ARM Pointer Authentication
The ARMv8.3 pointer authentication extension adds functionality to detect modification of pointer values, mitigating certain classes of attack such as ROP/JOP attacks. In essence, it attaches a cryptographic signature to pointer values. Those signatures can be verified before a pointer is used. An attacker with lack of the key used to create the signatures, cannot create valid pointers for use in an exploit.
When CONFIG_ARM64_POINTER_AUTHENTICATION is selected, and relevant HW support is present, the kernel will assign a random APIAKey value to each process at exec*() time. The key is assigned at exec() time, not at process creation. So threads share a key, and parent and child will share a key after fork() until one of them calls exec().
New instructions are added which can be used to:
Insert a PAC into a pointer Strip a PAC from a pointer Authenticate strip a PAC from a pointer
PAC instruction sign pointers become not usable pointer (Pointer + PAC)
AUT instruction authenticate PAC if PAC match the result of the original pointer if not the result will be an invalid pointer (fault).
XPAC instruction stip PAC remove authentication and restored to the original pointer
The new PAC instruction can be used to calculate the authentication code and stored within pointer value. The value containing the authentication code cannot be dereferenced directly, since, without the sign-extension bits, it is no longer recognized as a valid address.
Regaining a usable pointer requires using the AUT instruction, which will recalculate the authentication code and compare it to what is found in te authenticated pointer value. If the two match, the authentication code will be removed otherwise, the pointer will be modified to ensure a fault should it be dereferenced. Thus, any attempt to use a pointer that lacks a proper authentication code will lead to a crash.
GCC 7 compiler include basic support for pointer authentication in the form of the -msign-return-address option.
Example without arm pointer authentication
0000000000000724 <main>: 724: a9bf7bfd stp x29, x30, [sp, #-16]! 728: 910003fd mov x29, sp 72c: 90000000 adrp x0, 0 <_init-0x598> 730: 911fa000 add x0, x0, #0x7e8 734: 97ffffb7 bl 610 <printf@plt> 738: d503201f nop 73c: a8c17bfd ldp x29, x30, [sp], #16 740: d65f03c0 ret 744: 00000000 .inst 0x00000000 ; undefined
Example with arm pointer authentication
0000000000000724 <main>: 724: d503233f paciasp 728: a9bf7bfd stp x29, x30, [sp, #-16]! 72c: 910003fd mov x29, sp 730: 90000000 adrp x0, 0 <_init-0x598> 734: 911fc000 add x0, x0, #0x7f0 738: 97ffffb6 bl 610 <printf@plt> 73c: d503201f nop 740: a8c17bfd ldp x29, x30, [sp], #16 744: d50323bf autiasp 748: d65f03c0 ret 74c: 00000000 .inst 0x00000000 ; undefined