BTI - AshokBhat/notes GitHub Wiki

About

  • Branch Target Indication
  • First introduced in Armv8.5-A to prevent Jump-Oriented Programming related attacks

How does it work?

  • BTI instructions serve as landing pad instructions
  • The processor can be configured so that indirect branches (BR and BLR) may only target landing pad instructions
  • If the target of an indirect branch is not a landing pad, a Branch Target Exception is generated

BTI protection

Compiler support

  • Compilers (clang and gcc) support -mbranch-protection option

    Option                          Description
    -mbranch-protection=bti         Enables branch protection using BTI
    -mbranch-protection=standard    Enables PAC (pac-ret) and BTI (bti)
    -mbranch-protection=none        Disables all types of branch protection
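
To confirm that a build actually ended up BTI-marked, you can inspect the AArch64 feature bits the toolchain records in the ELF `.note.gnu.property` section; the linker only keeps the BTI bit when every input object carries it. The parser below is an added example, not part of the original notes, and assumes you already have the raw section bytes (ELF64, little-endian); `branch_protection` and `make_note` are hypothetical helper names, and the sample notes are constructed.

```python
import struct

# Constants from the GNU property note ABI for AArch64.
NT_GNU_PROPERTY_TYPE_0 = 5
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
FEATURE_BITS = {0x1: "BTI", 0x2: "PAC"}


def align(n, a):
    return (n + a - 1) & ~(a - 1)


def branch_protection(section: bytes) -> set:
    """Features marked in raw .note.gnu.property bytes (ELF64, little-endian)."""
    found, off = set(), 0
    while off + 12 <= len(section):
        namesz, descsz, ntype = struct.unpack_from("<III", section, off)
        name_at = off + 12
        desc_at = name_at + align(namesz, 4)
        name = section[name_at:name_at + namesz]
        desc = section[desc_at:desc_at + descsz]
        off = desc_at + align(descsz, 8)
        if name != b"GNU\0" or ntype != NT_GNU_PROPERTY_TYPE_0:
            continue  # skip unrelated notes
        p = 0
        while p + 8 <= len(desc):  # each property: type, datasz, data, pad to 8
            pr_type, pr_datasz = struct.unpack_from("<II", desc, p)
            data = desc[p + 8:p + 8 + pr_datasz]
            p += 8 + align(pr_datasz, 8)
            if pr_type == GNU_PROPERTY_AARCH64_FEATURE_1_AND and len(data) >= 4:
                bits = struct.unpack_from("<I", data)[0]
                found |= {n for b, n in FEATURE_BITS.items() if bits & b}
    return found


def make_note(bits: int) -> bytes:
    """Constructed sample: one GNU note holding one FEATURE_1_AND property."""
    prop = struct.pack("<III4x", GNU_PROPERTY_AARCH64_FEATURE_1_AND, 4, bits)
    return struct.pack("<III4s", 4, len(prop), NT_GNU_PROPERTY_TYPE_0, b"GNU\0") + prop


if __name__ == "__main__":
    # Constructed bit patterns for each option in the table above
    # (with "none" a real toolchain typically emits no such property at all).
    for flag, bits in (("bti", 0x1), ("standard", 0x3), ("none", 0x0)):
        marks = sorted(branch_protection(make_note(bits))) or ["unprotected"]
        print(f"-mbranch-protection={flag}: {', '.join(marks)}")
```

A binary that was compiled with `-mbranch-protection=bti` but reports no BTI bit here usually means at least one linked object or library was built without it.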

See also

  • Armv8.5-A | PAC | MTE

Resources