-
What is a gadget in return-oriented programming (ROP) and jump-oriented programming (JOP) attacks?
A gadget is a short sequence of instructions that already exists in executable memory and ends in either a function return (ROP) or an indirect branch through a register (JOP; on AArch64, BR or BLR). Because the code is already present, the attacker does not need to inject any: by controlling the return addresses on the stack or the registers the indirect branches use, the gadgets are chained so that each one hands control to the next, forming a new program out of the victim's own code.
-
Describe how Branch Target Identification (BTI) limits the scope of JOP attacks.
In pages marked as guarded (the GP page-table attribute), BTI requires that an indirect branch (BR or BLR) land on a BTI instruction whose target type matches the kind of branch taken, or on a PACIxSP or PACIxZ instruction; landing on any other instruction raises a Branch Target exception. An attacker can therefore only start a gadget at a compiler-placed landing pad, typically a function entry or a jump-table case, rather than at any instruction in the binary. This greatly reduces the number of possible targets and makes it difficult to form chains of gadgets. BTI does not constrain RET, so return-oriented chains must be handled separately, for example by signing return addresses with pointer authentication.
-
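As an added example for the two questions above (not code from the original page), the C program below scans a constructed buffer of AArch64 instruction words for gadget terminators (RET, BR, BLR), counts the gadget start points an attacker could use, and then applies a simplified model of the BTI landing-pad rules to see which BR/BLR-terminated gadgets survive once the page is guarded. The sample_code buffer, the gadget-length limit of three instructions and the landing-pad model (only BTI c/j/jc and PACIASP/PACIBSP, with SCTLR_ELx.BT taken as 0) are assumptions made for the example.

```c
/* Added example: gadget terminators and BTI landing pads on AArch64.
 * sample_code is constructed for this demonstration; the landing-pad
 * model covers BTI c/j/jc and PACIASP/PACIBSP only. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Exact encodings of the instructions the model recognises. */
#define INSN_RET_X30  0xD65F03C0u
#define INSN_BTI_C    0xD503245Fu
#define INSN_BTI_J    0xD503249Fu
#define INSN_BTI_JC   0xD50324DFu
#define INSN_PACIASP  0xD503233Fu
#define INSN_PACIBSP  0xD503237Fu
#define INSN_NOP      0xD503201Fu

enum term { TERM_NONE, TERM_RET, TERM_BR, TERM_BLR };

/* Classify an instruction as a gadget terminator (Rn lives in bits 9:5). */
static enum term terminator(uint32_t insn)
{
    if ((insn & 0xFFFFFC1Fu) == 0xD65F0000u) return TERM_RET; /* RET Xn */
    if ((insn & 0xFFFFFC1Fu) == 0xD61F0000u) return TERM_BR;  /* BR Xn  */
    if ((insn & 0xFFFFFC1Fu) == 0xD63F0000u) return TERM_BLR; /* BLR Xn */
    return TERM_NONE;
}

/* PSTATE.BTYPE left behind by an indirect branch: BR X16/X17 -> 01,
 * BLR Xn -> 10, any other BR Xn -> 11. A RET sets no BTYPE (0). */
static unsigned btype_of(uint32_t insn)
{
    unsigned rn = (insn >> 5) & 0x1Fu;
    switch (terminator(insn)) {
    case TERM_BR:  return (rn == 16 || rn == 17) ? 1u : 3u;
    case TERM_BLR: return 2u;
    default:       return 0u;
    }
}

/* Is `insn` a landing pad compatible with this BTYPE in a guarded page? */
static int landing_pad_ok(uint32_t insn, unsigned btype)
{
    switch (insn) {
    case INSN_BTI_JC:  return 1;
    case INSN_BTI_C:
    case INSN_PACIASP:
    case INSN_PACIBSP: return btype == 1u || btype == 2u; /* PACIxSP acts as BTI c */
    case INSN_BTI_J:   return btype == 1u || btype == 3u;
    default:           return 0;
    }
}

struct gadget_count {
    unsigned ret;          /* start points of RET-terminated gadgets (BTI does not apply) */
    unsigned indirect;     /* start points of BR/BLR-terminated gadgets without BTI */
    unsigned indirect_bti; /* ... of which begin at a compatible landing pad */
};

/* A gadget may begin at the terminator or at any of the `maxlen` instructions
 * before it, as long as no earlier terminator sits in between. */
static struct gadget_count count_gadgets(const uint32_t *code, size_t n, size_t maxlen)
{
    struct gadget_count c = {0u, 0u, 0u};
    for (size_t i = 0; i < n; i++) {
        enum term t = terminator(code[i]);
        if (t == TERM_NONE) continue;
        for (size_t len = 0; len <= maxlen && len <= i; len++) {
            size_t s = i - len;
            if (len > 0 && terminator(code[s]) != TERM_NONE) break;
            if (t == TERM_RET) { c.ret++; continue; }
            c.indirect++;
            if (landing_pad_ok(code[s], btype_of(code[i]))) c.indirect_bti++;
        }
    }
    return c;
}

/* Constructed code: two BTI-instrumented functions and a jump-table target. */
static const uint32_t sample_code[] = {
    INSN_BTI_C,    /* 0: function entry, valid target for BLR and BR X16/X17 */
    0xD2800020u,   /* 1: MOV X0, #1 */
    0x8B010000u,   /* 2: ADD X0, X0, X1 */
    INSN_RET_X30,  /* 3: RET */
    INSN_BTI_J,    /* 4: jump-table case label, valid target for BR */
    0xF9400020u,   /* 5: LDR X0, [X1] */
    0xD61F0040u,   /* 6: BR X2 */
    INSN_PACIASP,  /* 7: function entry signing LR; behaves as BTI c */
    INSN_NOP,      /* 8: NOP */
    0xD63F0060u,   /* 9: BLR X3 */
};

static struct gadget_count sample_count(void)
{
    return count_gadgets(sample_code, sizeof sample_code / sizeof sample_code[0], 3);
}

int main(void)
{
    struct gadget_count c = sample_count();
    printf("RET gadgets: %u (unchanged by BTI)\n", c.ret);
    printf("BR/BLR gadgets: %u without BTI, %u with BTI\n", c.indirect, c.indirect_bti);
    return 0;
}
```

On the sample buffer the six BR/BLR gadget start points collapse to two once BTI is enforced (the BTI j before the jump-table code and the PACIASP at the second function entry), while the four RET-terminated start points are untouched, which is why BTI is deployed together with return-address signing rather than instead of it.
-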
When using pointer authentication, where is the signature of an address stored?
In the upper bits of the virtual address: the pointer authentication code (PAC) is placed in the bits of the 64-bit pointer that the virtual address does not use, above the address width configured for the translation regime (and below the top byte when top-byte-ignore is enabled, since that byte is kept for tags). The wider the virtual address space, the fewer bits remain for the PAC, so the signature's strength depends on the VA configuration.
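The program below is an added example (not from the original page) of that layout: it signs, authenticates and strips pointers with the PAC held in the otherwise-unused upper bits. It assumes 48-bit virtual addresses with top-byte-ignore on, so the PAC field is bits 54:48 (bit 55 stays the upper/lower-VA selector and bits 63:56 are left to the tag byte); the keyed mixing function is a toy stand-in for the architecture's QARMA-based PAC, and the key, return address and stack-pointer values are made up.

```c
/* Added example: where the PAC lives in a 64-bit pointer.
 * Assumes VA_BITS = 48 and top-byte-ignore; toy_mac is NOT QARMA. */
#include <stdint.h>
#include <stdio.h>

#define VA_BITS   48
#define PAC_LO    VA_BITS
#define PAC_HI    54                       /* bit 55 is the VA sign/select bit */
#define PAC_WIDTH (PAC_HI - PAC_LO + 1)
#define PAC_MASK  ((((uint64_t)1 << PAC_WIDTH) - 1) << PAC_LO)

struct pac_key { uint64_t lo, hi; };      /* APIAKey-style 128-bit key (made up) */

/* Toy keyed mixing function standing in for QARMA. Not a real MAC. */
static uint64_t toy_mac(uint64_t ptr, uint64_t modifier, struct pac_key k)
{
    uint64_t x = ptr ^ k.lo, y = modifier ^ k.hi;
    for (int i = 0; i < 6; i++) {
        x += y; y = (y << 13) | (y >> 51); y ^= x;
        x = (x << 32) | (x >> 32);
        x += y; y = (y << 17) | (y >> 47); y ^= x;
        y *= 0x9E3779B97F4A7C15ULL;
        x ^= y >> 29;
    }
    return x ^ y;
}

/* XPACx: remove the PAC field, leaving the canonical address. */
static uint64_t pac_strip(uint64_t ptr) { return ptr & ~PAC_MASK; }

/* PACxx: compute the code over (canonical pointer, modifier) and store its
 * top PAC_WIDTH bits in the unused upper bits of the pointer. */
static uint64_t pac_sign(uint64_t ptr, uint64_t modifier, struct pac_key k)
{
    uint64_t canonical = pac_strip(ptr);
    uint64_t code = toy_mac(canonical, modifier, k) >> (64 - PAC_WIDTH);
    return canonical | (code << PAC_LO);
}

/* AUTxx: recompute and compare. On success return the usable pointer; on
 * failure return a non-canonical pointer (bit 54 forced on) so that any
 * dereference faults, as pre-FEAT_FPAC hardware does. With FEAT_FPAC the
 * AUT instruction itself raises the exception. */
static uint64_t pac_auth(uint64_t ptr, uint64_t modifier, struct pac_key k, int *ok)
{
    uint64_t canonical = pac_strip(ptr);
    *ok = (pac_sign(canonical, modifier, k) == ptr);
    return *ok ? canonical : (canonical | ((uint64_t)1 << PAC_HI));
}

int main(void)
{
    struct pac_key key = { 0x0123456789ABCDEFull, 0xFEDCBA9876543210ull };
    uint64_t lr        = 0x00007F3A1C004ABCull;  /* return address, 48 bits used */
    uint64_t sp_caller = 0x00007FFD2C10E0F0ull;  /* SP is the modifier for PACIASP */
    uint64_t sp_other  = 0x00007FFD2C10E1F0ull;  /* a different frame's SP */
    int ok;

    uint64_t signed_lr = pac_sign(lr, sp_caller, key);
    printf("plain  LR: 0x%016llx\n", (unsigned long long)lr);
    printf("signed LR: 0x%016llx  (PAC 0x%02llx in bits 54:48)\n",
           (unsigned long long)signed_lr,
           (unsigned long long)((signed_lr & PAC_MASK) >> PAC_LO));

    pac_auth(signed_lr, sp_caller, key, &ok);
    printf("auth with the signing frame's SP: %s\n", ok ? "ok" : "FAIL");
    uint64_t r = pac_auth(signed_lr, sp_other, key, &ok);
    printf("auth from a different frame:      %s -> 0x%016llx\n",
           ok ? "ok" : "FAIL", (unsigned long long)r);
    return 0;
}
```

With this configuration only seven bits are free, so a forged or replayed pointer passes authentication by chance about once in 128 attempts; turning top-byte-ignore off or shrinking the virtual address space widens the field (for example to bits 63:48 minus bit 55 with TBI off) and makes guessing correspondingly harder. That trade-off between address-space size and PAC strength is exactly the consequence of storing the signature in the unused address bits.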
-
In the Arm Memory Tagging Extension (MTE), what happens when the tag issued alongside a memory access does not match the allocation tag?
This situation is known as a tag check failure. The behaviour is configurable via SCTLR_ELx.TCF (with SCTLR_EL1.TCF0 covering accesses made from EL0). The failure can be ignored, reported synchronously (a Data Abort is taken on the faulting access, so the handler knows the exact instruction and address), or reported asynchronously (the access completes, a sticky bit is set in TFSR_ELx or TFSRE0_EL1, and the failure is reported at a later point such as the next exception entry, which is cheaper but loses the precise location). FEAT_MTE3 adds an asymmetric mode that is synchronous for reads and asynchronous for writes.
-
How many bits are used to store the logical tag in the Arm Memory Tagging Extension?
4 bits, held in bits 59:56 of the pointer (inside the top byte, which top-byte-ignore excludes from address translation), but the values 0b0000 and 0b1111 are reserved. Each 16-byte granule of memory carries a matching 4-bit allocation tag, and a checked access compares the pointer's logical tag against the allocation tag of the granule it touches.
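As an added example for the two MTE questions above (not code from the original page), the C program below models tag checking in software: the logical tag is carried in pointer bits 59:56, each 16-byte granule of a small constructed memory has a 4-bit allocation tag, and a mismatch is handled according to an SCTLR_ELx.TCF-style mode. The 256-byte memory, the counter that stands in for IRG's random tag choice, the flag that stands in for the TFSR_ELx sticky bit and the two scenarios (a linear overflow and a use-after-free) are all constructed for the example; tag exclusion follows the reserved values named above.

```c
/* Added example: MTE logical vs allocation tags and TCF failure modes.
 * Memory, tags and scenarios are constructed for this demonstration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRANULE   16
#define MEM_SIZE  256
#define TAG_SHIFT 56
#define TAG_MASK  ((uint64_t)0xF << TAG_SHIFT)

/* SCTLR_ELx.TCF encodings: 0b00 ignore, 0b01 synchronous, 0b10 asynchronous. */
enum tcf { TCF_IGNORE = 0, TCF_SYNC = 1, TCF_ASYNC = 2 };

struct mte_sim {
    uint8_t  mem[MEM_SIZE];
    uint8_t  alloc_tag[MEM_SIZE / GRANULE]; /* one allocation tag per granule */
    enum tcf mode;
    int      async_pending;                 /* models the TFSR_ELx sticky bit */
    int      sync_faults;                   /* Data Aborts that would be taken */
};

static uint64_t ptr_with_tag(uint64_t addr, unsigned tag)
{
    return (addr & ~TAG_MASK) | ((uint64_t)(tag & 0xFu) << TAG_SHIFT);
}
static unsigned logical_tag(uint64_t p) { return (unsigned)((p >> TAG_SHIFT) & 0xFu); }
static uint64_t untagged(uint64_t p)    { return p & ~TAG_MASK; }

/* IRG-style tag choice honouring a GCR_EL1.Exclude-style mask; a counter
 * replaces the hardware random source so the example is repeatable. */
static unsigned next_tag(unsigned *counter, uint16_t exclude_mask)
{
    for (;;) {
        unsigned t = (*counter)++ & 0xFu;
        if (!(exclude_mask & (1u << t))) return t;
    }
}

/* STG-style: set the allocation tag of every granule in [addr, addr+len)
 * and hand back the matching tagged pointer. */
static uint64_t mte_alloc(struct mte_sim *s, uint64_t addr, size_t len, unsigned tag)
{
    for (size_t off = 0; off < len; off += GRANULE)
        s->alloc_tag[(addr + off) / GRANULE] = (uint8_t)tag;
    return ptr_with_tag(addr, tag);
}

/* Checked load. Returns 0 when the access proceeds, -1 for a synchronous
 * tag check failure (the Data Abort). Ignore and async modes let the access
 * complete; async only records that a failure happened. */
static int mte_load(struct mte_sim *s, uint64_t p, uint8_t *out)
{
    uint64_t addr = untagged(p);
    if (addr >= MEM_SIZE) return -1;            /* outside the modelled memory */
    if (logical_tag(p) != s->alloc_tag[addr / GRANULE]) {
        if (s->mode == TCF_SYNC)  { s->sync_faults++; return -1; }
        if (s->mode == TCF_ASYNC) s->async_pending = 1;
    }
    *out = s->mem[addr];
    return 0;
}

struct outcome { int in_bounds_rc, overflow_rc, uaf_rc, async_pending, sync_faults; };

/* Two adjacent 32-byte allocations, a one-byte overflow from the first into
 * the second, then a use-after-free once the first block has been retagged. */
static struct outcome run_scenario(enum tcf mode)
{
    struct mte_sim s;
    struct outcome o;
    unsigned ctr = 1;
    uint16_t exclude = (1u << 0) | (1u << 15);    /* 0b0000 and 0b1111 excluded */
    uint8_t v;

    memset(&s, 0, sizeof s);
    s.mode = mode;
    uint64_t a = mte_alloc(&s, 0, 32, next_tag(&ctr, exclude));   /* tag 1 */
    uint64_t b = mte_alloc(&s, 32, 32, next_tag(&ctr, exclude));  /* tag 2 */
    (void)b;
    o.in_bounds_rc = mte_load(&s, a + 31, &v);
    o.overflow_rc  = mte_load(&s, a + 32, &v);                    /* first byte of b */
    mte_alloc(&s, 0, 32, next_tag(&ctr, exclude));                /* "free" a: retag to 3 */
    o.uaf_rc       = mte_load(&s, a, &v);                         /* stale pointer keeps tag 1 */
    o.async_pending = s.async_pending;
    o.sync_faults   = s.sync_faults;
    return o;
}

int main(void)
{
    static const char *names[] = { "ignore", "sync", "async" };
    for (int m = 0; m < 3; m++) {
        struct outcome o = run_scenario((enum tcf)m);
        printf("TCF=%-6s in-bounds=%d overflow=%d uaf=%d sync_faults=%d async_pending=%d\n",
               names[m], o.in_bounds_rc, o.overflow_rc, o.uaf_rc, o.sync_faults, o.async_pending);
    }
    return 0;
}
```

Both bugs are caught because the stale or overflowing pointer still carries the tag of its original allocation while the granule it reaches has a different one; in synchronous mode each bad access is stopped at once, in asynchronous mode both accesses complete and only the sticky flag records that something went wrong, and in ignore mode nothing is reported at all.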