Hello, I am a student of the Master's Degree in Embedded Computing Systems offered by Sant'Anna School of Advanced Studies and the University of Pisa. I am carrying out a cyber security thesis project focusing in particular on ARM Pointer Authentication. I have some questions:
1) Why do you need the XPAC* instruction? Isn't it a problem for security in case of an attack? If so, is it possible to trap only the use of this instruction for a certain exception level?
2) When an authentication fails, a translation fault occurs. Is it possible to know, from the values of registers, that this is caused by a failed authentication and not by another reason?
3) What types of attacks can PAC block, and which ones can it not?
4) Which ARM processors implement PAC?
Giulia Ferri said: 1) Why do you need the XPAC* instruction? Isn't it a problem for security in case of an attack? If so, is it possible to trap only the use of this instruction for a certain exception level?
The ARMv8.3 pointer authentication extension adds functionality to detect modification of pointer values, mitigating certain classes of attack such as stack smashing, Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP). The system registers HCR_EL2/SCR_EL3 have controls that trap accesses to Pointer Authentication functionality: they trap to EL2/EL3 any use of an enabled Pointer Authentication instruction.
Giulia Ferri said: 2) When an authentication fails, a translation fault occurs. Is it possible to know, from the values of registers, that this is caused by a failed authentication and not by another reason?
New instructions are added which can be used to:
* Insert a PAC into a pointer
* Strip a PAC from a pointer
* Authenticate and strip a PAC from a pointer
If authentication succeeds, the code is removed, yielding the original pointer. If authentication fails, bits are set in the pointer such that it is guaranteed to cause a fault if used.
Giulia Ferri said: 3) What types of attacks can PAC block, and which ones can it not?
Making stack smashing, Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP) hard.
Giulia Ferri said: 4) Which ARM processors implement PAC?
Next-generation processors that support ARMv8.3 (PAuth); currently there is no such processor.
Thank you for your answer.
Some things are not clear to me yet.
For question 1, I would like to know why the instruction to strip a PAC from a pointer was designed. In which cases is it useful?
For question 2, I would like to know more specifically if and how it is possible to tell that the translation fault is due to the failure of authentication by reading the registers. I would like to handle the fault only if the translation fault is caused by the failure of the authentication of a PAC.
Hi Giulia,
1. Library code performing stack unwinding may need to use XPAC* rather than attempting authentication and/or acquiring the PAC masks via ptrace.
And kernel perf will use XPAC* when unwinding; here's an example:
https://patchwork.kernel.org/patch/10077257/
2. If the check fails, the second-top and third-top bits of the extension bits in the pointer authentication code field are corrupted to ensure that accessing the address will give a translation fault. You can check these error bits of the fault address to identify whether it's a PAC fault.
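As an added illustration (not code from the thread or from ARM), the following C program models the three operations named in the first answer and the fault-address check described in the second: XPAC* restores the extension of bit 55 over the PAC field without any key or check, which is what an unwinder needs; AUT* on failure writes an error code into bits 62:61 (the second- and third-top bits of a 48-bit-VA pointer with TBI disabled), so a fault handler can test those bits in FAR_ELx. The layout assumes a 48-bit virtual address with TBI off; the key constants, function names and the XOR-fold used in place of the QARMA PAC cipher are all my own stand-ins.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration of the ARMv8.3 PAC operations discussed in the thread,
 * modelled for a 48-bit virtual address with TBI disabled. Names, constants
 * and the toy PAC function are mine, not ARM's. */

#define PAC_FIELD 0xFF7F000000000000ULL  /* PAC bits: 63:56 and 54:48 */
#define SELBIT    (1ULL << 55)           /* bit 55: upper or lower address half */
#define ERR_MASK  (3ULL << 61)           /* bits 62:61: error code after a failed AUT */

enum pac_key { KEY_A = 0, KEY_B = 1 };

/* Stand-in for the PAC cipher (QARMA on real cores). An XOR fold is used so
 * that the example is deterministic and easy to trace by hand; it is linear
 * and provides no security whatsoever. */
static uint64_t toy_pac(uint64_t canon, uint64_t modifier, enum pac_key key)
{
    static const uint64_t key_const[2] = { 0x0123456789ABCDEFULL,   /* assumed A key */
                                           0xFEDCBA9876543210ULL }; /* assumed B key */
    uint64_t x = canon ^ modifier ^ key_const[key];
    x ^= x >> 32;
    x ^= x >> 16;
    uint64_t pac15 = (x ^ (x >> 15)) & 0x7FFF;
    return ((pac15 >> 7) << 56) | ((pac15 & 0x7F) << 48);
}

/* XPACI/XPACD: drop the PAC by sign-extending bit 55 over the PAC field.
 * No key and no check, which is why an unwinder can use it. */
uint64_t xpac(uint64_t ptr)
{
    uint64_t ext = (ptr & SELBIT) ? PAC_FIELD : 0;
    return (ptr & ~PAC_FIELD) | ext;
}

/* PACIA/PACIB for a pointer whose upper bits are already canonical. */
uint64_t pac_insert(uint64_t ptr, uint64_t modifier, enum pac_key key)
{
    uint64_t canon = xpac(ptr);
    return (canon & ~PAC_FIELD) | toy_pac(canon, modifier, key);
}

/* AUTIA/AUTIB: return the canonical pointer on success. On failure, write the
 * error code into bits 62:61 (01 for the A key, 10 for the B key), which
 * leaves the address non-canonical so a later use of it faults. */
uint64_t pac_auth(uint64_t ptr, uint64_t modifier, enum pac_key key)
{
    uint64_t canon = xpac(ptr);
    if ((ptr & PAC_FIELD) == toy_pac(canon, modifier, key))
        return canon;
    uint64_t error_code = (key == KEY_A) ? 1ULL : 2ULL;
    return (canon & ~ERR_MASK) | (error_code << 61);
}

/* The check a fault handler can run on the faulting address (FAR_ELx):
 * canonical addresses have 00 or 11 in bits 62:61, so 01 or 10 there is the
 * signature of a failed AUT*. Returns 1 (A key), 2 (B key) or 0 (no PAC
 * signature). Heuristic only: any other corruption of the same two bits
 * would look identical. */
int pac_fault_key(uint64_t far)
{
    unsigned code = (unsigned)((far >> 61) & 3);
    return (code == 1 || code == 2) ? (int)code : 0;
}

int main(void)
{
    uint64_t ret = 0x00007FFF12345670ULL;   /* constructed return address */
    uint64_t sp  = 0x00007FFE00001000ULL;   /* constructed modifier (SP) */

    uint64_t signed_ret = pac_insert(ret, sp, KEY_A);
    printf("signed      %016" PRIx64 "\n", signed_ret);
    printf("xpac        %016" PRIx64 "\n", xpac(signed_ret));
    printf("auth ok     %016" PRIx64 "\n", pac_auth(signed_ret, sp, KEY_A));

    /* Simulated stack overwrite of one byte of the saved LR. */
    uint64_t tampered = signed_ret ^ 0x10;
    uint64_t bad = pac_auth(tampered, sp, KEY_A);
    printf("auth fail   %016" PRIx64 " (pac fault key %d)\n", bad, pac_fault_key(bad));
    return 0;
}
```

The unwinder case from the first point is `xpac()`: it recovers the return address from a saved LR without knowing the key or the modifier, at the cost of performing no check. The second point is `pac_fault_key()`: a translation fault whose faulting address carries 01 or 10 in bits 62:61 is the pattern a failed authentication leaves behind, while any other translation fault on a canonical address gives 0. With TBI enabled the error code moves down into the PAC field below bit 55, so the mask would have to change accordingly.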