Hello, I am a student in the Master’s Degree in Embedded Computing Systems offered by Sant’Anna School of Advanced Studies and the University of Pisa. I am carrying out a cyber security thesis project focusing in particular on Pointer Authentication on ARM. I have some questions: 1) Why do you need the XPAC* instruction? Isn't it a problem for security in case of an attack? If so, is it possible to trap only the use of this instruction for a certain exception level? 2) When an authentication fails, a translation fault occurs. Is it possible to know, from the values of registers, that this is caused by a failed authentication and not by another reason? 3) What types of attacks can PAC block, and which ones can it not? 4) Which ARM processors implement PAC?
Thank you for your answer.
Some things are not clear to me yet. For question 1, I would like to know why the instruction to strip a PAC from a pointer was designed. In which cases is it useful? For question 2, I would like to know more specifically if and how it is possible to tell that the translation fault is due to the failure of authentication by reading the registers. I would like to handle the fault only if the translation fault is caused by the failure of the authentication of a PAC.
Hi Giulia,
1. Library code performing stack unwinding may need to use XPAC* rather than attempting authentication and/or acquiring the PAC masks via ptrace.
And kernel perf will use XPAC* when unwinding; here's an example:
https://patchwork.kernel.org/patch/10077257/
2. If the check fails, the second-top and third-top bits of the extension bits in the pointer authentication code field are corrupted to ensure that accessing the address will give a translation fault. You can check these error bits of the fault address to identify whether it's a PAC fault.
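As an added illustration of both points (constructed for this thread, not code from the original reply or from the kernel), the following C model strips a PAC the way XPAC* does and classifies a faulting address as consistent with a failed authentication when it differs from a canonical address only in the two error bits. It assumes 48-bit virtual addresses and TBI disabled, so the error bits are 62 and 61; the mask, function and enum names are my own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Assumptions for this model (not stated in the thread): 48-bit virtual
 * addresses and top-byte-ignore (TBI) off, so the PAC occupies bits [63:48]
 * except bit 55, which selects the TTBR0 (0) or TTBR1 (1) half. The two
 * error bits are then the second- and third-top extension bits, 62 and 61. */
#define VA_BITS    48
#define SELECT_BIT 55
#define LOW_MASK   ((UINT64_C(1) << VA_BITS) - 1)
#define ERR_BITS   ((UINT64_C(1) << 62) | (UINT64_C(1) << 61))

/* Bit 55 copied over the whole extension field: ones for TTBR1, zeros for TTBR0. */
static uint64_t extension_for(uint64_t ptr)
{
    return ((ptr >> SELECT_BIT) & 1) ? ~LOW_MASK : 0;
}

/* Software equivalent of XPACI/XPACD: drop the PAC and restore the canonical
 * address. An unwinder can do this without the key and without ptrace. */
static uint64_t strip_pac(uint64_t ptr)
{
    return (ptr & LOW_MASK) | extension_for(ptr);
}

/* Canonical means every extension bit equals bit 55, i.e. nothing to strip. */
static bool is_canonical(uint64_t ptr)
{
    return strip_pac(ptr) == ptr;
}

enum fault_kind { FAULT_CANONICAL, FAULT_PAC_FAILURE, FAULT_OTHER };

/* Classify a faulting address (e.g. FAR_ELx in the fault handler): a failed
 * AUT* leaves the pointer canonical except in the two error bits, so putting
 * only those bits back must give a canonical address. Anything else that is
 * non-canonical is a different bad pointer (or one still carrying its PAC). */
static enum fault_kind classify_fault_addr(uint64_t far)
{
    if (is_canonical(far))
        return FAULT_CANONICAL;   /* ordinary translation fault */
    uint64_t repaired = (far & ~ERR_BITS) | (extension_for(far) & ERR_BITS);
    return is_canonical(repaired) ? FAULT_PAC_FAILURE : FAULT_OTHER;
}

int main(void)
{   /* Constructed sample addresses, not real fault records. */
    uint64_t ret = 0xffff800010123456ULL, bad = ret ^ ERR_BITS;
    uint64_t wild = 0x1234800010123456ULL;   /* junk across the PAC field */
    printf("%d %d %d %d\n", strip_pac(bad) == ret, classify_fault_addr(ret),
           classify_fault_addr(bad), classify_fault_addr(wild));
    return 0;
}
```

On cores that implement FEAT_FPAC, a failed AUT* raises a dedicated PAC fault exception instead of corrupting the pointer, so there the ESR rather than the fault address tells you what happened.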