{"id":56343,"date":"2024-06-18T01:11:09","date_gmt":"2024-06-18T01:11:09","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\/"},"modified":"2024-06-18T01:11:09","modified_gmt":"2024-06-18T01:11:09","slug":"arm-security-defense-shattered-by-speculative-execution-95-of-the-time","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\/","title":{"rendered":"Arm security defense shattered by speculative execution 95% of the time"},"content":{"rendered":"<p>In 2018, chip designer Arm introduced a hardware security feature called Memory Tagging Extensions (MTE) as a defense against memory safety bugs. But it may not be as effective as first hoped.<\/p>\n<p>Implemented and supported last year in Google&#8217;s Pixel 8 and Pixel 8 Pro phones and previously <a href=\"https:\/\/docs.kernel.org\/next\/arch\/arm64\/memory-tagging-extension.html\">in Linux<\/a>, MTE aims to help detect memory safety violations, as well as hardening devices against attacks that attempt to exploit memory safety flaws.<\/p>\n<p><a href=\"https:\/\/www.memorysafety.org\/docs\/memory-safety\/\">Memory safety bugs<\/a> are said to be <a href=\"https:\/\/www.theregister.com\/2024\/03\/31\/rust_google_c\/\">responsible<\/a> for the majority of security vulnerabilities in large codebases. And for the past few years, there&#8217;s been a concerted effort in the public and private sector to reduce such flaws by promoting memory safe programming languages, software-based code hardening techniques, and hardware-specific options like SPARC ADI and Arm MTE.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"condor\" data-xsm=\",fluid,mpu,\" data-sm=\",fluid,mpu,\" data-md=\",fluid,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZnEJMK9vFbsVuz5NPU5PtAAAANU&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZnEJMK9vFbsVuz5NPU5PtAAAANU&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>MTE works by tagging 16-byte blocks of physical memory with four bits of metadata. This metadata serves as a key that permits access. When a pointer references data within a tagged block of memory, the hardware checks to make sure the pointer contains a key matching that of the memory block to gain access to the data. A mismatch throws out an error.<\/p>\n<h3 class=\"crosshead\">Tag, you&#8217;re IT<\/h3>\n<p>Diving deeper, this is how MTE basically works. When MTE is active, programs can use <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/en.wikichip.org\/wiki\/arm\/mte\">special instructions<\/a> to tag 16-byte blocks of memory with a 4-bit key. For example, when allocating a chunk of memory from the heap, that chunk (aligned and rounded to 16 bytes) can be tagged with the same 4-bit key, and a pointer to that chunk is generated containing the key in its upper unused bits.<\/p>\n<p>When the program uses that pointer in future, referencing some part of the block, everything works fine. The pointer still contains the correct key. But if the block is freed and its key is changed, subsequent use of that stale pointer will trigger a fault, due to a mismatching key, which indicates a programming bug or a vulnerability exploit attempt, both of which you want to catch.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"falcon\" data-xmd=\",fluid,mpu,leaderboard,\" data-lg=\",fluid,mpu,leaderboard,\" data-xlg=\",fluid,billboard,superleaderboard,mpu,leaderboard,\" data-xxlg=\",fluid,billboard,superleaderboard,brandwidth,brandimpact,leaderboard,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44ZnEJMK9vFbsVuz5NPU5PtAAAANU&amp;t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44ZnEJMK9vFbsVuz5NPU5PtAAAANU&amp;t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<div class=\"adun_eagle_desktop_story_wrapper\">\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"mid\" data-raptor=\"eagle\" data-xxlg=\",mpu,dmpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33ZnEJMK9vFbsVuz5NPU5PtAAAANU&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33ZnEJMK9vFbsVuz5NPU5PtAAAANU&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<\/p><\/div>\n<p>And if the program is hijacked via some other vulnerability, and the code is made to reference a tagged block without the right key in the pointer, that will also be caught.<\/p>\n<p>Thus MTE can defend against attempts to exploit common C\/C++-style memory bugs, such as buffer overflows, heap-use-after-free, and stack-use-after-return, which can lead to software and systems being hijacked and compromised, and also help developers catch those bugs during testing. Or so Arm hopes.<\/p>\n<h3 class=\"crosshead\">Leaks<\/h3>\n<p>Unfortunately, MTE appears to be insufficiently secure to fulfill its security promises. Researchers affiliated with Seoul National University in South Korea, Samsung Research, and Georgia Institute of Technology in the US have found that they can break MTE through speculative execution.<\/p>\n<p>The authors \u2013 Juhee Kim, Jinbum Park, Sihyeon Roh, Jaeyoung Chung, Youngjoo Lee, Taesoo Kim, and Byoungyoung Lee \u2013 say as much in their <a href=\"https:\/\/arxiv.org\/abs\/2406.08719\">research paper<\/a>, &#8220;TikTag: Breaking Arm&#8217;s Memory Tagging Extension with Speculative Execution.&#8221;<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"falcon\" data-xsm=\",fluid,mpu,\" data-sm=\",fluid,mpu,\" data-md=\",fluid,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44ZnEJMK9vFbsVuz5NPU5PtAAAANU&amp;t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44ZnEJMK9vFbsVuz5NPU5PtAAAANU&amp;t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>Having looked at MTE to assess whether it provides the claimed security benefit, the boffins say it does not. Instead, they found they could extract MTE tags in under four seconds around 95 per cent of the time.<\/p>\n<p>&#8220;[W]e found that speculative execution attacks are indeed possible against MTE, which severely harms the security assurance of MTE,&#8221; the authors report. &#8220;We discovered two new gadgets, named TIKTAG-v1 and TIKTAG-v2, which can leak the MTE tag of an arbitrary memory address.&#8221;<\/p>\n<p>This doesn&#8217;t blow the security of applications on Arm wide open; it means that MTE can be bypassed in the right conditions.<\/p>\n<h3 class=\"crosshead\">Security speculations<\/h3>\n<p><a href=\"https:\/\/www.intel.com\/content\/www\/us\/en\/developer\/articles\/technical\/software-security-guidance\/best-practices\/refined-speculative-execution-terminology.html\">Speculative execution<\/a> refers to the practice of performing certain operations on modern processors before they&#8217;re needed and either using the results, if required by the program&#8217;s path, or tossing them, if the program takes a different path. Doing so tends to make application execution faster, though it adds a significant security risk, exemplified by the Meltdown and Spectre bugs that <a href=\"https:\/\/www.theregister.com\/2018\/01\/04\/intel_amd_arm_cpu_vulnerability\/\">surfaced in 2018<\/a> and have plagued makers of hardware and software ever since.<\/p>\n<p>By using gadgets \u2013 machine instruction patterns in memory \u2013 the scientists found they could observe memory access patterns to determine the MTE tag of a given memory address. The root causes, they say, have to do with the way tag check results influence CPU data prefetching and the way the CPU core prevents store-and-load forwarding when there&#8217;s a tag check fault.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" id=\"story_eagle_xsm_sm_md_xmd_lg_xlg\" data-pos=\"mid\" data-raptor=\"eagle\" data-xsm=\",mpu,dmpu,\" data-sm=\",mpu,dmpu,\" data-md=\",mpu,dmpu,\" data-xmd=\",mpu,dmpu,\" data-lg=\",mpu,dmpu,\" data-xlg=\",mpu,dmpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33ZnEJMK9vFbsVuz5NPU5PtAAAANU&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33ZnEJMK9vFbsVuz5NPU5PtAAAANU&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>The authors say that their research expands <a href=\"https:\/\/www.vusec.net\/projects\/stickytags\/\">on prior work<\/a> from May 2024 that found MTE vulnerable to speculative probing. What&#8217;s more, they contend their findings challenge work by Google&#8217;s Project Zero that <a href=\"https:\/\/googleprojectzero.blogspot.com\/2023\/08\/mte-as-implemented-part-1.html\">found no side-channel attack<\/a> capable of breaking MTE.<\/p>\n<p>Using proof-of-concept code, MTE tags were ferreted out of Google Chrome on Android and the Linux kernel using this technique, with a success rate that exceeded 95 percent in less than four seconds, it&#8217;s claimed.<\/p>\n<p>The authors have made their code available <a href=\"https:\/\/github.com\/compsec-snu\/tiktag\">on GitHub<\/a>. &#8220;When TikTag gadgets are speculatively executed, cache state differs depending on whether the gadgets trigger a tag check fault or not,&#8221; the code repo explains. &#8220;Therefore, by observing the cache states, it is possible to leak the tag check results without raising any exceptions.&#8221;<\/p>\n<p>Access to leaked tags doesn&#8217;t ensure exploitation. It simply means that an attacker capable of exploiting a particular memory bug on an affected device wouldn&#8217;t be thwarted by MTE.<\/p>\n<p>The researchers disclosed their findings to Arm, which acknowledged them in <a href=\"https:\/\/developer.arm.com\/documentation\/109544\/latest\">a developer note<\/a> published in December 2023. The chip design firm said that timing differences in successful and failed tag checking can be enough to create an MTE speculative oracle \u2013 a mechanism to reveal MTE tags \u2013 in Cortex-X2, Cortex-X3, Cortex-A510, Cortex-A520, Cortex-A710, Cortex-A715, and Cortex-A720 processors.<\/p>\n<p>However, Arm argues that the risk does not undermine the value of MTE, even as it urges the implementation of mechanisms to prevent speculative oracles. Mitigations that place speculation barriers and limit gadget construction could be implemented in Chromium and Linux kernel code, the authors suggest.<\/p>\n<p>Google&#8217;s Chrome team, the researchers say, acknowledged the issue but declined to fix it in Chrome&#8217;s V8 engine because it &#8220;is not intended to guarantee the confidentiality of memory data and MTE tags.&#8221; The authors observe that they somewhat agree since Chrome does not implement MTE by default, though they still would like to see their suggested mitigations deployed.<\/p>\n<p>When the authors reported their work on MTE oracles in Pixel 8 devices to the Android Security Team in April 2024, they say the team acknowledged the issue, addressed it, and awarded a bug bounty.<\/p>\n<p>Arm and Google did not immediately respond to requests for comment. \u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2024\/06\/18\/arm_memory_tag_extensions_leak\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8216;TikTag&#8217; security folks find anti-exploit mechanism rather fragile In 2018, chip designer Arm introduced a hardware security feature called Memory Tagging Extensions (MTE) as a defense against memory safety bugs. But it may not be as effective as first hoped.\u2026 READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-56343","post","type-post","status-publish","format-standard","hentry","category-the-register"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Arm security defense shattered by speculative execution 95% of the time 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Arm security defense shattered by speculative execution 95% of the time 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-06-18T01:11:09+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZnEJMK9vFbsVuz5NPU5PtAAAANU&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Arm security defense shattered by speculative execution 95% of the time\",\"datePublished\":\"2024-06-18T01:11:09+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\\\/\"},\"wordCount\":1105,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZnEJMK9vFbsVuz5NPU5PtAAAANU&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"articleSection\":[\"The Register\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\\\/\",\"name\":\"Arm security defense shattered by speculative execution 95% of the time 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZnEJMK9vFbsVuz5NPU5PtAAAANU&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"datePublished\":\"2024-06-18T01:11:09+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\\\/#primaryimage\",\"url\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZnEJMK9vFbsVuz5NPU5PtAAAANU&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"contentUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZnEJMK9vFbsVuz5NPU5PtAAAANU&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Arm security defense shattered by speculative execution 95% of the time\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Arm security defense shattered by speculative execution 95% of the time 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\/","og_locale":"en_US","og_type":"article","og_title":"Arm security defense shattered by speculative execution 95% of the time 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-06-18T01:11:09+00:00","og_image":[{"url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZnEJMK9vFbsVuz5NPU5PtAAAANU&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Arm security defense shattered by speculative execution 95% of the time","datePublished":"2024-06-18T01:11:09+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\/"},"wordCount":1105,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZnEJMK9vFbsVuz5NPU5PtAAAANU&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","articleSection":["The Register"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\/","url":"https:\/\/www.threatshub.org\/blog\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\/","name":"Arm security defense shattered by speculative execution 95% of the time 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZnEJMK9vFbsVuz5NPU5PtAAAANU&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","datePublished":"2024-06-18T01:11:09+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\/#primaryimage","url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZnEJMK9vFbsVuz5NPU5PtAAAANU&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","contentUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2ZnEJMK9vFbsVuz5NPU5PtAAAANU&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/arm-security-defense-shattered-by-speculative-execution-95-of-the-time\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Arm security defense shattered by speculative execution 95% of the time"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/56343","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=56343"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/56343\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=56343"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=56343"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=56343"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}