Hello, I am a student of the Master’s Degree in Embedded Computing Systems offered by Sant’Anna School of Advanced Studies and the University of Pisa. I am carrying out a cyber security thesis project focusing in particular on Pointer Authentication of ARM. I have some questions:
1) Why do you need the XPAC* instruction? Isn't it a problem for security in case of an attack? If so, is it possible to trap only the use of this instruction for a certain exception level?
2) When an authentication fails, a translation fault occurs. Is it possible to know, from the values of registers, that this is caused by a failed authentication and not by another reason?
3) What types of attacks can PAC block and which ones can it not?
4) Which ARM processors implement PAC?
Hi Giulia,
1. Library code performing stack unwinding may need to use XPAC* rather than attempting authentication and/or acquiring the PAC masks via ptrace.
And kernel perf will use xpac* when unwinding, here's an example:
https://patchwork.kernel.org/patch/10077257/
2. If the check fails, the second-top and third-top bits of the extension bits in the pointer authentication code field are corrupted to ensure that accessing the address will give a translation fault. You can check these error bits of the fault address to identify if it's a PAC fault.
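
The check described in answer 2, as an added C example that is not part of the original thread: it classifies a faulting address by looking at the two error bits and the rest of the extension field. The bit positions ([54:53] with top-byte-ignore, [62:61] without) and the key encoding follow the Armv8.3 `Auth()` pseudocode; the function name, the enum and the `va_bits`/`tbi` parameters are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example: classify a faulting address as a likely failed PAC
 * authentication. Assumed layout (Armv8.3 Auth() pseudocode): the 2-bit
 * error code sits in bits [54:53] when top-byte-ignore (TBI) is on and in
 * bits [62:61] when it is off; 0b01 = an A key failed, 0b10 = a B key. */
enum pac_fault { NOT_PAC_FAULT = 0, PAC_FAULT_KEY_A = 1, PAC_FAULT_KEY_B = 2 };

/* far: faulting virtual address; va_bits: configured VA size (e.g. 48);
 * tbi: whether the top byte is ignored for this address. */
enum pac_fault classify_pac_fault(uint64_t far, unsigned va_bits, bool tbi)
{
    if (va_bits < 32 || va_bits > 52)
        return NOT_PAC_FAULT;

    unsigned top = tbi ? 54 : 62;              /* upper bit of the error code */
    uint64_t err_mask = UINT64_C(3) << (top - 1);

    /* Extension field: every bit from va_bits upward, minus bit 55 (the
     * address-half selector) and, with TBI, minus the tag byte [63:56]. */
    uint64_t ext_mask = ~UINT64_C(0) << va_bits;
    ext_mask &= ~(UINT64_C(1) << 55);
    if (tbi)
        ext_mask &= ~(UINT64_C(0xff) << 56);

    /* A pointer with no PAC has all extension bits equal to bit 55. */
    uint64_t canonical = ((far >> 55) & 1) ? ext_mask : 0;

    /* Outside the error code, the field must already be canonical. */
    if (((far ^ canonical) & ext_mask & ~err_mask) != 0)
        return NOT_PAC_FAULT;

    switch ((far >> (top - 1)) & 3) {
    case 1:  return PAC_FAULT_KEY_A;
    case 2:  return PAC_FAULT_KEY_B;
    default: return NOT_PAC_FAULT;             /* 00 or 11: plain pointer */
    }
}
```

A match is a heuristic: an unrelated corrupted pointer can carry the same bit pattern, so treat the result as a hint alongside the faulting instruction and register state.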