Notes about ARM pointer authentication
This post records some notes about ARM pointer authentication.
Core purpose
The core purpose of Pointer Authentication (PA) is to verify that a pointer (such as a return address or a function pointer) has not been maliciously tampered with. It does this by attaching a cryptographic authentication code (a PAC, Pointer Authentication Code) to the pointer and verifying that code before the pointer is used.
How it works
- Generating the PAC (signing):
  - Using a key (held in CPU registers), the pointer's virtual address, and additional context information (such as the stack pointer), a cryptographic algorithm (ARM chose QARMA) produces a short PAC for the pointer.
  - The PAC is stored in the unused high bits of the pointer value. On a 64-bit architecture the virtual address normally does not occupy all 64 bits (e.g., 48 bits are used), so the high bits are free.
- Verifying and restoring (authentication):
  - Before the pointer is used (e.g., before a function returns), the CPU executes an authentication instruction (such as AUT*).
  - The same key and context are used to recompute the PAC, which is then compared with the PAC stored in the pointer.
  - If they match, the PAC is removed, the original pointer is restored, and the program continues normally.
  - If they do not match, the pointer is set to an invalid value; using it normally raises an exception (such as a segmentation fault), which stops the attack.
Pointer Authentication in ARMv8.3-A
PA is intended for checking the integrity of pointers with minimal size and performance impact. It is available when the processor executes in 64-bit ARM state (AArch64). PA adds instructions for creating and authenticating pointer authentication codes (PACs). The PAC is a tweakable message authentication code (MAC) calculated over the pointer value and a 64-bit modifier as the tweak. Different combinations of key and modifier pairs allow domain separation among different classes of authenticated pointers. This prevents authenticated pointer values from being arbitrarily interchangeable with one another.
PA provides five different keys for PAC generation: two for code pointers, two for data pointers, and one for generic use. The keys are stored in hardware registers configured to be accessible only from a higher privilege level: e.g., the kernel maintains the keys for a user space process, generating keys for each process at process exec. The keys remain constant throughout the process lifetime, whereas the modifier is given in an instruction-specific register operand on each PAC creation and authentication (i.e., MAC verification). Thus it can be used to describe the run-time context in which the pointer is created and used. The modifier value is not necessarily confidential but ideally such that it 1) precisely describes the context of use in which the pointer is valid, and 2) cannot be influenced by the attacker.
Example: PA-based return address signing
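As an added illustration (not code from the original notes), a small C model of PAC signing and authentication for a return address: the PAC lives in the high bits above a 48-bit address, the stack pointer is the modifier, and a keyed XOR fold stands in for QARMA, an assumption made only so the mechanics stay readable. `pa_sign`, `pa_auth`, `demo_key` and the sample addresses are constructed names and values.

```c
#include <stdint.h>
#include <stdio.h>
/* Model parameters (constructed for this example): 48-bit virtual addresses,
   so bits 48..62 are free to hold a 15-bit PAC; bit 63 is left untouched as
   the user/kernel address-space selector. */
#define VA_BITS  48
#define VA_MASK  ((1ULL << VA_BITS) - 1)
#define PAC_MASK (((1ULL << 63) - 1) & ~VA_MASK)
#define POISON   (1ULL << 62)  /* set on failure: the pointer becomes non-canonical */

typedef struct { uint64_t lo, hi; } pa_key_t;  /* one 128-bit key, e.g. APIBKey */
static const pa_key_t demo_key = { 0x0123456789ABCDEFULL, 0xFEDCBA9876543210ULL };
/* Stand-in for QARMA: a keyed XOR fold of pointer and modifier down to 15 bits.
   It is not a real MAC; it only keeps the property the mechanics rely on, that
   the PAC is a function of (key, pointer, modifier). */
static uint64_t pac_compute(pa_key_t k, uint64_t ptr, uint64_t modifier) {
    uint64_t x = (ptr & VA_MASK) ^ modifier ^ k.lo ^ ((k.hi << 7) | (k.hi >> 57));
    uint64_t pac = 0;
    for (int i = 0; i < 64; i += 15) pac ^= (x >> i) & 0x7FFF;
    return pac << VA_BITS;  /* place the PAC in the unused high bits */
}

/* PACIB-style: sign a pointer with the modifier (SP for a return address). */
uint64_t pa_sign(pa_key_t k, uint64_t ptr, uint64_t modifier) {
    return (ptr & ~PAC_MASK) | pac_compute(k, ptr, modifier);
}

/* AUTIB-style: recompute the PAC; on a match strip it and return the original
   pointer, on a mismatch return a poisoned pointer that faults when used. */
uint64_t pa_auth(pa_key_t k, uint64_t signed_ptr, uint64_t modifier) {
    uint64_t plain = signed_ptr & ~PAC_MASK;
    if (pac_compute(k, plain, modifier) == (signed_ptr & PAC_MASK)) return plain;
    return plain | POISON;
}

int pa_is_canonical(uint64_t ptr) { return (ptr & ~VA_MASK) == 0; }

int main(void) {
    uint64_t ret = 0x0000AAAABBBB1234ULL, sp = 0x00007FFFC0DE0000ULL;  /* constructed */
    uint64_t lr = pa_sign(demo_key, ret, sp);
    printf("signed LR      : %016llx\n", (unsigned long long)lr);
    printf("auth, same SP  : %016llx\n", (unsigned long long)pa_auth(demo_key, lr, sp));
    /* Return address overwritten in memory while the old PAC bits are kept. */
    uint64_t forged = (lr & PAC_MASK) | 0x0000AAAABBBB4141ULL;
    printf("auth, tampered : %016llx\n", (unsigned long long)pa_auth(demo_key, forged, sp));
    /* A valid signed LR replayed in a different frame (different SP). */
    printf("auth, other SP : %016llx\n", (unsigned long long)pa_auth(demo_key, lr, sp + 0x20));
    return 0;
}
```

The tampered and replayed cases come back with bit 62 set, so any branch through them faults rather than landing at the attacker's address; this is the behaviour the notes describe for a failed AUT*.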
References: