• State Accepted Answer
  • Locked Locked
  • Replies 4 replies
  • Subscribers 22 subscribers
  • Views 16648 views
  • Users 0 members are here
2025 survey

We are running a survey to help us improve the experience for all of our members. If you see the survey appear, please take the time to tell us about your experience if you can.

Options
Related
How was your experience today?
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Pointer Authentication of ARM

Giulia Ferri

Hello,
I am a student of Master’s Degree in Embedded Computing Systems offered by Sant’Anna School of Advanced Studies and the University of Pisa. I am carrying out a cyber security thesis project focusing in particular on Pointer Authentication of ARM. I have some questions:
1) why do you need XPAC * instruction? Is not it a problem for security in case of an attack? If so, is it possible to trap only the use of this instruction for a certain
exception level?
2) When an authentication fails, a translation faults occurs. Is it possible to know, from the values of registers, that this is given by a failed authentication and not for another reason?
3) What types of attacks PAC can block and which ones do not?
4) Which ARM processors implement PAC?

Parents
  • 0 Arm Employee Badge
    Giulia Ferri said:
    1) why do you need XPAC * instruction? Is not it a problem for security in case of an attack? If so, is it possible to trap only the use of this instruction for a certain
    exception level?

    Computer attacks are becoming more sophisticated. Examples of this are exploit mechanisms such as the use of gadgets in Return-Orientated-Programming (ROP) and Jump-Orientated-Programming (JOP). To mitigate against such exploits, Armv8.3-A introduces a feature that authenticates the contents of a register before it is used as the address for an indirect branch or data reference.  HCR_EL2, SCR_EL3 System register controls that trap accesses to Pointer authentication functionality: Traps to EL2/3 any use of an enabled Pointer authentication instruction.

    Giulia Ferri said:
    2) When an authentication fails, a translation faults occurs. Is it possible to know, from the values of registers, that this is given by a failed authentication and not for another reason?
    New instructions are added which can be used to:

* Insert a PAC into a pointer
* Strip a PAC from a pointer
* Authenticate strip a PAC from a pointer

If authentication succeeds, the code is removed, yielding the original pointer.
If authentication fails, bits are set in the pointer such that it is guaranteed
to cause a fault if used.
    Giulia Ferri said:
    3) What types of attacks PAC can block and which ones do not?

    Return-Orientated-Programming (ROP) and Jump-Orientated-Programming (JOP)

    Giulia Ferri said:
    4) Which ARM processors implement PAC?

    arm processors which support ARMv8.3-PAuth, Pointer Authentication, currently there's no processor support ARMv8.3-PAuth.

Reply
  • 0 Arm Employee Badge
    Giulia Ferri said:
    1) why do you need XPAC * instruction? Is not it a problem for security in case of an attack? If so, is it possible to trap only the use of this instruction for a certain
    exception level?

    Computer attacks are becoming more sophisticated. Examples of this are exploit mechanisms such as the use of gadgets in Return-Orientated-Programming (ROP) and Jump-Orientated-Programming (JOP). To mitigate against such exploits, Armv8.3-A introduces a feature that authenticates the contents of a register before it is used as the address for an indirect branch or data reference.  HCR_EL2, SCR_EL3 System register controls that trap accesses to Pointer authentication functionality: Traps to EL2/3 any use of an enabled Pointer authentication instruction.

    Giulia Ferri said:
    2) When an authentication fails, a translation faults occurs. Is it possible to know, from the values of registers, that this is given by a failed authentication and not for another reason?
    New instructions are added which can be used to:

* Insert a PAC into a pointer
* Strip a PAC from a pointer
* Authenticate strip a PAC from a pointer

If authentication succeeds, the code is removed, yielding the original pointer.
If authentication fails, bits are set in the pointer such that it is guaranteed
to cause a fault if used.
    Giulia Ferri said:
    3) What types of attacks PAC can block and which ones do not?

    Return-Orientated-Programming (ROP) and Jump-Orientated-Programming (JOP)

    Giulia Ferri said:
    4) Which ARM processors implement PAC?

    arm processors which support ARMv8.3-PAuth, Pointer Authentication, currently there's no processor support ARMv8.3-PAuth.

Children
No data