• State Accepted Answer
  • Locked Locked
  • Replies 4 replies
  • Subscribers 22 subscribers
  • Views 16692 views
  • Users 0 members are here
Options
Related
How was your experience today?
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Pointer Authentication of ARM

Giulia Ferri

Hello,
I am a student of Master’s Degree in Embedded Computing Systems offered by Sant’Anna School of Advanced Studies and the University of Pisa. I am carrying out a cyber security thesis project focusing in particular on Pointer Authentication of ARM. I have some questions:
1) why do you need XPAC * instruction? Is not it a problem for security in case of an attack? If so, is it possible to trap only the use of this instruction for a certain
exception level?
2) When an authentication fails, a translation faults occurs. Is it possible to know, from the values of registers, that this is given by a failed authentication and not for another reason?
3) What types of attacks PAC can block and which ones do not?
4) Which ARM processors implement PAC?

Parents
  • 0 Arm Employee Badge
    Giulia Ferri said:
    1) why do you need XPAC * instruction? Is not it a problem for security in case of an attack? If so, is it possible to trap only the use of this instruction for a certain
    exception level?

    Computer attacks are becoming more sophisticated. Examples of this are exploit mechanisms such as the use of gadgets in Return-Orientated-Programming (ROP) and Jump-Orientated-Programming (JOP). To mitigate against such exploits, Armv8.3-A introduces a feature that authenticates the contents of a register before it is used as the address for an indirect branch or data reference.  HCR_EL2, SCR_EL3 System register controls that trap accesses to Pointer authentication functionality: Traps to EL2/3 any use of an enabled Pointer authentication instruction.

    Giulia Ferri said:
    2) When an authentication fails, a translation faults occurs. Is it possible to know, from the values of registers, that this is given by a failed authentication and not for another reason?
    New instructions are added which can be used to:

* Insert a PAC into a pointer
* Strip a PAC from a pointer
* Authenticate strip a PAC from a pointer

If authentication succeeds, the code is removed, yielding the original pointer.
If authentication fails, bits are set in the pointer such that it is guaranteed
to cause a fault if used.
    Giulia Ferri said:
    3) What types of attacks PAC can block and which ones do not?

    Return-Orientated-Programming (ROP) and Jump-Orientated-Programming (JOP)

    Giulia Ferri said:
    4) Which ARM processors implement PAC?

    arm processors which support ARMv8.3-PAuth, Pointer Authentication, currently there's no processor support ARMv8.3-PAuth.

Reply
  • 0 Arm Employee Badge
    Giulia Ferri said:
    1) why do you need XPAC * instruction? Is not it a problem for security in case of an attack? If so, is it possible to trap only the use of this instruction for a certain
    exception level?

    Computer attacks are becoming more sophisticated. Examples of this are exploit mechanisms such as the use of gadgets in Return-Orientated-Programming (ROP) and Jump-Orientated-Programming (JOP). To mitigate against such exploits, Armv8.3-A introduces a feature that authenticates the contents of a register before it is used as the address for an indirect branch or data reference.  HCR_EL2, SCR_EL3 System register controls that trap accesses to Pointer authentication functionality: Traps to EL2/3 any use of an enabled Pointer authentication instruction.

    Giulia Ferri said:
    2) When an authentication fails, a translation faults occurs. Is it possible to know, from the values of registers, that this is given by a failed authentication and not for another reason?
    New instructions are added which can be used to:

* Insert a PAC into a pointer
* Strip a PAC from a pointer
* Authenticate strip a PAC from a pointer

If authentication succeeds, the code is removed, yielding the original pointer.
If authentication fails, bits are set in the pointer such that it is guaranteed
to cause a fault if used.
    Giulia Ferri said:
    3) What types of attacks PAC can block and which ones do not?

    Return-Orientated-Programming (ROP) and Jump-Orientated-Programming (JOP)

    Giulia Ferri said:
    4) Which ARM processors implement PAC?

    arm processors which support ARMv8.3-PAuth, Pointer Authentication, currently there's no processor support ARMv8.3-PAuth.

Children
No data