PAC - AshokBhat/notes GitHub Wiki

About

  • Pointer Authentication Codes (PAC)
  • First introduced in Armv8.3-A
  • Can mitigate Return-Oriented Programming (ROP) attacks

Description

  • Cryptographically sign pointer addresses
  • Before jumping to a pointer the signature is checked and an error occurs if the check fails.

PAC in action

Compiler options

  • Compilers (clang and gcc) support the -mbranch-protection option
  • -mbranch-protection=pac-ret enables branch protection using PAC
  • pac-ret enables return address signing for non-leaf functions using the A-key.
  • +leaf increases the scope of return address signing to include leaf functions.
  • +b-key uses B-key instructions to sign addresses instead of A-key instructions
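As an added example (not part of this wiki page), a small Python checker that reads the `.s` output of `gcc -S -mbranch-protection=...` or `clang -S -mbranch-protection=...` and reports, per function, whether the return address is signed and with which key, so that pac-ret, +leaf and +b-key can be verified in a build. The sample listing it carries is constructed, not real compiler output.

```python
import re

# LR sign/authenticate mnemonics; 'hint #N' are the NOP-space encodings that
# older disassemblers print for the same instructions.
SIGN = {"paciasp": "A", "pacibsp": "B", "hint #25": "A", "hint #27": "B"}
AUTH = {"autiasp": "A", "autibsp": "B", "retaa": "A", "retab": "B",
        "hint #29": "A", "hint #31": "B"}
LABEL = re.compile(r"^([A-Za-z_$][\w.$]*):")  # global labels; .Lx locals skipped

def classify(asm: str) -> dict:
    """{func: {'leaf': no bl/blr, 'key': 'A'|'B'|None}}; key is set only when
    the prologue signs and the epilogue authenticates with the same key."""
    funcs, cur = {}, None
    for raw in asm.splitlines():
        text = " ".join(raw.split("//")[0].split())  # strip comment, squeeze ws
        m = LABEL.match(text)
        if m:
            cur = m.group(1)
            funcs[cur] = {"leaf": True, "sign": None, "auth": None}
            continue
        if cur is None or not text or text.startswith("."):
            continue  # blank line, directive, or code before any label
        mnem = text.split(" ")[0]
        tok = text if mnem == "hint" else mnem
        if mnem in ("bl", "blr"):
            funcs[cur]["leaf"] = False
        elif tok in SIGN:
            funcs[cur]["sign"] = SIGN[tok]
        elif tok in AUTH:
            funcs[cur]["auth"] = AUTH[tok]
    return {n: {"leaf": f["leaf"], "key": f["sign"] if f["sign"] == f["auth"] else None}
            for n, f in funcs.items()}

# Constructed sample (not compiler output) in GCC syntax: the unsigned leaf and
# A-key non-leaf that pac-ret yields, plus a B-key leaf as +leaf+b-key would.
SAMPLE_ASM = """
leaf_plain:
    add w0, w0, 1
    ret
caller:
    paciasp
    stp x29, x30, [sp, -16]!
    bl leaf_plain
    ldp x29, x30, [sp], 16
    autiasp
    ret
leaf_bkey:
    pacibsp
    retab
"""
```

A function that signs with one key but authenticates with the other, or signs without authenticating, is reported with key None, so a half-applied option does not pass as protected.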

Usage in Apple devices

  • Return addresses are signed
    • with a key that’s unique per process,
    • using a salt derived from the stack pointer.
  • Function pointers are signed
    • with a key that’s fixed across all processes,
    • allowing sharing of library code between processes.
  • Virtual method table entries are signed
    • with a key that’s shared across all apps,
    • using a salt derived from the method signature.

See also

  • Armv8.3-A | BTI | MTE

Resources