Hello, I am a student of Master’s Degree in Embedded Computing Systems offered by Sant’Anna School of Advanced Studies and the University of Pisa. I am carrying out a cyber security thesis project focusing in particular on Pointer Authentication of ARM. I have some questions:

1) Why do you need the XPAC* instruction? Isn't it a problem for security in case of an attack? If so, is it possible to trap only the use of this instruction for a certain exception level?
2) When an authentication fails, a translation fault occurs. Is it possible to know, from the values of registers, that this is caused by a failed authentication and not by another reason?
3) What types of attacks can PAC block and which ones can it not?
4) Which ARM processors implement PAC?
Giulia Ferri said: 1) Why do you need the XPAC* instruction? Isn't it a problem for security in case of an attack? If so, is it possible to trap only the use of this instruction for a certain exception level?
Computer attacks are becoming more sophisticated. Examples of this are exploit mechanisms such as the use of gadgets in Return-Orientated-Programming (ROP) and Jump-Orientated-Programming (JOP). To mitigate against such exploits, Armv8.3-A introduces a feature that authenticates the contents of a register before it is used as the address for an indirect branch or data reference.

HCR_EL2, SCR_EL3 System register controls that trap accesses to Pointer authentication functionality: Traps to EL2/3 any use of an enabled Pointer authentication instruction.
Giulia Ferri said: 2) When an authentication fails, a translation fault occurs. Is it possible to know, from the values of registers, that this is caused by a failed authentication and not by another reason?
New instructions are added which can be used to:
* Insert a PAC into a pointer
* Strip a PAC from a pointer
* Authenticate and strip a PAC from a pointer

If authentication succeeds, the code is removed, yielding the original pointer. If authentication fails, bits are set in the pointer such that it is guaranteed to cause a fault if used.
Giulia Ferri said: 3) What types of attacks can PAC block and which ones can it not?
Return-Orientated-Programming (ROP) and Jump-Orientated-Programming (JOP)
Giulia Ferri said: 4) Which ARM processors implement PAC?
Arm processors which support ARMv8.3-PAuth (Pointer Authentication). Currently there is no processor that supports ARMv8.3-PAuth.
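
A simplified software model of the three operations listed in the reply above (insert, strip, authenticate and strip), added here as an example; it is not code from the thread or from Arm. It assumes a 48-bit virtual address with top-byte-ignore so that the PAC occupies bits 54:48, uses a stand-in mixing function in place of the hardware algorithm, marks a failed authentication with 0b01 in bits 54:53 as this model's choice, and all function names and sample values are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Model assumptions: 48-bit VA, top-byte-ignore on, so the PAC is bits 54:48. */
#define PAC_MASK 0x007F000000000000ULL
#define SEL_BIT  (1ULL << 55)          /* selects the lower or upper VA range */

/* Stand-in keyed mixer (splitmix64 finaliser), NOT the hardware algorithm. */
static uint64_t toy_mac(uint64_t ptr, uint64_t mod, uint64_t key) {
    uint64_t x = ptr ^ (mod * 0x9E3779B97F4A7C15ULL) ^ key;
    x ^= x >> 30; x *= 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 27; x *= 0x94D049BB133111EBULL;
    return x ^ (x >> 31);
}

/* Strip (XPAC*): rebuild the extension bits from bit 55. No key is involved,
   so the result is usable as an address but proves nothing about its origin. */
uint64_t pac_strip(uint64_t p) {
    return (p & SEL_BIT) ? (p | PAC_MASK) : (p & ~PAC_MASK);
}

int is_canonical(uint64_t p) { return pac_strip(p) == p; }

/* Insert (PAC*): put a truncated MAC over (pointer, modifier) in the field. */
uint64_t pac_sign(uint64_t p, uint64_t mod, uint64_t key) {
    uint64_t canon = pac_strip(p);
    return (canon & ~PAC_MASK) | (toy_mac(canon, mod, key) & PAC_MASK);
}

/* Authenticate (AUT*): on a match return the original pointer; otherwise write
   0b01 into bits 54:53 so the extension bits disagree and any use faults. */
uint64_t pac_auth(uint64_t p, uint64_t mod, uint64_t key) {
    uint64_t canon = pac_strip(p);
    if (pac_sign(canon, mod, key) == p)
        return canon;
    return (canon & ~(3ULL << 53)) | (1ULL << 53);
}

int main(void) {
    uint64_t key = 0x0123456789ABCDEFULL;      /* constructed sample values */
    uint64_t ret = 0x0000AAAABBBBCCC0ULL, sp = 0x00007FFFFFFFE000ULL;
    uint64_t s = pac_sign(ret, sp, key), bad = pac_auth(s, sp + 16, key);
    printf("signed        %016llx\n", (unsigned long long)s);
    printf("auth ok       %016llx\n", (unsigned long long)pac_auth(s, sp, key));
    printf("auth wrong sp %016llx canonical=%d\n", (unsigned long long)bad, is_canonical(bad));
    printf("stripped      %016llx\n", (unsigned long long)pac_strip(s));
    return 0;
}
```

With a 7-bit field a wrong modifier still matches by chance about once in 128 tries in this model, which is why the check below counts rejections over many modifiers instead of asserting on a single one.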