Armv8.3 Pointer Authentication

Pointer Authentication codes

Armv8.3 introduced the Pointer Authentication feature. Return-Oriented Programming (ROP) attacks exploit memory errors to corrupt return addresses, tricking functions into returning to the wrong address. Short code sequences ending in RET instructions are then strung together to form a malicious program. Pointer Authentication Codes (PAC) disrupt this by detecting modifications of pointers and data structures before they are used.

Pointers are usually 64 bits; however, most systems have a virtual address space that is smaller, leaving unused bits within the pointer that can house additional data. A Pointer Authentication Code (PAC), a cryptographic signature, is added to the pointer using some of those unused bits. Because the PAC is embedded only in the reserved pointer bits, the address bits themselves are left intact, and any modification of the pointer or the data structure it protects is detected when the PAC is checked.
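As an added illustration (not Arm's code and not the architectural algorithm), the following Python models how a PAC is derived from the canonical pointer plus a modifier, embedded in the unused upper bits, and checked again before the pointer is used; HMAC-SHA256 stands in for the hardware QARMA cipher, and a 48-bit virtual address layout with top-byte-ignore disabled is assumed.

```python
import hashlib
import hmac

# Assumed layout: 48-bit virtual addresses with top-byte-ignore (TBI) off, so the
# PAC occupies bits 63:56 and 54:48. Bit 55 is left untouched because it selects
# the upper or lower half of the address space and must survive signing.
VA_BITS = 48
TBI = False

def pac_mask(va_bits: int = VA_BITS, tbi: bool = TBI) -> int:
    """Mask of the pointer bits that carry the PAC for the given address layout."""
    mask = ((1 << 55) - 1) & ~((1 << va_bits) - 1)   # bits 54:va_bits
    if not tbi:
        mask |= 0xFF << 56                           # bits 63:56 are also free
    return mask

def compute_pac(ptr: int, modifier: int, key: bytes, mask: int) -> int:
    """Signature over (canonical pointer, modifier), placed into the PAC bits.
    Assumption: HMAC-SHA256 stands in for the QARMA cipher used by the hardware."""
    canonical = ptr & ~mask                          # strip any existing PAC
    msg = canonical.to_bytes(8, "little") + modifier.to_bytes(8, "little")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "little") & mask

def pac_sign(ptr: int, modifier: int, key: bytes) -> int:
    """Model of PACIA/PACIB: embed the PAC in the otherwise unused upper bits."""
    mask = pac_mask()
    return (ptr & ~mask) | compute_pac(ptr, modifier, key, mask)

def pac_auth(signed: int, modifier: int, key: bytes) -> tuple:
    """Model of AUTIA/AUTIB: return (stripped pointer, whether the PAC matched)."""
    mask = pac_mask()
    return signed & ~mask, (signed & mask) == compute_pac(signed, modifier, key, mask)

def return_address_check() -> tuple:
    """Sign a saved return address with SP as the modifier, then check three cases."""
    key = bytes(range(16))                 # constructed key (hardware keeps it in APIAKey)
    sp = 0x0000_7FFF_F000_0100             # constructed stack pointer at function entry
    ret = 0x0000_5555_5555_1234            # constructed legitimate return address
    saved = pac_sign(ret, sp, key)         # what the prologue stores in the frame
    intact = pac_auth(saved, sp, key)      # untouched frame: PAC matches, ret recovered
    # A memory error overwrote the slot with a raw address: its PAC field is wrong.
    corrupted = pac_auth(0x0000_5555_5555_9ABC, sp, key)
    # A validly signed value copied from another frame fails too: the SP differs.
    replayed = pac_auth(saved, sp + 0x100, key)
    return intact, corrupted, replayed
```

With 15 PAC bits in this layout, a guessed PAC survives authentication with probability 2^-15, which is why the modifier (here SP) and a per-process key matter as much as the code width.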

Armv8.5 Branch Target Identification

Jump-Oriented Programming (JOP) attacks exploit memory errors to corrupt branch addresses. These attacks string together gadgets ending in indirect BR or BLR instructions, usually through a dispatcher gadget. Branch Target Identification (BTI) ensures that an indirect branch can only land on a matching BTI instruction; branching to any other instruction causes an exception.

BTI instructions guard against the execution of instructions that are not the intended targets of a branch. Outside a guarded memory region, a BTI instruction executes as a No Operation (NOP). Within a guarded memory region, a BTI instruction compatible with the current value of PSTATE.BTYPE does not generate a Branch target exception and allows execution to continue with the subsequent instructions in that region. The operand passed to BTI determines which values of PSTATE.BTYPE the instruction is compatible with. When PSTATE.BTYPE != 0b00, the state set by an indirect branch, any instruction in a guarded region other than a compatible BTI generates a Branch target exception.

Armv8.5 Memory Tagging Extension

Learn more about Open Source support for Armv8.5-A Memory Tagging Extension. Access resource material for Linux Kernel, user space, and tools support for Stack Tagging.