Arm A-Profile Architecture Developments 2018: Armv8.5-A

Working with its architecture licensees and ecosystem partners, Arm continues to evolve its architecture, developing new functionality to meet the needs of both new and existing markets.

This blog discusses some of the key additions to the A-Profile architecture in 2018, known collectively as Armv8.5-A.

Full Instruction Set and System Register information is available via our technical webpages. The complete Arm Architecture Reference Manual (ArmARM), documenting Armv8.5-A and earlier functionality, is due for release before the end of Q1 2019. Details for previous updates to the A-Profile architecture are available here: Armv8.1-A, Armv8.2-A, Armv8.3-A, and Armv8.4-A.

In discussing these developments now, we aim to work with relevant open source projects, to ensure the necessary architecture support is available, ready for the release of the new hardware.

Security: Vulnerability Detection

The discovery of Spectre and Meltdown has dominated the security narrative for the past 12 months. However, these are not the only security challenges we face today, and Arm has been working with its partners on developing hardware tools to improve software resilience to attacks.

Many of the most common software vulnerabilities are caused by buffer overruns and use-after-free coding errors. A buffer overrun occurs when a program tries to access memory beyond its intended range. A use-after-free error occurs when a program accesses memory after it has freed it for reuse. Often, these errors are situation-dependent, requiring specific circumstances in order to occur. Famously, the Morris worm in 1988 was the first documented use of a buffer overrun for malicious purposes. Thirty years later, we are still facing the same software issues.

Memory Tagging

Armv8.5-A incorporates a new feature called Memory Tagging. When Memory Tagging is in use, a tag is assigned to each memory allocation. All accesses to memory must be made via a pointer with the correct tag. Use of an incorrect tag is noted and the operating system can choose to report it to the user immediately, or to note the process in which it occurred, for later investigation.

For instance, in the diagram below, the access to the memory at 0x8000 will work because the pointer used to make the access has the same tag (represented by a color) as the memory being accessed. However, the access to 0x9000 will fail, because the pointer has a different tag from the memory.

MTE Example Diagram
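
The tag check in the diagram, as a small software model. This is an added example, not Arm's code: the function names, the tag values and the region sizes are assumptions, and the 16-byte granule and the 4-bit tag carried in pointer bits [59:56] are properties of the hardware feature that the model imitates.

```c
#include <stdint.h>
#include <stdio.h>

/* Software model only: the hardware keeps one 4-bit tag per 16-byte
   granule and carries the pointer's tag in address bits [59:56]. */
#define GRANULE   16u
#define HEAP_BASE 0x8000u              /* address used in the text above */
#define HEAP_SIZE 0x2000u              /* covers 0x8000 and 0x9000 */

static uint8_t granule_tag[HEAP_SIZE / GRANULE];   /* tag of each granule */

/* Place a 4-bit tag in bits [59:56] of a pointer value. */
static uint64_t with_tag(uint64_t addr, uint8_t tag) {
    return (addr & ~(0xFULL << 56)) | ((uint64_t)(tag & 0xF) << 56);
}

/* Colour every granule of [addr, addr+len) and return the tagged pointer. */
uint64_t tag_region(uint64_t addr, uint64_t len, uint8_t tag) {
    for (uint64_t a = addr; a < addr + len; a += GRANULE)
        granule_tag[(a - HEAP_BASE) / GRANULE] = tag & 0xF;
    return with_tag(addr, tag);
}

/* The check made on every access: 1 = tags match, 0 = tag mismatch. */
int access_ok(uint64_t ptr) {
    uint64_t addr = ptr & ~(0xFFULL << 56);        /* strip the top byte */
    if (addr < HEAP_BASE || addr >= HEAP_BASE + HEAP_SIZE) return 0;
    return granule_tag[(addr - HEAP_BASE) / GRANULE] == ((ptr >> 56) & 0xF);
}

int main(void) {
    uint64_t p = tag_region(0x8000, 0x1000, 0x3);  /* allocation A */
    tag_region(0x9000, 0x1000, 0x5);               /* neighbouring allocation B */
    printf("in bounds, 0x8040   : %d\n", access_ok(p + 0x40));
    printf("overrun into 0x9000 : %d\n", access_ok(p + 0x1000));
    tag_region(0x8000, 0x1000, 0x9);               /* free(A): memory is retagged */
    printf("use after free      : %d\n", access_ok(p));
    return 0;
}
```

With only 16 tag values, a stale or out-of-range pointer is caught only when its tag differs from the memory's current tag, which is why the model gives neighbouring and recycled regions different tags.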

Memory Tagging can be used in a number of scenarios. During development, it can be used to detect memory errors in the test environment. Following deployment of an application, it can be used to detect issues in the field, and to provide feedback to the developer. Once feedback has been received, vulnerabilities can be analyzed and addressed before they are exploited by an attacker.

Security: Limiting Exploits

Once an attacker has found a vulnerability to exploit, their next aim is to execute code to gain control of the machine they have accessed. Techniques used include Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP) attacks. These techniques find small sections (called gadgets) of vulnerable programs that chain together to run the code the attacker wants. These methods work because the architecture puts no restrictions on where code can branch to, or on where a branch may have come from. This enables attackers to use small snippets of functions, which do what they want.

In Armv8.3-A, we introduced the Pointer Authentication feature, which can be used to ensure functions return to the location expected by the program.

In Armv8.5-A, we introduce Branch Target Indicators (BTI). Systems supporting BTI can enforce that indirect branches only go to code locations where the instruction is one of a small acceptable list. This reduces the ability of an attacker to execute arbitrary code.

These two features work together to significantly reduce the number of gadgets available to an attacker. The gadgets that remain available are large in size, making it much harder for an attacker to make a viable exploit, even if they find a vulnerability that lets them gain access to a machine.
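
A model of the landing-pad check, showing how few instructions in a function remain valid indirect-branch targets. This is an added example, not Arm's code: the instruction encodings and the compatibility rules come from the A64 instruction set rather than from this blog, and the function names, the pac_jump_ok parameter and the sample code words are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* How control arrived, as the hardware records it (PSTATE.BTYPE). */
enum btype { BT_NONE, BT_BR_X16_X17, BT_BLR, BT_BR_OTHER };

#define BTI_C   0xD503245Fu   /* landing pad for calls */
#define BTI_J   0xD503249Fu   /* landing pad for jumps */
#define BTI_JC  0xD50324DFu   /* landing pad for both */
#define PACIASP 0xD503233Fu   /* Armv8.3-A function prologues also count */
#define PACIBSP 0xD503237Fu

/* 1 if an instruction in a guarded page accepts this kind of arrival.
   pac_jump_ok (hypothetical name) stands in for the system control that
   decides whether BR may land on PACIxSP. BRK/HLT, which trap on their
   own, are left out of the model. */
int target_ok(uint32_t insn, enum btype bt, int pac_jump_ok) {
    if (bt == BT_NONE) return 1;            /* direct branch or fall-through */
    switch (insn) {
    case BTI_JC:  return 1;
    case BTI_C:   return bt != BT_BR_OTHER;
    case BTI_J:   return bt != BT_BLR;
    case PACIASP:
    case PACIBSP: return bt != BT_BR_OTHER || pac_jump_ok;
    default:      return 0;                 /* any ordinary instruction */
    }
}

/* Count the words of a code region that accept arrival kind bt. */
size_t count_targets(const uint32_t *code, size_t n, enum btype bt) {
    size_t ok = 0;
    for (size_t i = 0; i < n; i++) ok += (size_t)target_ok(code[i], bt, 0);
    return ok;
}

/* Constructed sample: two small functions, f and g. */
static const uint32_t sample[] = {
    0xD503245F, 0x11000400, 0xD65F03C0,     /* f: bti c; add w0,w0,#1; ret */
    0xD503233F, 0xA9BF7BFD, 0xA8C17BFD,     /* g: paciasp; stp; ldp */
    0xD50323BF, 0xD65F03C0,                 /*    autiasp; ret */
};
#define SAMPLE_LEN (sizeof sample / sizeof sample[0])

int main(void) {
    printf("BLR targets: %zu of %zu\n", count_targets(sample, SAMPLE_LEN, BT_BLR), SAMPLE_LEN);
    printf("BR  targets: %zu of %zu\n", count_targets(sample, SAMPLE_LEN, BT_BR_OTHER), SAMPLE_LEN);
    return 0;
}
```

In the sample, only the two function entry points accept an indirect call, and none of the eight words accepts an arbitrary indirect jump.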

Other Functionality

Armv8.5-A also contains other small features, including:

  • Cache Clean to Point of Deep Persistence – to support emerging standards in the Persistent Memory space.
  • Finer grained traps for virtualization – to improve performance of virtual machines.
  • Support for Debug over Power Down – to enable external debugging of a machine across a power reset.
  • Random Number instructions – providing Deterministic and True Random Numbers conforming to various National and International Standards.

Summary

This blog provides a brief introduction to the latest features included in the Armv8-A architecture as Armv8.5-A. More detailed information can be found on our Developer website. The next step will be working with our ecosystem partners, including Linaro, to ensure that open source software is enabled to make use of this functionality as soon as the hardware becomes available. Further details will be presented at Linaro Connect in Vancouver, 17-21 September 2018.
