PAC it up: Towards Pointer Integrity using ARM Pointer Authentication

“…Due to lack of publicly available PA-capable hardware we have used an evaluation approach similar to prior work [8,9]. We used the ARMv8-A Base Platform Fixed Virtual Platform (FVP), based on Fast Models 11.5, which supports ARMv8.3-A for functional evaluation.…”

“…Signed return addresses provides similar protection to stack canaries, i.e., if a stack-buffer overflow corrupts the return address, this is detected when the return address is verified before returning from a function (Figure 3). However, PA is vulnerable to reuse attacks where previously encountered signed pointers can be used to used to replace latter signed pointers using the same key and modifier [9]. For instance, -msign-return-address can be circumvented by reusing a prior return address signed using the same SP value.…”

“…PA-based return-address protection [8,9,14] already effectively serves as a canary by detecting return-address corruption. We therefore propose a design that can be efficiently and easily integrated with existing return-address protection schemes, but also provide a stand-alone setup.…”

“…The recently introduced ARMv8.3-A pointer authentication (PA) [1] hardware can be used to verify return addresses [14], effectively turning the return address itself into a stack canary. However, PA on its own is susceptible to reuse attacks, where an attacker substitutes one authenticated pointer with another [9]. State-of-the-art schemes harden A stack canary is a value placed on the stack so that it will be overwritten by a stack buffer that overflows to the return address.…”

Protecting the stack with PACed canaries

“…Due to lack of publicly available PA-capable hardware we have used an evaluation approach similar to prior work [8,9]. We used the ARMv8-A Base Platform Fixed Virtual Platform (FVP), based on Fast Models 11.5, which supports ARMv8.3-A for functional evaluation.…”

“…Signed return addresses provides similar protection to stack canaries, i.e., if a stack-buffer overflow corrupts the return address, this is detected when the return address is verified before returning from a function (Figure 3). However, PA is vulnerable to reuse attacks where previously encountered signed pointers can be used to used to replace latter signed pointers using the same key and modifier [9]. For instance, -msign-return-address can be circumvented by reusing a prior return address signed using the same SP value.…”

“…PA-based return-address protection [8,9,14] already effectively serves as a canary by detecting return-address corruption. We therefore propose a design that can be efficiently and easily integrated with existing return-address protection schemes, but also provide a stand-alone setup.…”

“…The recently introduced ARMv8.3-A pointer authentication (PA) [1] hardware can be used to verify return addresses [14], effectively turning the return address itself into a stack canary. However, PA on its own is susceptible to reuse attacks, where an attacker substitutes one authenticated pointer with another [9]. State-of-the-art schemes harden A stack canary is a value placed on the stack so that it will be overwritten by a stack buffer that overflows to the return address.…”

Protecting the stack with PACed canaries

“…One initial use case of PA is the signing and verification of return addresses [39]. However, current PA schemes are vulnerable to reuse attacks, where the adversary can reuse previously observed valid protected pointers [31]. Prior work [31,39] and current implementations by GCC 1 and LLVM 2 mitigate reuse attacks, but cannot completely prevent them.…”

Authenticated Call Stack