This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Pointer Authentication of ARM

Hello,
I am a student of Master’s Degree in Embedded Computing Systems offered by Sant’Anna School of Advanced Studies and the University of Pisa. I am carrying out a cyber security thesis project focusing in particular on Pointer Authentication of ARM. I have some questions:
1) why do you need XPAC * instruction? Is not it a problem for security in case of an attack? If so, is it possible to trap only the use of this instruction for a certain
exception level?
2) When an authentication fails, a translation faults occurs. Is it possible to know, from the values of registers, that this is given by a failed authentication and not for another reason?
3) What types of attacks PAC can block and which ones do not?
4) Which ARM processors implement PAC?

Parents
  • Hi Giulia,

    1. Library code performing stack unwinding may need to use XPAC* rather than attempting authentication and/or acquiring
      the PAC masks via ptrace. 

    And kernel perf will use xpac* when unwinding, here's an example:

    https://patchwork.kernel.org/patch/10077257/

    2. If the check fails, the second-top and third-top bits of the extension bits in the pointer authentication code field are corrupted to ensure that accessing the address will give a translation fault. Can check this error bits of the fault address if identify if it's a pac fault.

Reply
  • Hi Giulia,

    1. Library code performing stack unwinding may need to use XPAC* rather than attempting authentication and/or acquiring
      the PAC masks via ptrace. 

    And kernel perf will use xpac* when unwinding, here's an example:

    https://patchwork.kernel.org/patch/10077257/

    2. If the check fails, the second-top and third-top bits of the extension bits in the pointer authentication code field are corrupted to ensure that accessing the address will give a translation fault. Can check this error bits of the fault address if identify if it's a pac fault.

Children
No data