:Consolas,"Courier New";color:#616161;font-weight:400}.LtslleXhTC-c34{background-color:#ffffff;max-width:468pt;padding:72pt 72pt 72pt 72pt}.LtslleXhTC-c37{background-color:#ffffff;margin-left:72pt;padding-left:0pt}.LtslleXhTC-c32{font-size:10pt;font-family:"Roboto Mono";font-weight:400}.LtslleXhTC-c12{text-decoration:none;vertical-align:baseline;font-style:normal}.LtslleXhTC-c50{text-decoration:none;vertical-align:baseline;font-style:italic}.LtslleXhTC-c10{font-size:10pt;font-family:Consolas,"Courier New";font-weight:400}.LtslleXhTC-c11{orphans:2;widows:2}.LtslleXhTC-c0{font-weight:400;font-family:"Google Sans"}.LtslleXhTC-c29{font-weight:700;font-family:"Google Sans"}.LtslleXhTC-c52{font-weight:400;font-family:"Roboto Mono"}.LtslleXhTC-c42{color:#666666;font-size:15pt}.LtslleXhTC-c45{font-family:Consolas,"Courier New";font-weight:400}.LtslleXhTC-c14{padding:0;margin:0}.LtslleXhTC-c20{font-weight:400;font-family:"Arial"}.LtslleXhTC-c24{color:#000000;font-size:16pt}.LtslleXhTC-c27{color:#000000;font-size:9pt}.LtslleXhTC-c22{margin-left:36pt;padding-left:0pt}.LtslleXhTC-c16{color:#000000;font-size:11pt}.LtslleXhTC-c19{color:inherit;text-decoration:inherit}.LtslleXhTC-c33{color:#434343;font-size:14pt}.LtslleXhTC-c31{border:1px solid black;margin:5px}.LtslleXhTC-c7{height:11pt}.LtslleXhTC-c26{background-color:#fafafa}.LtslleXhTC-c36{vertical-align:super}.LtslleXhTC-c48{text-indent:36pt}.LtslleXhTC-c18{color:#9c27b0}.LtslleXhTC-c47{color:#ff00ff}.LtslleXhTC-c43{page-break-after:avoid}.LtslleXhTC-c3{height:0pt}.LtslleXhTC-c21{color:#0d904f}.LtslleXhTC-c44{background-color:#ffffff}.LtslleXhTC-c53{font-size:26pt}.LtslleXhTC-c13{color:#c53929}.LtslleXhTC-c38{color:#3367d6}.LtslleXhTC-c35{color:#000000}.LtslleXhTC-c17{color:#455a64}.LtslleXhTC-c28{color:#0f9d58}.title{padding-top:0pt;color:#000000;font-size:26pt;padding-bottom:3pt;font-family:"Arial";line-height:1.5;page-break-after:avoid;orphans:2;widows:2;text-align:left}.subtitle{padding-top:0pt;color:#666666;font-size:15pt;padding-bottom:16pt;font-family:"Arial";line-height:1.5;page-break-after:avoid;orphans:2;widows:2;text-align:left}li{color:#000000;font-size:11pt;font-family:"Arial"}p{margin:0;color:#000000;font-size:11pt;font-family:"Arial"}h1{padding-top:20pt;color:#000000;font-size:20pt;padding-bottom:6pt;font-family:"Arial";line-height:1.5;page-break-after:avoid;orphans:2;widows:2;text-align:left}h2{padding-top:18pt;color:#000000;font-size:16pt;padding-bottom:6pt;font-family:"Arial";line-height:1.5;page-break-after:avoid;orphans:2;widows:2;text-align:left}h3{padding-top:16pt;color:#434343;font-size:14pt;padding-bottom:4pt;font-family:"Arial";line-height:1.5;page-break-after:avoid;orphans:2;widows:2;text-align:left}h4{padding-top:0pt;color:#000000;font-size:9pt;padding-bottom:0pt;font-family:"Arial";line-height:1.5;page-break-after:avoid;orphans:2;widows:2;text-align:left}h5{padding-top:12pt;color:#666666;font-size:11pt;padding-bottom:4pt;font-family:"Arial";line-height:1.5;page-break-after:avoid;orphans:2;widows:2;text-align:left}h6{padding-top:12pt;color:#666666;font-size:11pt;padding-bottom:4pt;font-family:"Arial";line-height:1.5;page-break-after:avoid;font-style:italic;orphans:2;widows:2;text-align:left}</style></head><body class="c34 doc-content"> By Mark Brand, Project Zero<h2 class="LtslleXhTC-c46 LtslleXhTC-c11 LtslleXhTC-c44" id="h.19gkwk801574">Background</h2> In 2018, in the <a class="LtslleXhTC-c191" href="https://community.arm.com/arm-community-blogs/b/architectures-and-processors-blog/posts/arm-a-profile-architecture-2018-developments-armv85a">v8.5a version</a> of the ARM architecture, ARM proposed a hardware implementation of tagged memory, referred to as MTE (Memory Tagging Extensions). Through mid-2022 and early 2023, Project Zero had access to pre-production hardware implementing this instruction set extension to evaluate the security properties of the implementation. In particular, we're interested in whether it's possible to use this instruction set extension to implement effective security mitigations, or whether its use is limited to debugging/fault detection purposes. As of the v8.5a specification, MTE can operate in two distinct modes, which are switched between on a per-thread basis. The first mode is sync-MTE, where tag-check failure on a memory access will cause the instruction performing the access to deliver a fault at retirement. The second mode is async-MTE, where tag-check failure does not directly (at the architectural level) cause a fault. Instead, tag-check failure will cause the setting of a per-core flag, which can then be polled from the kernel context to detect when an invalid access has occurred. This blog post documents the tests that we have performed so far, and the conclusions that we've drawn from them, <a class="LtslleXhTC-c191" href="https://github.com/googleprojectzero/p0tools/tree/master/MTETest">together with the code necessary to repeat these tests</a>. This testing was intended to explore both the details of the hardware implementation of MTE, and the current state of the software support for MTE in the Linux kernel. All of the testing is based on manually implemented tagging in statically-linked standalone binaries, so it should be easy to reproduce these results on any compatible hardware.<h2 class="LtslleXhTC-c11 LtslleXhTC-c44 LtslleXhTC-c46" id="h.1m65rx5mwd6b">Terminology</h2> When designing and implementing security features, it's important to be conscious of the specific protection goal. In order to provide clarity in the rest of this post, we'll define some specific terminology that we use when talking about this: <ol class="c14 lst-kix_pmivlm2h8rwq-0 start" start="1"><li style="margin-left: 46pt;" class="c2 c11 c22 c44 li-bullet-0">Mitigation - A mitigation is something that reduces real exploitability of a vulnerability or class of vulnerability. The expectation is that attackers can (and eventually will) find their way around it. Examples would be DEP, ASLR, CFI.</li></ol><ol class="c14 lst-kix_pmivlm2h8rwq-1 start" start="1"><li style="margin-left: 46pt;" class="c2 c11 c37 li-bullet-0">"Soft" Mitigation - We consider a mitigation to be "soft" if the expectation is that an attacker pays a one-time cost in order to bypass the mitigation. Typically this would be a per-target cost, for example developing a ROP chain to bypass DEP, which can usually be largely re-used between different exploits for the same target software.</li><li style="margin-left: 46pt;" class="c2 c37 c11 li-bullet-0">"Hard" Mitigation - We consider a mitigation to be "hard" if the expectation is that an attacker cannot develop a bypass technique which is reusable between different vulnerabilities (without, e.g. incorporating an additional vulnerability). An example would be ASLR, which is typically bypassed either by the use of a separate information leak vulnerability, or by developing an information leak primitive using the same vulnerability. </li></ol> Note that the context can have an impact on the "hardness" of a mitigation -         if a codebase is particularly rich in code-patterns which allow the construction of information leaks, it's quite possible that an attacker can develop a reliable, reusable technique for turning various memory corruption primitives into an information leak within that codebase.<ol class="c14 lst-kix_pmivlm2h8rwq-0" start="2"><li style="margin-left: 46pt;" class="c2 c11 c22 c44 li-bullet-0">Solution - a solution is something that eliminates exploitability of a vulnerability or class of vulnerability. The expectation is that the only way for an attacker to bypass a solution would be an unintended implementation weakness in the solution. </li></ol> For example (based purely on a theoretical implementation of memory tagging):  - Randomly-allocating tags to heap allocations cannot be considered a solution for any class of heap-related memory corruption, since this provides at best probabilistic protection.  - Allocating odd and even tags to adjacent heap allocations might theoretically be able to provide a solution for linear heap-buffer overflows.<h2 class="LtslleXhTC-c39 LtslleXhTC-c11" id="h.6sk8fz7gzezd">Hardware Implementation</h2> The main hardware implementation question we had was, does a speculative side-channel exist that would allow leaking whether or not a tag-check has succeeded, without needing to architecturally execute the tag-check? It is expected that Spectre-type speculative execution side-channels will still allow an attacker to leak pointer values from memory, indirectly leaking the tags. Here we consider whether the implementation introduces additional speculative side-channels that would allow an attacker to more efficiently leak tag-check success/failure. TL; DR; In our testing we did not identify an additional<a class="LtslleXhTC-c19" href="#h.d43f6ia2nolp">1</a> speculative side-channel that would allow such an attack to be performed.<h3 class="LtslleXhTC-c15 LtslleXhTC-c11" id="h.e13yfykv7x9c">1. Does MTE block Spectre? (NO)</h3> The only way that MTE could prevent exploitation of Spectre-type weaknesses would be to have speculative execution stall the pipeline until the tag-check completes<a class="LtslleXhTC-c19" href="#h.8v9sdwwdtqt">2</a>. This might sound desirable ("prevent exploitation of Spectre-type weaknesses") but it's not - this would create a much stronger side-channel to allow an attacker to create an oracle for tag-check success, weakening the overall security properties of the MTE implementation. This is easy to test. If we can still leak data out of speculative execution using Spectre when the pointer used for the speculative access has an incorrect tag, then this is not the case. We wrote a <a class="LtslleXhTC-c191" href="https://github.com/googleprojectzero/p0tools/blob/master/MTETest/0001-Add-MTE-spectre-test.patch">small patch</a> to the <a class="LtslleXhTC-c191" href="https://github.com/google/safeside">safeside</a> demo spectre_v1_pht_sa that demonstrates this:<a id="t.0814a55e2d7066eec1c776f4e5cc266c3993aa3f"></a><a id="t.0"></a><table class="LtslleXhTC-c8"><tr class="LtslleXhTC-c3"><td class="LtslleXhTC-c30 LtslleXhTC-c26" colspan="1" rowspan="1"> mte_device:/data/local/tmp $ ./spectre_v1_pht_sa_mte Leaking the string: 1t's a s3kr3t!!! Done! Checking that we would crash during architectural access: Segmentation fault </td></tr></table><h3 class="LtslleXhTC-c15 LtslleXhTC-c11" id="h.w0yvst1srjvi">2. Does tag-check success/failure have a measurable impact on the speculation window length? (Probably NOT)</h3> There is a deeper question that we'd like to understand: is the length of speculative execution after a memory access influenced by whether the tag-check for that access succeeds or fails? If this was the case, then we might be able to build a more complex speculative side-channel that we could use in a similar way. In order to measure this, we need to force a mis-speculation, and then perform a read access to memory for which a tag-check would either succeed or fail, and then we need to use a speculative side-channel to measure how many further instructions were successfully speculatively executed. We wrote and tested a self-contained harness to measure this, which can be found in speculation_window.c This harness works by generating code for a test function with a variable number of no-op instructions at runtime, and then repeatedly executing this test function in a loop to train the branch-predictor before finally triggering mis-speculation. The test function is as follows: <a id="t.d26d48d2ecf391a13cfd9854526cfa9fc9c4578d"></a><a id="t.1"></a><table class="LtslleXhTC-c8"><tr class="LtslleXhTC-c3"><td class="LtslleXhTC-c30 LtslleXhTC-c26" colspan="1" rowspan="1">   ldr  x0, [x0]         ; this load is slow (*x0 is uncached)   cbnz x0, speculation: ; this branch is always taken during warmup   ret speculation:   ldr  x1, [x1]         ; this load is fast (*x1 is cached)                         ; the tag-check success or fail will happen on                         ; this access, but during warmup the tag-check                         ; will always be a success.   orr  x2, x2, x1       ; this is a no-op (as x1 is always 0) but it   ... n times ...       ; maintains a data dependency between the   orr  x2, x2, x1       ; loads (and the no-ops), hopefully preventing                         ; too much re-ordering.   ldr  x2, [x2]         ; *x2 is uncached, if it is cached later then                         ; this instruction was (probably) executed.   ret</td></tr></table> In this way we can measure the number of no-ops that we can insert before the final load no longer executes (ie. the result from the first load is received and we realise that we've mispredicted the branch so we flush the pipeline before the final load is executed). In order to reduce bias due to branch-predictor behaviour, the test program is run separately for the tag-check success and tag-check failure case, and the control-flow being run is identical in both cases. In order to reduce bias due to cpu power-management/throttling behaviour, each time the test program is run, it collects a single set of samples and then exits. We then run this program repeatedly, and by interleaving the runs for tag-check success and tag-check fail we look to reduce this influence on the results. In addition, the cores are down-clocked to the lowest supported frequency using the standard linux cpu scaling interface, which should reduce the impact of cpu throttling to a minimum. Most modern mobile devices also have non-homogenous core designs, with for example a 4+4, 2+2+4 or 1+3+4 core design. Since the device under test is no exception, the program needs to pin itself to a specific core and we need to run these tests for each core design separately. Reading from the virtual timer is extremely slow (relative to memory access instructions), and this results in noisy data when attempting to measure single-cache-hit/single-cache-miss. In a normal real-world environment, a shared-memory timer is often a better approach to timing with this level of granularity, and that's an approach that we've used previously with success. In this case, since we want to get data for each core, it was difficult to get consistency across all cores, and we had better results using an amplification approach performing accesses to multiple cache-lines. However, this approach adds more complexity to the measuring code, and more possibilities for smart prefetching or similar to interfere with our measurements. Since we are trying to test the properties of the hardware, rather than develop a practical attack that needs to run in a timely fashion, we decided to minimise these risks and instead collect enough data that we'd be able to see the patterns through the noise. The first graphs below show this data for a region of the x-axis (nop-count) on each core around where the speculation window ends (so the x-axis is anchored differently for each core), and on the y-axis we plot the observed probability that our measurement results in a cache-miss. Two separate lines are plotted in each graph; one in red for the "tag-check-fail" case and one in green for the "tag-check-pass" case. We can't really see the green line at all - the two lines overlap so closely as to be indistinguishable. <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMHoNMKuGPvlidYVL_BUOhGiFYegcPW4BPK5erQcRBgrGaGbM4UPEfThNtiYN-EB7c0jBdMcBr8OXGebX3tuEHd581P-6YuQTQAXvu3bt_6ZZn3UpN15InQCZNpu7J6tJKpIQvmIAWXWwg4fnRu5JrrkAfZVwn61YfloEdgHjXNbdC5DX05Z1L_fRx/s1276/image1.png" style="display: block; padding: 1em 0;text-align: center;"><img alt="" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMHoNMKuGPvlidYVL_BUOhGiFYegcPW4BPK5erQcRBgrGaGbM4UPEfThNtiYN-EB7c0jBdMcBr8OXGebX3tuEHd581P-6YuQTQAXvu3bt_6ZZn3UpN15InQCZNpu7J6tJKpIQvmIAWXWwg4fnRu5JrrkAfZVwn61YfloEdgHjXNbdC5DX05Z1L_fRx/s1200/image1.png" style="max-height: 750px; max-width: 600px;" title="" /></a> If we really zoom in on measurements from the "Biggest" core, we can see the two lines deviating due to the noise: <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUe4nRuLhn9eG70q6MjBk1ZwThOqtjvk8Ow4K3fd1w5AfjQ2Z3QaP1o0kgfh0X_689apmG5iIm_1yUcnhPJCkBIqtNSNe7TbE8sxB41xNSn915W3owlslLWX1H2afxZSO2-yIzXHCZzEmUEZil-1RnXBTudraaQmID46k6XrrW21jFlkSZh0n7ZJhv/s1284/image3.png" style="display: block; padding: 1em 0;text-align: center;"><img alt="" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUe4nRuLhn9eG70q6MjBk1ZwThOqtjvk8Ow4K3fd1w5AfjQ2Z3QaP1o0kgfh0X_689apmG5iIm_1yUcnhPJCkBIqtNSNe7TbE8sxB41xNSn915W3owlslLWX1H2afxZSO2-yIzXHCZzEmUEZil-1RnXBTudraaQmID46k6XrrW21jFlkSZh0n7ZJhv/s1200/image3.png" style="max-height: 750px; max-width: 600px;" title="" /></a> Another interesting point is to notice that the graph we have for the biggest core tops out at a probability of ~30%; this is (probably) not because we're hitting the cache, but instead that the timer read is slow that we can't use it to reliably differentiate between cache misses and cache hits most of the time. If we look at a graph of raw latency measurements, we can see this: <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhREEhNQOZ1zMw1afJqw2dsduh3hce6p_qTmY4hFpKYvwp0dFNph4vj3sj9xOv5Fpx7--neSHRNUI30C7UAe0GuJwSDXN5vYOlGRiPgnrWMj9c1KJ9fOpNmKLTFMK54aOQjzWeV2iPtMeFfGUTG94yKS6W5sfPvNUeVOPDObnodsQKZtLMK6Onc_3tB/s1276/image2.png" style="display: block; padding: 1em 0;text-align: center;"><img alt="" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhREEhNQOZ1zMw1afJqw2dsduh3hce6p_qTmY4hFpKYvwp0dFNph4vj3sj9xOv5Fpx7--neSHRNUI30C7UAe0GuJwSDXN5vYOlGRiPgnrWMj9c1KJ9fOpNmKLTFMK54aOQjzWeV2iPtMeFfGUTG94yKS6W5sfPvNUeVOPDObnodsQKZtLMK6Onc_3tB/s1200/image2.png" style="max-height: 750px; max-width: 600px;" title="" /></a> The important thing is that there's no significant difference between the results for the failure and success cases, which suggests that there's no clear speculative side-channel that would allow an attacker to build a side-channel tag-check oracle directly.<h2 class="LtslleXhTC-c39 LtslleXhTC-c11" id="h.tum68qy04i7z">Software Implementation</h2> There are several ways that we identified that the current software implementation around the use of MTE could lead to bypasses if MTE were used as a security mitigation. As described below, Issues <a class="LtslleXhTC-c19" href="#h.mom86f64gsnm">1</a> and <a class="LtslleXhTC-c19" href="#h.5lefjf6v19hr">2</a> are quirks of the current implementation that it may or may not be possible to address with kernel changes. They are both of limited scope and only apply to very specific conditions, so they likely don't have a particularly significant impact on the applicability of MTE as a security mitigation (although they have some implications for the coverage of such a mitigation.) Issue <a class="LtslleXhTC-c19" href="#h.slz47uww66dv">3</a> is a detail of the current implementation of Breakpad, and serves to highlight a particular class of weakness that will require careful audit of signal handling code in any application that wishes to use MTE as a security mitigation. Issue <a class="LtslleXhTC-c19" href="#h.quhrhy4chqpx">4</a> is a fundamental weakness that likely cannot be effectively addressed. We would not characterize this as meaning that MTE could not be applied as a security mitigation, but rather a limitation on the claims that one could make about the effectiveness of such a mitigation. To be more specific, both issues <a class="LtslleXhTC-c19" href="#h.slz47uww66dv">3</a> and <a class="LtslleXhTC-c19" href="#h.quhrhy4chqpx">4</a> are bound by some fairly significant limitations, which would have varying impact on exploitability of memory corruption issues depending on the specific context in which the issue occurs. See below for more discussion on this topic. TL;DR; In our testing we identified some areas for improvement on the software side, and demonstrated that it is possible to use the narrow "exploitation window" to avoid the side-effects of tag-check failures under some circumstances, meaning that any mitigation based on async MTE is likely limited to a "soft mitigation" regardless of tagging strategy.<h3 class="LtslleXhTC-c15 LtslleXhTC-c11" id="h.mom86f64gsnm">1. Handling of system call arguments [ASYNC]</h3> There's a <a class="LtslleXhTC-c191" href="https://elixir.bootlin.com/linux/v5.18.9/source/Documentation/arm64/memory-tagging-extension.rst#L111">documented limitation</a> of the current handling of the async MTE check mode in the linux kernel, which is that the kernel does not catch invalid accesses to userspace pointers. This means that kernel-space accesses to incorrectly tagged user-space pointers during a system call will not be detected. There are likely good technical reasons for this limitation, but we plan to investigate improving this coverage in the future. We provide a sample that demonstrates this limitation, <a class="LtslleXhTC-c191" href="https://github.com/googleprojectzero/p0tools/blob/master/MTETest/software_issue_1.c">software_issue_1.c</a>. <a id="t.8f0fdf111fc851ee54c5d3d0667b7c8ebd951dde"></a><a id="t.2"></a><table class="LtslleXhTC-c8"><tr class="LtslleXhTC-c3"><td class="LtslleXhTC-c30 LtslleXhTC-c26" colspan="1" rowspan="1"> mte_enable(false, DEFAULT_TAG_MASK); uint64_t* ptr = mmap(NULL, 0x1000,   PROT_READ|PROT_WRITE|PROT_MTE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0); uint64_t* tagged_ptr = mte_tag_and_zero(ptr, 0x1000); memset(tagged_ptr, 0x23, 0x1000); int fd = open("/dev/urandom", O_RDONLY); fprintf(stderr, "%p %p\n", ptr, tagged_ptr); read(fd, ptr, 0x1000); assert(*tagged_ptr == 0x2323232323232323ull);</td></tr></table> <a id="t.e04c823cc84070116900a5dd009a203c24fa85be"></a><a id="t.3"></a><table class="LtslleXhTC-c8"><tr class="LtslleXhTC-c3"><td class="LtslleXhTC-c26 LtslleXhTC-c30" colspan="1" rowspan="1"> taro:/ $ /data/local/tmp/software_issue_1                                                                                                                   0x7722c5d000 0x800007722c5d000 software_issue_1: ./software_issue_1.c:46: int main(int, char **): Assertion `*tagged_ptr == 0x2323232323232323ull' failed.</td></tr></table><h3 class="LtslleXhTC-c11 LtslleXhTC-c15" id="h.5lefjf6v19hr">2. Handling of system call arguments [SYNC]</h3> The way that the sync MTE check mode is currently implemented in the linux kernel means that kernel-space accesses to incorrectly tagged user-space pointers result in the system call returning EFAULT. While this is probably the cleanest and simplest approach, and is consistent with current kernel behaviour especially when it comes to handling results for partial operations, this has the potential to lead to bypasses/oracles in some circumstances. We plan to investigate replacing this behaviour with SIGSEGV delivery instead (specifically for MTE tag check failures). The provided sample, <a class="LtslleXhTC-c191" href="https://github.com/googleprojectzero/p0tools/blob/master/MTETest/software_issue_2.c">software_issue_2.c</a> is a very simple demonstration of this situation. <a id="t.deed3115c9498a2adb11f5e5ca63e5b59c56cddf"></a><a id="t.4"></a><table class="LtslleXhTC-c8"><tr class="LtslleXhTC-c3"><td class="LtslleXhTC-c30 LtslleXhTC-c26" colspan="1" rowspan="1"> size_t readn(int fd, void* ptr, size_t len) {   char* start_ptr = ptr;   char* read_ptr = ptr;   while (read_ptr < start_ptr + len) {     ssize_t result = read(fd, read_ptr, start_ptr + len - read_ptr);     if (result <= 0) {       return read_ptr - start_ptr;     } else {       read_ptr += result;     }   }   return len; } int main(int argc, char** argv) {   int pipefd[2];   mte_enable(true, DEFAULT_TAG_MASK);   uint64_t* ptr = mmap(NULL, 0x1000,     PROT_READ|PROT_WRITE|PROT_MTE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);   ptr = mte_tag(ptr, 0x10);   strcpy(ptr, "AAAAAAAAAAAAAAA");   assert(!pipe(pipefd));   write(pipefd[1], "BBBBBBBBBBBBBBB", 0x10);   // In sync MTE mode, kernel MTE tag-check failures cause system calls to fail   // with EFAULT rather than triggering a SIGSEGV. Existing code doesn't   // generally expect to receive EFAULT, and is very unlikely to handle it as a   // critical error.   uint64_t* new_ptr = ptr;   while (!strcmp(new_ptr, "AAAAAAAAAAAAAAA")) {     // Simulate a use-after-free, where new_ptr is repeatedly free'd and ptr     // is accessed after the free via a syscall.     new_ptr = mte_tag(new_ptr, 0x10);     strcpy(new_ptr, "AAAAAAAAAAAAAAA");     size_t bytes_read = readn(pipefd[0], ptr, 0x10);     fprintf(stderr, "read %zu bytes\nnew_ptr string is %s\n", bytes_read, new_ptr);   } }</td></tr></table> <a id="t.7df0f3089a2e25f6a8fee0ff6724bf10c0a3026b"></a><a id="t.5"></a><table class="LtslleXhTC-c8"><tr class="LtslleXhTC-c3"><td class="LtslleXhTC-c30 LtslleXhTC-c26" colspan="1" rowspan="1"> taro:/ $ /data/local/tmp/software_issue_2                                                                                                           read 0 bytes new_ptr string is AAAAAAAAAAAAAAA read 0 bytes new_ptr string is AAAAAAAAAAAAAAA read 0 bytes new_ptr string is AAAAAAAAAAAAAAA read 0 bytes new_ptr string is AAAAAAAAAAAAAAA read 0 bytes new_ptr string is AAAAAAAAAAAAAAA read 0 bytes new_ptr string is AAAAAAAAAAAAAAA read 0 bytes new_ptr string is AAAAAAAAAAAAAAA read 16 bytes new_ptr string is BBBBBBBBBBBBBBB</td></tr></table><h3 class="LtslleXhTC-c15 LtslleXhTC-c11" id="h.slz47uww66dv">3. New dangers in signal handlers [ASYNC].</h3> Since SIGSEGV is a catchable signal, any signal handlers that can handle SIGSEGV become a critical attack surface for async MTE bypasses. <a class="LtslleXhTC-c191" href="https://www.google.com/url?q=https://www.chromium.org/developers/crash-reports/&sa=D&source=docs&ust=1661952947380022&usg=AOvVaw3HyXTOsL3B1fRSnMg9GdO3">Breakpad</a><a class="LtslleXhTC-c191" href="https://www.google.com/url?q=https://www.chromium.org/developers/crash-reports/&sa=D&source=docs&ust=1661952947380022&usg=AOvVaw3HyXTOsL3B1fRSnMg9GdO3">/Crashpad</a> at present have a signal handler (ie, installed in all Chrome processes) which allows a trivial same-thread bypass for async MTE as a security protection, which is demonstrated in async_bypass_signal_handler.c / async_bypass_signal_handler.js. The concept is simple - if we can corrupt any state that would result in the signal handler concluding that a SIGSEGV coming from a tag-check failure is handled/safe, then we can effectively disable MTE for the process. If we look at the current <a class="LtslleXhTC-c191" href="https://source.chromium.org/chromium/chromium/src/+/main:third_party/breakpad/breakpad/src/client/linux/handler/exception_handler.cc;l=328">breakpad signal handler</a> (the crashpad signal handler has <a class="LtslleXhTC-c191" href="https://source.chromium.org/chromium/chromium/src/+/main:third_party/crashpad/crashpad/client/crashpad_client_linux.cc;drc=db6f1567b8caa6dacdd0d46b2a7ac60c5b5ddc82;l=201">the same design</a>): <a id="t.e3ef59fa9395aadf7e4cd9a21e5ddb5a620a10a1"></a><a id="t.6"></a><table class="LtslleXhTC-c8"><tr class="LtslleXhTC-c3"><td class="LtslleXhTC-c30 LtslleXhTC-c26" colspan="1" rowspan="1"> void ExceptionHandler::SignalHandler(int sig, siginfo_t* info, void* uc) {   // Give the first chance handler a chance to recover from this signal   //   // This is primarily used by V8. V8 uses guard regions to guarantee memory   // safety in WebAssembly. This means some signals might be expected if they   // originate from Wasm code while accessing the guard region. We give V8 the   // chance to handle and recover from these signals first.   if (g_first_chance_handler_ != nullptr &&       g_first_chance_handler_(sig, info, uc)) {     return;   }</td></tr></table> It's clear that if our exploit could patch g_first_chance_handler_ to point to any function that will return a non-zero value, then this will mean that tag-check failures are no longer caught. The example we've provided in <a class="LtslleXhTC-c191" href="https://github.com/googleprojectzero/p0tools/blob/master/MTETest/async_signal_handler_bypass.c">async_signal_handler_bypass.c</a> and <a class="LtslleXhTC-c191" href="https://github.com/googleprojectzero/p0tools/blob/master/MTETest/async_signal_handler_bypass.js">async_signal_handler_bypass.js</a> demonstrates an exploit using this technique against a simulated bug in the <a class="LtslleXhTC-c191" href="https://duktape.org/">duktape javascript interpreter</a>. <a id="t.3f0b748a4c9d28f1917b769bb80a1218715293fb"></a><a id="t.7"></a><table class="LtslleXhTC-c8"><tr class="LtslleXhTC-c3"><td class="LtslleXhTC-c30 LtslleXhTC-c26" colspan="1" rowspan="1"> taro:/data/local/tmp $./async_bypass_signal_handler ./async_bypass_signal_handler.js                                                                       offsets: 0x26c068 0x36bc80 starting script execution access segv handler 11 Async MTE has been bypassed [0.075927734375ms] done</td></tr></table> It seems hard to imagine designing a signal handler that will be robust against all possible attacks here, as most data that is accessed by the signal handler will now need to be treated as untrusted. It's our understanding that Android is considering making changes to the way that the kernel handles these failures to guarantee delivery of these errors to an out-of-process handler, preventing this kind of bypass.<h3 class="LtslleXhTC-c15 LtslleXhTC-c11" id="h.quhrhy4chqpx">4. Generic bypass in multi-threaded environments [ASYNC].</h3> Since async MTE failures are only delivered when the thread which caused the error enters the kernel, there's a slightly more involved (but more generic) bypass available in multi-threaded environments. If we can coerce another thread into performing our next exploit steps for us, then we can bypass the protection this way. The example we've provided in <a class="LtslleXhTC-c191" href="https://github.com/googleprojectzero/p0tools/blob/master/MTETest/async_thread_bypass.c">async_thread_bypass.c</a> and <a class="LtslleXhTC-c191" href="https://github.com/googleprojectzero/p0tools/blob/master/MTETest/async_thread_bypass.js">async_thread_bypass.js</a> demonstrates an exploit using this technique against a simulated bug in the duktape javascript interpreter. <a id="t.85a34c05a807396d0d2e0b36db36cbe0daa772f2"></a><a id="t.8"></a><table class="LtslleXhTC-c8"><tr class="LtslleXhTC-c3"><td class="LtslleXhTC-c30 LtslleXhTC-c26" colspan="1" rowspan="1"> taro:/data/local/tmp $ ./async_bypass_thread ./async_bypass_thread.js                                                                                       thread is running Async MTE bypassed!</td></tr></table> Note that in practice, the technique here would most likely be to have the coerced thread simply install a new signal handler to effectively reimplement 3. above, but the example invokes a shell command as a demonstration.<h2 class="LtslleXhTC-c11 LtslleXhTC-c39" id="h.soyoaib239d2">How wide are these windows?</h2> So, we've identified two methods by which a compromised thread might avoid the consequences of performing invalid accesses. This was a known and expected limitation of async-MTE-as-a-security-mitigation — but how significant is this? In the existing (linux) kernel implementation, an outstanding async-MTE failure is delivered as a SIGSEGV when the thread that performed the faulting access transitions to kernel mode. This means that the user-to-kernel transition can be thought of as a synchronisation barrier for tag-check failures. This leads us to our first rule for async-MTE-safe exploitation:<ol class="c14 lst-kix_21mujycf9tm5-0 start" start="1"><li style="margin-left: 46pt;" class="c2 c11 c22 li-bullet-0">We need to complete our exploit (or disable async-MTE) without needing to make a system call from the faulting thread.</li></ol> This will already pose a significant limitation in some contexts - for example, many network services will have a `read/write` loop in between commands, so this would mean that the exploit must be completed within the execution of a single command. However, for many other contexts, this is less of an issue - a vulnerability in a complex file format parser, decompression algorithm or scripting engine will likely provide sufficient control between system calls to complete an exploit (as demonstrated above with the duktape javascript engine). There is then a second requirement that the exploit-writer needs to bear in mind, which is the periodic timer interrupt. In the kernel configuration tested, this was set to `CONFIG_HZ_250`, so we can expect a timer interrupt every 4ms, leading us to our second rule<a class="LtslleXhTC-c19" href="#h.vc7otbihpy9e">3</a>:<ol class="c14 lst-kix_21mujycf9tm5-0" start="2"><li style="margin-left: 46pt;" class="c2 c11 c22 li-bullet-0">We need to complete our exploit in  ~0.2 ms if we want to get acceptable (95%<a class="LtslleXhTC-c19" href="#h.uu3o4hva4l1j">4</a>) reliability. (+0.01ms exploit runtime => -0.25% reliability)</li></ol> <a class="LtslleXhTC-c191" href="https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-2-mitigation.html">Part 2</a> continues with a higher-level analysis of the effectiveness of various different MTE configurations in a variety of user-space application contexts, and what type of impact we'd expect to see on attacker cost. <h4 class="LtslleXhTC-c2 LtslleXhTC-c11 LtslleXhTC-c43" id="h.d43f6ia2nolp">[1] It is known/expected that Spectre-type attacks are possible to leak pointer values from memory.</h4><h4 class="LtslleXhTC-c2 LtslleXhTC-c11 LtslleXhTC-c43" id="h.8v9sdwwdtqt">[2] ARM indicated that this should not be the case (this potential weakness was raised with them early in the MTE design process). </h4><h4 class="LtslleXhTC-c2 LtslleXhTC-c11 LtslleXhTC-c43" id="h.vc7otbihpy9e">[3] This assumes that the attacker can't construct a side-channel allowing them to determine when a timer interrupt has happened in the target process, which seems like a reasonable assumption in a remote media-parsing scenario, but less so in the context of a local privilege elevation.</h4><h4 class="LtslleXhTC-c9 LtslleXhTC-c11 LtslleXhTC-c43" id="h.uu3o4hva4l1j">[4] 95% is a rough estimate - <a class="LtslleXhTC-c191" href="https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-2-mitigation.html">part 2</a> discusses the reasoning here in more detail; but note that we would consider this a rough reference point for what attackers will likely work towards, and not a hard limit.</h4> <div style='clear: both;'></div> </div> <div class='post-footer'> <div class='post-footer-line post-footer-line-1'> Posted by <meta content='https://www.blogger.com/profile/08975904405228580347' itemprop='url'/> <a class='g-profile' href='https://www.blogger.com/profile/08975904405228580347' rel='author' title='author profile'> Google Project Zero </a> at <meta content='https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-1.html' itemprop='url'/> <a class='timestamp-link' href='https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-1.html' rel='bookmark' title='permanent link'><abbr class='published' itemprop='datePublished' title='2023-08-02T09:30:00-07:00'>9:30 AM</abbr></a> <a class='comment-link' href='https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-1.html#comment-form' onclick=''> No comments: </a> <a href='https://www.blogger.com/post-edit.g?blogID=4838136820032157985&postID=1349463988498930341&from=pencil' title='Edit Post'> <img alt='' class='icon-action' height='18' src='https://resources.blogblog.com/img/icon18_edit_allbkg.gif' width='18'/> </a> <div class='post-share-buttons goog-inline-block'> <a class='goog-inline-block share-button sb-email' href='https://www.blogger.com/share-post.g?blogID=4838136820032157985&postID=1349463988498930341&target=email' target='_blank' title='Email This'>Email This</a><a class='goog-inline-block share-button sb-blog' href='https://www.blogger.com/share-post.g?blogID=4838136820032157985&postID=1349463988498930341&target=blog' onclick='window.open(this.href, "_blank", "height=270,width=475"); return false;' target='_blank' title='BlogThis!'>BlogThis!</a><a class='goog-inline-block share-button sb-twitter' href='https://www.blogger.com/share-post.g?blogID=4838136820032157985&postID=1349463988498930341&target=twitter' target='_blank' title='Share to X'>Share to X</a><a class='goog-inline-block share-button sb-facebook' href='https://www.blogger.com/share-post.g?blogID=4838136820032157985&postID=1349463988498930341&target=facebook' onclick='window.open(this.href, "_blank", "height=430,width=640"); return false;' target='_blank' title='Share to Facebook'>Share to Facebook</a><a class='goog-inline-block share-button sb-pinterest' href='https://www.blogger.com/share-post.g?blogID=4838136820032157985&postID=1349463988498930341&target=pinterest' target='_blank' title='Share to Pinterest'>Share to Pinterest</a> </div> </div> <div class='post-footer-line post-footer-line-2'> </div> <div class='post-footer-line post-footer-line-3'> </div> </div> </div> </div> <div class='post-outer'> <div class='post hentry uncustomized-post-template' itemprop='blogPost' itemscope='itemscope' itemtype='http://schema.org/BlogPosting'> <meta content='4838136820032157985' itemprop='blogId'/> <meta content='1284641313067735090' itemprop='postId'/> <a name='1284641313067735090'></a> <h3 class='post-title entry-title' itemprop='name'> <a href='https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-3-kernel.html'>MTE As Implemented, Part 3: The Kernel</a> </h3> <div class='post-header'> <div class='post-header-line-1'></div> </div> <div class='post-body entry-content' id='post-body-1284641313067735090' itemprop='description articleBody'> <style type="text/css">@import url(https://themes.googleusercontent.com/fonts/css?kit=4mNYFHt_IKFsPe52toizH6nwuZUPj2AFYBEz-aMyENVctA_KpTDBIb9wIwVqFCm-);.lst-kix_46kwnuz47r-3>li{counter-increment:lst-ctn-kix_46kwnuz47r-3}ol.lst-kix_46kwnuz47r-1.start{counter-reset:lst-ctn-kix_46kwnuz47r-1 0}.lst-kix_8lngbvh6wilc-4>li{counter-increment:lst-ctn-kix_8lngbvh6wilc-4}ol.lst-kix_46kwnuz47r-0{list-style-type:none}ol.lst-kix_46kwnuz47r-2{list-style-type:none}.lst-kix_46kwnuz47r-2>li{counter-increment:lst-ctn-kix_46kwnuz47r-2}.lst-kix_8lngbvh6wilc-5>li{counter-increment:lst-ctn-kix_8lngbvh6wilc-5}ol.lst-kix_cp4qttrp12lb-6.start{counter-reset:lst-ctn-kix_cp4qttrp12lb-6 0}ol.lst-kix_46kwnuz47r-1{list-style-type:none}ol.lst-kix_46kwnuz47r-4{list-style-type:none}ol.lst-kix_46kwnuz47r-3{list-style-type:none}ol.lst-kix_8lngbvh6wilc-8.start{counter-reset:lst-ctn-kix_8lngbvh6wilc-8 0}.lst-kix_cp4qttrp12lb-5>li{counter-increment:lst-ctn-kix_cp4qttrp12lb-5}ol.lst-kix_46kwnuz47r-6{list-style-type:none}ol.lst-kix_46kwnuz47r-5{list-style-type:none}ol.lst-kix_46kwnuz47r-8{list-style-type:none}ol.lst-kix_46kwnuz47r-7{list-style-type:none}ol.lst-kix_cp4qttrp12lb-3.start{counter-reset:lst-ctn-kix_cp4qttrp12lb-3 0}ol.lst-kix_46kwnuz47r-4.start{counter-reset:lst-ctn-kix_46kwnuz47r-4 0}.lst-kix_8lngbvh6wilc-3>li{counter-increment:lst-ctn-kix_8lngbvh6wilc-3}.lst-kix_cp4qttrp12lb-6>li{counter-increment:lst-ctn-kix_cp4qttrp12lb-6}.lst-kix_8lngbvh6wilc-6>li{counter-increment:lst-ctn-kix_8lngbvh6wilc-6}.lst-kix_4xvzm1t3t8ep-0>li:before{content:"- "}.lst-kix_46kwnuz47r-4>li{counter-increment:lst-ctn-kix_46kwnuz47r-4}.lst-kix_46kwnuz47r-1>li{counter-increment:lst-ctn-kix_46kwnuz47r-1}ol.lst-kix_cp4qttrp12lb-0.start{counter-reset:lst-ctn-kix_cp4qttrp12lb-0 0}ol.lst-kix_8lngbvh6wilc-0.start{counter-reset:lst-ctn-kix_8lngbvh6wilc-0 0}.lst-kix_cp4qttrp12lb-3>li{counter-increment:lst-ctn-kix_cp4qttrp12lb-3}.lst-kix_4xvzm1t3t8ep-6>li:before{content:"- "}.lst-kix_4xvzm1t3t8ep-5>li:before{content:"- "}.lst-kix_4xvzm1t3t8ep-4>li:before{content:"- "}.lst-kix_4xvzm1t3t8ep-1>li:before{content:"- "}.lst-kix_4xvzm1t3t8ep-3>li:before{content:"- "}.lst-kix_4xvzm1t3t8ep-2>li:before{content:"- "}ol.lst-kix_cp4qttrp12lb-0{list-style-type:none}ol.lst-kix_cp4qttrp12lb-1{list-style-type:none}.lst-kix_8lngbvh6wilc-0>li:before{content:"" counter(lst-ctn-kix_8lngbvh6wilc-0,decimal) ". "}ol.lst-kix_cp4qttrp12lb-2{list-style-type:none}ol.lst-kix_cp4qttrp12lb-3{list-style-type:none}.lst-kix_46kwnuz47r-6>li{counter-increment:lst-ctn-kix_46kwnuz47r-6}.lst-kix_8lngbvh6wilc-1>li:before{content:"" counter(lst-ctn-kix_8lngbvh6wilc-1,lower-latin) ". "}ol.lst-kix_cp4qttrp12lb-4{list-style-type:none}ol.lst-kix_8lngbvh6wilc-6.start{counter-reset:lst-ctn-kix_8lngbvh6wilc-6 0}ol.lst-kix_cp4qttrp12lb-5{list-style-type:none}ol.lst-kix_cp4qttrp12lb-6{list-style-type:none}ol.lst-kix_cp4qttrp12lb-8.start{counter-reset:lst-ctn-kix_cp4qttrp12lb-8 0}ol.lst-kix_cp4qttrp12lb-7{list-style-type:none}.lst-kix_8lngbvh6wilc-7>li{counter-increment:lst-ctn-kix_8lngbvh6wilc-7}ol.lst-kix_cp4qttrp12lb-1.start{counter-reset:lst-ctn-kix_cp4qttrp12lb-1 0}.lst-kix_8lngbvh6wilc-7>li:before{content:"" counter(lst-ctn-kix_8lngbvh6wilc-7,lower-latin) ". "}.lst-kix_8lngbvh6wilc-6>li:before{content:"" counter(lst-ctn-kix_8lngbvh6wilc-6,decimal) ". "}ul.lst-kix_4xvzm1t3t8ep-8{list-style-type:none}.lst-kix_4xvzm1t3t8ep-7>li:before{content:"- "}ul.lst-kix_4xvzm1t3t8ep-7{list-style-type:none}.lst-kix_8lngbvh6wilc-1>li{counter-increment:lst-ctn-kix_8lngbvh6wilc-1}.lst-kix_8lngbvh6wilc-5>li:before{content:"" counter(lst-ctn-kix_8lngbvh6wilc-5,lower-roman) ". "}.lst-kix_4xvzm1t3t8ep-8>li:before{content:"- "}.lst-kix_8lngbvh6wilc-3>li:before{content:"" counter(lst-ctn-kix_8lngbvh6wilc-3,decimal) ". "}.lst-kix_8lngbvh6wilc-2>li:before{content:"" counter(lst-ctn-kix_8lngbvh6wilc-2,lower-roman) ". "}.lst-kix_8lngbvh6wilc-4>li:before{content:"" counter(lst-ctn-kix_8lngbvh6wilc-4,lower-latin) ". "}ol.lst-kix_cp4qttrp12lb-2.start{counter-reset:lst-ctn-kix_cp4qttrp12lb-2 0}.lst-kix_46kwnuz47r-6>li:before{content:"" counter(lst-ctn-kix_46kwnuz47r-6,decimal) ". "}.lst-kix_46kwnuz47r-7>li:before{content:"" counter(lst-ctn-kix_46kwnuz47r-7,lower-latin) ". "}.lst-kix_46kwnuz47r-8>li:before{content:"" counter(lst-ctn-kix_46kwnuz47r-8,lower-roman) ". "}ol.lst-kix_8lngbvh6wilc-5.start{counter-reset:lst-ctn-kix_8lngbvh6wilc-5 0}.lst-kix_8lngbvh6wilc-8>li:before{content:"" counter(lst-ctn-kix_8lngbvh6wilc-8,lower-roman) ". "}.lst-kix_cp4qttrp12lb-1>li{counter-increment:lst-ctn-kix_cp4qttrp12lb-1}ol.lst-kix_cp4qttrp12lb-8{list-style-type:none}ol.lst-kix_46kwnuz47r-3.start{counter-reset:lst-ctn-kix_46kwnuz47r-3 0}.lst-kix_cp4qttrp12lb-4>li{counter-increment:lst-ctn-kix_cp4qttrp12lb-4}.lst-kix_46kwnuz47r-0>li{counter-increment:lst-ctn-kix_46kwnuz47r-0}.lst-kix_cp4qttrp12lb-7>li{counter-increment:lst-ctn-kix_cp4qttrp12lb-7}ol.lst-kix_46kwnuz47r-8.start{counter-reset:lst-ctn-kix_46kwnuz47r-8 0}ol.lst-kix_8lngbvh6wilc-1.start{counter-reset:lst-ctn-kix_8lngbvh6wilc-1 0}ol.lst-kix_8lngbvh6wilc-4.start{counter-reset:lst-ctn-kix_8lngbvh6wilc-4 0}.lst-kix_46kwnuz47r-8>li{counter-increment:lst-ctn-kix_46kwnuz47r-8}.lst-kix_46kwnuz47r-5>li:before{content:"(" counter(lst-ctn-kix_46kwnuz47r-5,lower-roman) ") "}.lst-kix_46kwnuz47r-4>li:before{content:"(" counter(lst-ctn-kix_46kwnuz47r-4,lower-latin) ") "}.lst-kix_46kwnuz47r-2>li:before{content:"" counter(lst-ctn-kix_46kwnuz47r-2,lower-roman) ") "}.lst-kix_cp4qttrp12lb-0>li{counter-increment:lst-ctn-kix_cp4qttrp12lb-0}.lst-kix_46kwnuz47r-1>li:before{content:"" counter(lst-ctn-kix_46kwnuz47r-1,lower-latin) ") "}.lst-kix_46kwnuz47r-3>li:before{content:"(" counter(lst-ctn-kix_46kwnuz47r-3,decimal) ") "}ol.lst-kix_46kwnuz47r-2.start{counter-reset:lst-ctn-kix_46kwnuz47r-2 0}ul.lst-kix_4xvzm1t3t8ep-2{list-style-type:none}ol.lst-kix_cp4qttrp12lb-4.start{counter-reset:lst-ctn-kix_cp4qttrp12lb-4 0}ul.lst-kix_4xvzm1t3t8ep-1{list-style-type:none}.lst-kix_46kwnuz47r-7>li{counter-increment:lst-ctn-kix_46kwnuz47r-7}ul.lst-kix_4xvzm1t3t8ep-0{list-style-type:none}.lst-kix_46kwnuz47r-0>li:before{content:"" counter(lst-ctn-kix_46kwnuz47r-0,decimal) ") "}ul.lst-kix_4xvzm1t3t8ep-6{list-style-type:none}ul.lst-kix_4xvzm1t3t8ep-5{list-style-type:none}ul.lst-kix_4xvzm1t3t8ep-4{list-style-type:none}ul.lst-kix_4xvzm1t3t8ep-3{list-style-type:none}ol.lst-kix_46kwnuz47r-5.start{counter-reset:lst-ctn-kix_46kwnuz47r-5 0}ol.lst-kix_8lngbvh6wilc-7.start{counter-reset:lst-ctn-kix_8lngbvh6wilc-7 0}.lst-kix_8lngbvh6wilc-0>li{counter-increment:lst-ctn-kix_8lngbvh6wilc-0}ol.lst-kix_cp4qttrp12lb-7.start{counter-reset:lst-ctn-kix_cp4qttrp12lb-7 0}ol.lst-kix_46kwnuz47r-6.start{counter-reset:lst-ctn-kix_46kwnuz47r-6 0}ol.lst-kix_cp4qttrp12lb-5.start{counter-reset:lst-ctn-kix_cp4qttrp12lb-5 0}.lst-kix_46kwnuz47r-5>li{counter-increment:lst-ctn-kix_46kwnuz47r-5}ol.lst-kix_8lngbvh6wilc-3.start{counter-reset:lst-ctn-kix_8lngbvh6wilc-3 0}.lst-kix_cp4qttrp12lb-8>li{counter-increment:lst-ctn-kix_cp4qttrp12lb-8}.lst-kix_8lngbvh6wilc-2>li{counter-increment:lst-ctn-kix_8lngbvh6wilc-2}.lst-kix_cp4qttrp12lb-2>li{counter-increment:lst-ctn-kix_cp4qttrp12lb-2}.lst-kix_8lngbvh6wilc-8>li{counter-increment:lst-ctn-kix_8lngbvh6wilc-8}.lst-kix_cp4qttrp12lb-4>li:before{content:"(" counter(lst-ctn-kix_cp4qttrp12lb-4,lower-latin) ") "}.lst-kix_cp4qttrp12lb-5>li:before{content:"(" counter(lst-ctn-kix_cp4qttrp12lb-5,lower-roman) ") "}ol.lst-kix_46kwnuz47r-7.start{counter-reset:lst-ctn-kix_46kwnuz47r-7 0}.lst-kix_cp4qttrp12lb-0>li:before{content:"" counter(lst-ctn-kix_cp4qttrp12lb-0,decimal) ") "}.lst-kix_cp4qttrp12lb-8>li:before{content:"" counter(lst-ctn-kix_cp4qttrp12lb-8,lower-roman) ". "}.lst-kix_cp4qttrp12lb-6>li:before{content:"" counter(lst-ctn-kix_cp4qttrp12lb-6,decimal) ". "}.lst-kix_cp4qttrp12lb-7>li:before{content:"" counter(lst-ctn-kix_cp4qttrp12lb-7,lower-latin) ". "}li.li-bullet-0:before{margin-left:-18pt;white-space:nowrap;display:inline-block;min-width:18pt}ol.lst-kix_8lngbvh6wilc-0{list-style-type:none}ol.lst-kix_8lngbvh6wilc-1{list-style-type:none}ol.lst-kix_8lngbvh6wilc-2.start{counter-reset:lst-ctn-kix_8lngbvh6wilc-2 0}ol.lst-kix_8lngbvh6wilc-2{list-style-type:none}ol.lst-kix_8lngbvh6wilc-3{list-style-type:none}ol.lst-kix_8lngbvh6wilc-4{list-style-type:none}ol.lst-kix_8lngbvh6wilc-5{list-style-type:none}ol.lst-kix_8lngbvh6wilc-6{list-style-type:none}ol.lst-kix_8lngbvh6wilc-7{list-style-type:none}ol.lst-kix_46kwnuz47r-0.start{counter-reset:lst-ctn-kix_46kwnuz47r-0 0}ol.lst-kix_8lngbvh6wilc-8{list-style-type:none}.lst-kix_cp4qttrp12lb-1>li:before{content:"" counter(lst-ctn-kix_cp4qttrp12lb-1,lower-latin) ") "}.lst-kix_cp4qttrp12lb-2>li:before{content:"" counter(lst-ctn-kix_cp4qttrp12lb-2,lower-roman) ") "}.lst-kix_cp4qttrp12lb-3>li:before{content:"(" counter(lst-ctn-kix_cp4qttrp12lb-3,decimal) ") "}ol{margin:0;padding:0}table td,table th{padding:0}.RwZZBLiumt-c10{margin-left:36pt;padding-top:0pt;padding-bottom:0pt;line-height:1.5;orphans:2;widows:2;text-align:left;height:11pt}.RwZZBLiumt-c4{margin-left:36pt;padding-top:0pt;padding-left:0pt;padding-bottom:0pt;line-height:1.5;orphans:2;widows:2;text-align:left}.RwZZBLiumt-c16{color:#666666;font-weight:400;text-decoration:none;vertical-align:baseline;font-size:15pt;font-family:"Arial";font-style:normal}.RwZZBLiumt-c0{color:#000000;font-weight:700;text-decoration:none;vertical-align:baseline;font-size:11pt;font-family:"Google Sans";font-style:italic}.RwZZBLiumt-c23{background-color:#ffffff;padding-top:18pt;padding-bottom:6pt;line-height:1.38;orphans:2;widows:2;text-align:left}.RwZZBLiumt-c5{padding-top:0pt;padding-bottom:16pt;line-height:1.5;page-break-after:avoid;orphans:2;widows:2;text-align:left}.RwZZBLiumt-c7{color:#000000;font-weight:400;text-decoration:none;vertical-align:baseline;font-size:10pt;font-family:"Google Sans";font-style:normal}.RwZZBLiumt-c2{color:#000000;font-weight:400;text-decoration:none;vertical-align:baseline;font-size:11pt;font-family:"Google Sans";font-style:italic}.RwZZBLiumt-c15{padding-top:0pt;padding-bottom:0pt;line-height:1.5;orphans:2;widows:2;text-align:justify}.RwZZBLiumt-c31{padding-top:0pt;padding-bottom:3pt;line-height:1.5;orphans:2;widows:2;text-align:left}.RwZZBLiumt-c13{padding-top:0pt;padding-bottom:0pt;line-height:1.5;orphans:2;widows:2;text-align:left}.RwZZBLiumt-c26{-webkit-text-decoration-skip:none;color:#1155cc;font-weight:400;text-decoration:underline;text-decoration-skip-ink:none;font-family:Consolas,"Courier New"}.RwZZBLiumt-c3{-webkit-text-decoration-skip:none;color:#1155cc;font-weight:400;text-decoration:underline;text-decoration-skip-ink:none;font-family:"Google Sans"}.RwZZBLiumt-c27{color:#000000;text-decoration:none;vertical-align:baseline;font-size:26pt;font-style:normal}.RwZZBLiumt-c25{color:#000000;text-decoration:none;vertical-align:baseline;font-size:13pt;font-style:normal}.RwZZBLiumt-c29{color:#000000;text-decoration:none;vertical-align:baseline;font-size:8pt;font-style:normal}.RwZZBLiumt-c12{color:#000000;text-decoration:none;vertical-align:baseline;font-size:11pt;font-style:normal}.RwZZBLiumt-c20{padding-top:0pt;padding-bottom:0pt;line-height:1.0;text-align:left}.RwZZBLiumt-c14{background-color:#ffffff;max-width:468pt;padding:72pt 72pt 72pt 72pt}.RwZZBLiumt-c1{font-family:Consolas,"Courier New";color:#0d904f;font-weight:400}.RwZZBLiumt-c9{font-family:"Google Sans";font-style:italic;font-weight:700}.RwZZBLiumt-c17{font-weight:400;font-family:"Arial"}.RwZZBLiumt-c18{font-weight:700;font-family:"Google Sans"}.RwZZBLiumt-c6{color:inherit;text-decoration:inherit}.RwZZBLiumt-c11{border:1px solid black;margin:5px}.RwZZBLiumt-c19{padding:0;margin:0}.RwZZBLiumt-c8{font-weight:400;font-family:"Google Sans"}.RwZZBLiumt-c28{vertical-align:super}.RwZZBLiumt-c22{font-size:9pt}.RwZZBLiumt-c30{page-break-after:avoid}.RwZZBLiumt-c21{height:11pt}.RwZZBLiumt-c24{font-style:italic}.title{padding-top:0pt;color:#000000;font-size:26pt;padding-bottom:3pt;font-family:"Arial";line-height:1.5;page-break-after:avoid;orphans:2;widows:2;text-align:left}.subtitle{padding-top:0pt;color:#666666;font-size:15pt;padding-bottom:16pt;font-family:"Arial";line-height:1.5;page-break-after:avoid;orphans:2;widows:2;text-align:left}li{color:#000000;font-size:11pt;font-family:"Arial"}p{margin:0;color:#000000;font-size:11pt;font-family:"Arial"}h1{padding-top:20pt;color:#000000;font-size:20pt;padding-bottom:6pt;font-family:"Arial";line-height:1.5;page-break-after:avoid;orphans:2;widows:2;text-align:left}h2{padding-top:18pt;color:#000000;font-size:16pt;padding-bottom:6pt;font-family:"Arial";line-height:1.5;page-break-after:avoid;orphans:2;widows:2;text-align:left}h3{padding-top:0pt;color:#000000;font-size:8pt;padding-bottom:0pt;font-family:"Arial";line-height:1.5;page-break-after:avoid;orphans:2;widows:2;text-align:left}h4{padding-top:14pt;color:#666666;font-size:12pt;padding-bottom:4pt;font-family:"Arial";line-height:1.5;page-break-after:avoid;orphans:2;widows:2;text-align:left}h5{padding-top:12pt;color:#666666;font-size:11pt;padding-bottom:4pt;font-family:"Arial";line-height:1.5;page-break-after:avoid;orphans:2;widows:2;text-align:left}h6{padding-top:12pt;color:#666666;font-size:11pt;padding-bottom:4pt;font-family:"Arial";line-height:1.5;page-break-after:avoid;font-style:italic;orphans:2;widows:2;text-align:left}</style></head><body class="c14 doc-content"> By Mark Brand, Project Zero<h2 class="RwZZBLiumt-c23" id="h.mhon2p3h4smq">Background</h2> In 2018, in the <a class="RwZZBLiumt-c61" href="https://community.arm.com/arm-community-blogs/b/architectures-and-processors-blog/posts/arm-a-profile-architecture-2018-developments-armv85a">v8.5a version</a> of the ARM architecture, ARM proposed a hardware implementation of tagged memory, referred to as MTE (Memory Tagging Extensions). In <a class="RwZZBLiumt-c61" href="https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-1.html">Part 1</a> we discussed testing the technical (and implementation) limitations of MTE on the hardware that we've had access to. In <a class="RwZZBLiumt-c61" href="https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-2-mitigation.html">Part 2</a> we discussed the implications of this for mitigations built using MTE in various user-mode contexts. This post will now consider the implications of what we know on the effectiveness of MTE-based mitigations in the kernel context. To recap - there are two key classes of bypass techniques for memory-tagging based mitigations, and these are the following:<ol class="c19 lst-kix_46kwnuz47r-0 start" start="1"><li style="margin-left: 46pt;" class="c4 li-bullet-0">Known-tag-bypasses - In general, confidentiality of tag values is key to the effectiveness of memory-tagging as a mitigation. A breach of tag confidentiality allows the attacker to directly or indirectly ensure that their invalid memory accesses will be correctly tagged, and therefore not detectable.</li><li style="margin-left: 46pt;" class="c4 li-bullet-0">Unknown-tag-bypasses - Implementation limits might mean that there are opportunities for an attacker to still exploit a vulnerability despite performing memory accesses with incorrect tags that could be detected.</li></ol> There are two main modes for MTE enforcement: <ol class="c19 lst-kix_cp4qttrp12lb-0 start" start="1"><li style="margin-left: 46pt;" class="c4 li-bullet-0">Synchronous (sync-MTE) - tag check failures result in a hardware fault on instruction retirement. This means that the results of invalid reads and the effects of invalid writes should not be architecturally observable.</li><li style="margin-left: 46pt;" class="c4 li-bullet-0">Asynchronous (async-MTE) - tag check failures do not directly result in a fault. The results of invalid reads and the effects of invalid writes are architecturally observable, and the failure is delivered at some point after the faulting instruction in the form of a per-cpu flag. </li></ol> Since Spectre, it has been clear that using standard memory-tagging approaches as a "hard probabilistic mitigation"<a class="RwZZBLiumt-c6" href="#h.gafo0jvm2gnw">1</a> is not generally possible - in any context where an attacker can construct a speculative side-channel, known-tag-bypasses are a fundamental weakness that must be accounted for.<h2 class="RwZZBLiumt-c23" id="h.a463b3pclyoa">Kernel-specific problems</h2> There are a number of additional factors which make robust mitigation design using MTE more problematic in the kernel context. From a stability perspective, it might be considered problematic to enforce a panic on kernel-tag-check-failure detection - we believe that this would be essential for any mitigation based on async (or asymmetric) MTE modes. Here are some problems that we think will be difficult to address systematically: <ol class="c19 lst-kix_8lngbvh6wilc-0 start" start="1"><li style="margin-left: 46pt;" class="c4 li-bullet-0">Similar to the Chrome renderer scenario discussed in <a class="RwZZBLiumt-c61" href="https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-2-mitigation.html">Part 2</a>, we expect there to be continued problems in guaranteeing confidentiality of kernel memory in the presence of CPU speculative side-channels. This fundamentally limits the effectiveness of an MTE-based mitigation in the kernel against a local attacker, making known-tag-bypasses highly likely. </li><li style="margin-left: 46pt;" class="c4 li-bullet-0"><a class="RwZZBLiumt-c61" href="https://developer.arm.com/documentation/ddi0595/2021-06/AArch64-Registers/TCR-EL1--Translation-Control-Register--EL1-?lang=en#fieldset_0-58_58-1">TCR_ELx.TCMA1</a> is required in the current kernel implementation. This means that any pointer with the tag 0b1111 can be dereferenced without enforcing tag checks. This is necessary for various reasons - there are many places in the kernel where, for example, we need to produce a dereferenceable pointer from a physical address, or an offset in a struct page. This makes it possible for an attacker to reliably forge pointers to any address, which is a significant advantage during exploitation. </li><li style="margin-left: 46pt;" class="c4 li-bullet-0"> [ASYNC-only] Direct access to the Tag Fault Status Register TFSR_EL1 is likely necessary. If so, the kernel is capable of clearing the tag-check-failure flags for itself, this is a weakness that will likely form part of the simplest unknown-tag-bypass exploits. This weakness does not exist in user-space, as it is necessary to transition into kernel-mode to clear the tag-check-failure bits, and the transition into kernel-mode should detect the async tag-check-failure and dispatch an error appropriately. </li><li style="margin-left: 46pt;" class="c4 li-bullet-0">DMA - typically multiple devices on the system have DMA access to various areas of physical memory, and in the cases of complex devices such as GPUs or hardware accelerators, this includes dynamically mapping parts of normal user space or kernel space memory. This can pose multiple problems - any code that sets up device mappings is already critical to security, but this is also potentially of use to an attacker in constructing powerful primitives (after the "first invalid access"). </li><li style="margin-left: 46pt;" class="c4 li-bullet-0">DMA from non-MTE enabled cores on the system - we've already seen in-the-wild attackers start to use coprocessor vulnerabilities to <a class="RwZZBLiumt-c61" href="https://googleprojectzero.blogspot.com/2022/06/curious-case-carrier-app.html">bypass kernel mitigations</a>, and if those coprocessors have a lower level of general software mitigations in place we can expect to see this continue. This alone isn't a reason not to use MTE in kernels - it's just something that we should bear in mind, especially when considering the security implications of moving additional code to coprocessors.</li></ol> Additionally, there are problems that limit coverage (due to current implementation details in the linux kernel): <ol class="c19 lst-kix_8lngbvh6wilc-0" start="6"><li style="margin-left: 46pt;" class="c4 li-bullet-0">The kcmp syscall is problematic for confidentiality of kernel pointers, as it allows user-space to compare two struct file* pointers for equality. Other system calls have similar implementation details that allow user-space to leak information about equality of kernel pointers (<a class="RwZZBLiumt-c61" href="https://elixir.bootlin.com/linux/latest/source/fs/fuse/file.c#L377">fuse_lock_owner_id</a>). </li><li style="margin-left: 46pt;" class="c4 li-bullet-0">Similarly to the above issue, several kernel data structures use pointers as keys, which has also been used to leak information about kernel pointers to user-space. (See <a class="RwZZBLiumt-c61" href="https://googleprojectzero.blogspot.com/2021/10/how-simple-linux-kernel-memory.html">here</a>, search for epoll_fdinfo). This is an issue for user-space use of MTE as well, especially in the context of eg. a browser renderer process, but highlighting here that there are known instances of this pattern in the linux kernel that have already been used publicly.</li></ol> <ol class="c19 lst-kix_8lngbvh6wilc-0" start="8"><li style="margin-left: 46pt;" class="c4 li-bullet-0">TYPESAFE_BY_RCU regions require/allow use-after-free access by design, so allocations in these regions could not currently be protected by memory-tagging. (See <a class="RwZZBLiumt-c61" href="https://lore.kernel.org/linux-mm/CACT4Y+ZHoQ5ZPfsvaiQMXrrTxv9-LgP+v_o5Ah2gFBwqQjv-+g@mail.gmail.com/">this thread</a> for some discussion). </li><li style="margin-left: 46pt;" class="c4 li-bullet-0">In addition to skipping specific tag-check-failures (as per 3 in the list above), it may also be currently possible for an attacker to disable kasan using a single memory write. This would also be a single point of failure that would need to be avoided.</li></ol> <h3 class="RwZZBLiumt-c13 RwZZBLiumt-c30" id="h.gafo0jvm2gnw">[1] A hard mitigation that does not provide deterministic protection, but which can be universally bypassed by the attacker "winning" a probabilistic condition, in the case of MTE (with 4 tag bits available, likely with one value reserved) this would probably imply a 1/15 chance of success.</h3> <div style='clear: both;'></div> </div> <div class='post-footer'> <div class='post-footer-line post-footer-line-1'> Posted by <meta content='https://www.blogger.com/profile/08975904405228580347' itemprop='url'/> <a class='g-profile' href='https://www.blogger.com/profile/08975904405228580347' rel='author' title='author profile'> Google Project Zero </a> at <meta content='https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-3-kernel.html' itemprop='url'/> <a class='timestamp-link' href='https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-3-kernel.html' rel='bookmark' title='permanent link'><abbr class='published' itemprop='datePublished' title='2023-08-02T09:30:00-07:00'>9:30 AM</abbr></a> <a class='comment-link' href='https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-3-kernel.html#comment-form' onclick=''> No comments: </a> <a href='https://www.blogger.com/post-edit.g?blogID=4838136820032157985&postID=1284641313067735090&from=pencil' title='Edit Post'> <img alt='' class='icon-action' height='18' src='https://resources.blogblog.com/img/icon18_edit_allbkg.gif' width='18'/> </a> <div class='post-share-buttons goog-inline-block'> <a class='goog-inline-block share-button sb-email' href='https://www.blogger.com/share-post.g?blogID=4838136820032157985&postID=1284641313067735090&target=email' target='_blank' title='Email This'>Email This</a><a class='goog-inline-block share-button sb-blog' href='https://www.blogger.com/share-post.g?blogID=4838136820032157985&postID=1284641313067735090&target=blog' onclick='window.open(this.href, "_blank", "height=270,width=475"); return false;' target='_blank' title='BlogThis!'>BlogThis!</a><a class='goog-inline-block share-button sb-twitter' href='https://www.blogger.com/share-post.g?blogID=4838136820032157985&postID=1284641313067735090&target=twitter' target='_blank' title='Share to X'>Share to X</a><a class='goog-inline-block share-button sb-facebook' href='https://www.blogger.com/share-post.g?blogID=4838136820032157985&postID=1284641313067735090&target=facebook' onclick='window.open(this.href, "_blank", "height=430,width=640"); return false;' target='_blank' title='Share to Facebook'>Share to Facebook</a><a class='goog-inline-block share-button sb-pinterest' href='https://www.blogger.com/share-post.g?blogID=4838136820032157985&postID=1284641313067735090&target=pinterest' target='_blank' title='Share to Pinterest'>Share to Pinterest</a> </div> </div> <div class='post-footer-line post-footer-line-2'> </div> <div class='post-footer-line post-footer-line-3'> </div> </div> </div> </div> </div></div> </div> <div class='blog-pager' id='blog-pager'> <a class='blog-pager-newer-link' href='https://googleprojectzero.blogspot.com/search?updated-max=2023-10-13T03:47:00-07:00&max-results=1&reverse-paginate=true' id='Blog1_blog-pager-newer-link' title='Newer Posts'>Newer Posts</a> <a class='blog-pager-older-link' href='https://googleprojectzero.blogspot.com/search?updated-max=2023-08-02T09:30:00-07:00&max-results=1' id='Blog1_blog-pager-older-link' title='Older Posts'>Older Posts</a> <a class='home-link' href='https://googleprojectzero.blogspot.com/'>Home</a> </div> <div class='clear'></div> <div class='blog-feeds'> <div class='feed-links'> Subscribe to: <a class='feed-link' href='https://googleprojectzero.blogspot.com/feeds/posts/default' target='_blank' type='application/atom+xml'>Posts (Atom)</a> </div> </div> </div></div> </div> </div> <div class='column-left-outer'> <div class='column-left-inner'> <aside> </aside> </div> </div> <div class='column-right-outer'> <div class='column-right-inner'> <aside> <div class='sidebar section' id='sidebar-right-1'><div class='widget BlogSearch' data-version='1' id='BlogSearch1'> <h2 class='title'>Search This Blog</h2> <div class='widget-content'> <div id='BlogSearch1_form'> <form action='https://googleprojectzero.blogspot.com/search' class='gsc-search-box' target='_top'> <table cellpadding='0' cellspacing='0' class='gsc-search-box'> <tbody> <tr> <td class='gsc-input'> <input autocomplete='off' class='gsc-input' name='q' size='10' title='search' type='text' value=''/> </td> <td class='gsc-search-button'> <input class='gsc-search-button' title='search' type='submit' value='Search'/> </td> </tr> </tbody> </table> </form> </div> </div> <div class='clear'></div> </div><div class='widget PageList' data-version='1' id='PageList1'> <h2>Pages</h2> <div class='widget-content'> <ul> <li> <a href='https://googleprojectzero.blogspot.com/p/about-project-zero.html'>About Project Zero</a> </li> <li> <a href='https://googleprojectzero.blogspot.com/p/working-at-project-zero.html'>Working at Project Zero</a> </li> <li> <a href='https://googleprojectzero.blogspot.com/p/0day.html'>0day "In the Wild"</a> </li> <li> <a href='https://googleprojectzero.github.io/0days-in-the-wild/rca.html'>0day Exploit Root Cause Analyses</a> </li> <li> <a href='https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html'>Vulnerability Disclosure FAQ</a> </li> </ul> <div class='clear'></div> </div> </div><div class='widget BlogArchive' data-version='1' id='BlogArchive1'> <h2>Archives</h2> <div class='widget-content'> <div id='ArchiveList'> <div id='BlogArchive1_ArchiveList'> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2024/'> 2024 </a> (9) <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2024/11/'> November </a> (2) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2024/10/'> October </a> (2) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2024/06/'> June </a> (3) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2024/04/'> April </a> (2) </li> </ul> </li> </ul> <ul class='hierarchy'> <li class='archivedate expanded'> <a class='toggle' href='javascript:void(0)'> ▼  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2023/'> 2023 </a> (11) <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2023/11/'> November </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2023/10/'> October </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2023/09/'> September </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate expanded'> <a class='toggle' href='javascript:void(0)'> ▼  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2023/08/'> August </a> (4) <ul class='posts'> <li><a href='https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-1.html'>MTE As Implemented, Part 1: Implementation Testing</a></li> <li><a href='https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-3-kernel.html'>MTE As Implemented, Part 3: The Kernel</a></li> <li><a href='https://googleprojectzero.blogspot.com/2023/08/mte-as-implemented-part-2-mitigation.html'>MTE As Implemented, Part 2: Mitigation Case Studies</a></li> <li><a href='https://googleprojectzero.blogspot.com/2023/08/summary-mte-as-implemented.html'>Summary: MTE As Implemented</a></li> </ul> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2023/04/'> April </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2023/03/'> March </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2023/01/'> January </a> (2) </li> </ul> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2022/'> 2022 </a> (17) <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2022/12/'> December </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2022/11/'> November </a> (3) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2022/10/'> October </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2022/08/'> August </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2022/06/'> June </a> (3) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2022/05/'> May </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2022/04/'> April </a> (3) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2022/03/'> March </a> (2) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2022/02/'> February </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2022/01/'> January </a> (1) </li> </ul> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2021/'> 2021 </a> (24) <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2021/12/'> December </a> (2) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2021/10/'> October </a> (3) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2021/09/'> September </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2021/08/'> August </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2021/06/'> June </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2021/05/'> May </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2021/04/'> April </a> (3) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2021/03/'> March </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2021/02/'> February </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2021/01/'> January </a> (10) </li> </ul> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2020/'> 2020 </a> (36) <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2020/12/'> December </a> (2) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2020/11/'> November </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2020/10/'> October </a> (2) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2020/09/'> September </a> (4) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2020/08/'> August </a> (5) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2020/07/'> July </a> (8) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2020/06/'> June </a> (2) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2020/04/'> April </a> (3) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2020/02/'> February </a> (4) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2020/01/'> January </a> (5) </li> </ul> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2019/'> 2019 </a> (27) <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2019/12/'> December </a> (2) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2019/11/'> November </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2019/10/'> October </a> (2) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2019/09/'> September </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2019/08/'> August </a> (11) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2019/05/'> May </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2019/04/'> April </a> (3) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2019/03/'> March </a> (2) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2019/02/'> February </a> (2) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2019/01/'> January </a> (2) </li> </ul> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2018/'> 2018 </a> (22) <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2018/12/'> December </a> (7) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2018/11/'> November </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2018/10/'> October </a> (4) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2018/09/'> September </a> (2) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2018/08/'> August </a> (3) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2018/07/'> July </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2018/06/'> June </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2018/05/'> May </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2018/04/'> April </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2018/01/'> January </a> (1) </li> </ul> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2017/'> 2017 </a> (19) <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2017/12/'> December </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2017/10/'> October </a> (3) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2017/09/'> September </a> (2) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2017/08/'> August </a> (2) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2017/07/'> July </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2017/05/'> May </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2017/04/'> April </a> (6) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2017/03/'> March </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2017/02/'> February </a> (2) </li> </ul> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/'> 2016 </a> (17) <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/12/'> December </a> (2) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/11/'> November </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/10/'> October </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/09/'> September </a> (2) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/08/'> August </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/07/'> July </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/06/'> June </a> (3) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/03/'> March </a> (3) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/02/'> February </a> (2) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2016/01/'> January </a> (1) </li> </ul> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/'> 2015 </a> (33) <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/12/'> December </a> (2) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/11/'> November </a> (2) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/10/'> October </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/09/'> September </a> (4) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/08/'> August </a> (6) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/07/'> July </a> (5) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/06/'> June </a> (4) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/05/'> May </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/04/'> April </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/03/'> March </a> (2) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/02/'> February </a> (3) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2015/01/'> January </a> (2) </li> </ul> </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2014/'> 2014 </a> (11) <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2014/12/'> December </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2014/11/'> November </a> (2) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2014/10/'> October </a> (2) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2014/09/'> September </a> (1) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2014/08/'> August </a> (2) </li> </ul> <ul class='hierarchy'> <li class='archivedate collapsed'> <a class='toggle' href='javascript:void(0)'> ►  </a> <a class='post-count-link' href='https://googleprojectzero.blogspot.com/2014/07/'> July </a> (3) </li> </ul> </li> </ul> </div> </div> <script type='text/javascript'> //<![CDATA[ (function(){ let archive_list = document.getElementById('ArchiveList'); if (archive_list == null) return; let cur_year = archive_list.querySelector('.post-count-link').innerText.trim() - 0; let last_year = 2014; let elements = []; const MONTHS = ',Jan,Feb,Mar,Apr,May,Jun,Jul,Aug,Sep,Oct,Nov,Dec'.split(','); let parent = document.getElementById('ArchiveList'); while (parent.childNodes.length) parent.removeChild(parent.childNodes[0]); function fetch_next_year() { let url = 'https://googleprojectzero.blogspot.com/?action=getTitles&widgetId=BlogArchive1&widgetType=BlogArchive&responseType=js&path=https%3A%2F%2Fgoogleprojectzero.blogspot.com%2F'+cur_year; fetch(url).then(resp => { if (!resp.ok) { console.log('http error'); return; } resp.text().then(text => { let scope = { _WidgetManager: { _HandleControllerResult: (name, method, results) => { elements.push(document.createElement('hr')); let year_header = document.createElement('div'); year_header.appendChild(document.createTextNode(cur_year)); year_header.style.fontSize = 'large'; elements.push(year_header); let list = document.createElement('ul'); elements.push(list); for (let obj of results.posts) { let link_parts = obj.url.split('/'); let year = link_parts[3]; let month = link_parts[4]; let el = document.createElement(/*'div'*/'li'); el.style.listStyleType = 'square'; el.style.listStylePosition = 'inside'; let link = document.createElement('a'); el.appendChild(link); link.appendChild(document.createTextNode(obj.title)); link.href = obj.url; let date_trailer = document.createElement('span'); el.appendChild(date_trailer); //date_trailer.appendChild(document.createTextNode(' ('+year+'-'+month+')')); date_trailer.appendChild(document.createTextNode(' ('+MONTHS[parseInt(month, 10)]+')')); //date_trailer.style.textAlign = 'right'; //elements.push(el); list.appendChild(el); } } } }; with (scope) { eval(text); } if (cur_year == last_year) { finish(); } else { cur_year--; fetch_next_year(); } }); }); } fetch_next_year(); function finish() { for (let obj of elements) { parent.appendChild(obj); } console.log(elements); } })(); //]]> </script> <div class='clear'></div> </div> </div></div> <table border='0' cellpadding='0' cellspacing='0' class='section-columns columns-2'> <tbody> <tr> <td class='first columns-cell'> <div class='sidebar no-items section' id='sidebar-right-2-1'></div> </td> <td class='columns-cell'> <div class='sidebar no-items section' id='sidebar-right-2-2'></div> </td> </tr> </tbody> </table> <div class='sidebar no-items section' id='sidebar-right-3'></div> </aside> </div> </div> </div> <div style='clear: both'></div>  </div>  </div> </div> <div class='main-cap-bottom cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> <footer> <div class='footer-outer'> <div class='footer-cap-top cap-top'> <div class='cap-left'></div> <div class='cap-right'></div> </div> <div class='fauxborder-left footer-fauxborder-left'> <div class='fauxborder-right footer-fauxborder-right'></div> <div class='region-inner footer-inner'> <div class='foot no-items section' id='footer-1'></div> <table border='0' cellpadding='0' cellspacing='0' class='section-columns columns-2'> <tbody> <tr> <td class='first columns-cell'> <div class='foot no-items section' id='footer-2-1'></div> </td> <td class='columns-cell'> <div class='foot no-items section' id='footer-2-2'></div> </td> </tr> </tbody> </table>  <div class='foot section' id='footer-3' name='Footer'><div class='widget Attribution' data-version='1' id='Attribution1'> <div class='widget-content' style='text-align: center;'> Powered by <a href='https://www.blogger.com' target='_blank'>Blogger</a>. </div> <div class='clear'></div> </div></div> </div> </div> <div class='footer-cap-bottom cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> </footer>  </div> </div> <div class='content-cap-bottom cap-bottom'> <div class='cap-left'></div> <div class='cap-right'></div> </div> </div> </div> <script type='text/javascript'> window.setTimeout(function() { document.body.className = document.body.className.replace('loading', ''); }, 10); </script> <script type="text/javascript" src="https://www.blogger.com/static/v1/widgets/984859869-widgets.js"></script> <script type='text/javascript'> window['__wavt'] = 'AOuZoY6EYsrtz6W131JVnFhMioLo4si21g:1732526370880';_WidgetManager._Init('//www.blogger.com/rearrange?blogID\x3d4838136820032157985','//googleprojectzero.blogspot.com/2023/08/','4838136820032157985'); _WidgetManager._SetDataContext([{'name': 'blog', 'data': {'blogId': '4838136820032157985', 'title': 'Project Zero', 'url': 'https://googleprojectzero.blogspot.com/2023/08/', 'canonicalUrl': 'https://googleprojectzero.blogspot.com/2023/08/', 'homepageUrl': 'https://googleprojectzero.blogspot.com/', 'searchUrl': 'https://googleprojectzero.blogspot.com/search', 'canonicalHomepageUrl': 'https://googleprojectzero.blogspot.com/', 'blogspotFaviconUrl': 'https://googleprojectzero.blogspot.com/favicon.ico', 'bloggerUrl': 'https://www.blogger.com', 'hasCustomDomain': false, 'httpsEnabled': true, 'enabledCommentProfileImages': true, 'gPlusViewType': 'FILTERED_POSTMOD', 'adultContent': false, 'analyticsAccountNumber': 'UA-240546891-1', 'encoding': 'UTF-8', 'locale': 'en', 'localeUnderscoreDelimited': 'en', 'languageDirection': 'ltr', 'isPrivate': false, 'isMobile': false, 'isMobileRequest': false, 'mobileClass': '', 'isPrivateBlog': false, 'isDynamicViewsAvailable': true, 'feedLinks': '\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Project Zero - Atom\x22 href\x3d\x22https://googleprojectzero.blogspot.com/feeds/posts/default\x22 /\x3e\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/rss+xml\x22 title\x3d\x22Project Zero - RSS\x22 href\x3d\x22https://googleprojectzero.blogspot.com/feeds/posts/default?alt\x3drss\x22 /\x3e\n\x3clink rel\x3d\x22service.post\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Project Zero - Atom\x22 href\x3d\x22https://www.blogger.com/feeds/4838136820032157985/posts/default\x22 /\x3e\n', 'meTag': '', 'adsenseHostId': 'ca-host-pub-1556223355139109', 'adsenseHasAds': false, 'adsenseAutoAds': false, 'boqCommentIframeForm': true, 'loginRedirectParam': '', 'view': '', 'dynamicViewsCommentsSrc': '//www.blogblog.com/dynamicviews/4224c15c4e7c9321/js/comments.js', 'dynamicViewsScriptSrc': '//www.blogblog.com/dynamicviews/da8f33dd880cc4f1', 'plusOneApiSrc': 'https://apis.google.com/js/platform.js', 'disableGComments': true, 'interstitialAccepted': false, 'sharing': {'platforms': [{'name': 'Get link', 'key': 'link', 'shareMessage': 'Get link', 'target': ''}, {'name': 'Facebook', 'key': 'facebook', 'shareMessage': 'Share to Facebook', 'target': 'facebook'}, {'name': 'BlogThis!', 'key': 'blogThis', 'shareMessage': 'BlogThis!', 'target': 'blog'}, {'name': 'X', 'key': 'twitter', 'shareMessage': 'Share to X', 'target': 'twitter'}, {'name': 'Pinterest', 'key': 'pinterest', 'shareMessage': 'Share to Pinterest', 'target': 'pinterest'}, {'name': 'Email', 'key': 'email', 'shareMessage': 'Email', 'target': 'email'}], 'disableGooglePlus': true, 'googlePlusShareButtonWidth': 0, 'googlePlusBootstrap': '\x3cscript type\x3d\x22text/javascript\x22\x3ewindow.___gcfg \x3d {\x27lang\x27: \x27en\x27};\x3c/script\x3e'}, 'hasCustomJumpLinkMessage': false, 'jumpLinkMessage': 'Read more', 'pageType': 'archive', 'pageName': 'August 2023', 'pageTitle': 'Project Zero: August 2023'}}, {'name': 'features', 'data': {}}, {'name': 'messages', 'data': {'edit': 'Edit', 'linkCopiedToClipboard': 'Link copied to clipboard!', 'ok': 'Ok', 'postLink': 'Post Link'}}, {'name': 'template', 'data': {'name': 'custom', 'localizedName': 'Custom', 'isResponsive': false, 'isAlternateRendering': false, 'isCustom': true}}, {'name': 'view', 'data': {'classic': {'name': 'classic', 'url': '?view\x3dclassic'}, 'flipcard': {'name': 'flipcard', 'url': '?view\x3dflipcard'}, 'magazine': {'name': 'magazine', 'url': '?view\x3dmagazine'}, 'mosaic': {'name': 'mosaic', 'url': '?view\x3dmosaic'}, 'sidebar': {'name': 'sidebar', 'url': '?view\x3dsidebar'}, 'snapshot': {'name': 'snapshot', 'url': '?view\x3dsnapshot'}, 'timeslide': {'name': 'timeslide', 'url': '?view\x3dtimeslide'}, 'isMobile': false, 'title': 'Project Zero', 'description': 'News and updates from the Project Zero team at Google', 'url': 'https://googleprojectzero.blogspot.com/2023/08/', 'type': 'feed', 'isSingleItem': false, 'isMultipleItems': true, 'isError': false, 'isPage': false, 'isPost': false, 'isHomepage': false, 'isArchive': true, 'isLabelSearch': false, 'archive': {'year': 2023, 'month': 8, 'rangeMessage': 'Showing posts from August, 2023'}}}]); _WidgetManager._RegisterWidget('_NavbarView', new _WidgetInfo('Navbar1', 'navbar', document.getElementById('Navbar1'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_HeaderView', new _WidgetInfo('Header1', 'header', document.getElementById('Header1'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_BlogView', new _WidgetInfo('Blog1', 'main', document.getElementById('Blog1'), {'cmtInteractionsEnabled': false, 'lightboxEnabled': true, 'lightboxModuleUrl': 'https://www.blogger.com/static/v1/jsbin/2646514562-lbx.js', 'lightboxCssUrl': 'https://www.blogger.com/static/v1/v-css/1964470060-lightbox_bundle.css'}, 'displayModeFull')); _WidgetManager._RegisterWidget('_BlogSearchView', new _WidgetInfo('BlogSearch1', 'sidebar-right-1', document.getElementById('BlogSearch1'), {}, 'displayModeFull')); _WidgetManager._RegisterWidget('_PageListView', new _WidgetInfo('PageList1', 'sidebar-right-1', document.getElementById('PageList1'), {'title': 'Pages', 'links': [{'isCurrentPage': false, 'href': 'https://googleprojectzero.blogspot.com/p/about-project-zero.html', 'id': '4384467920505278144', 'title': 'About Project Zero'}, {'isCurrentPage': false, 'href': 'https://googleprojectzero.blogspot.com/p/working-at-project-zero.html', 'id': '2459334498880008057', 'title': 'Working at Project Zero'}, {'isCurrentPage': false, 'href': 'https://googleprojectzero.blogspot.com/p/0day.html', 'id': '3414239791814532209', 'title': '0day \x22In the Wild\x22'}, {'isCurrentPage': false, 'href': 'https://googleprojectzero.github.io/0days-in-the-wild/rca.html', 'title': '0day Exploit Root Cause Analyses'}, {'isCurrentPage': false, 'href': 'https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html', 'id': '2935252455704572784', 'title': 'Vulnerability Disclosure FAQ'}], 'mobile': false, 'showPlaceholder': true, 'hasCurrentPage': false}, 'displayModeFull')); _WidgetManager._RegisterWidget('_BlogArchiveView', new _WidgetInfo('BlogArchive1', 'sidebar-right-1', document.getElementById('BlogArchive1'), {'languageDirection': 'ltr', 'loadingMessage': 'Loading\x26hellip;'}, 'displayModeFull')); _WidgetManager._RegisterWidget('_AttributionView', new _WidgetInfo('Attribution1', 'footer-3', document.getElementById('Attribution1'), {}, 'displayModeFull')); </script> </body> </html>