Pointer Authentication
USENIX Security '19 - PAC it up: Towards Pointer Integrity using ARM Pointer Authentication
There are two main operations needed for Pointer Authentication: computing and adding a PAC, and verifying a PAC and restoring the pointer value. These are handled by the PAC* and AUT* sets of instructions respectively. If verification fails during the AUT instruction, the processor replaces the PAC with a specific pattern that makes the pointer value an illegal address. The actual error detection happens through the illegal address exception when an invalid pointer is dereferenced. This design decouples error handling from the instruction and removes the need to use additional instructions for error handling. The exception handler can distinguish between an illegal address exception and an authentication failure by checking the pattern that the AUT instruction uses to signal the error.
Pointer Authentication Code for Instruction Address Stack Pointer
Pointer Authentication Code for Instruction Base Stack Pointer
Branch Target Identification
Memory Tagging Extension
AAPCS64 -> ARM Architecture Procedure Call Standard for 64-bit
These routines can be used for error handling recovery, and are included in <setjmp.h>
Saves the current execution context into a variable of type jmp_buf. It returns 0 on the first call, and a value different from zero if program control is restored with longjmp.
Loads the execution context env saved by a previous call to setjmp. If the function that called setjmp has exited, the behavior is undefined (in other words, only long jumps up the call stack are allowed).
#include <math.h>
#include <setjmp.h>
#include <stdio.h>
typedef enum { DIV_BY_ZERO = 1 } division_exceptions;
jmp_buf divide_exception_h;
float divide(float x, float y) {
if (y < 1e-6) {
longjmp(divide_exception_h, DIV_BY_ZERO);
}
return x / y;
}
int main(int argc, char **argv) {
switch (setjmp(divide_exception_h)) {
case 0:
float a = 1.0f;
float b = 2.0f;
float r = divide(a, b);
printf("%f = %f / %f\n", r, a, b);
break;
case DIV_BY_ZERO:
printf("Cannot divide by zero...\n");
break;
}
switch (setjmp(divide_exception_h)) {
case 0:
float a = 1.0f;
float b = 0.0f;
float r = divide(a, b);
printf("%f = %f / %f\n", r, a, b);
break;
case DIV_BY_ZERO:
printf("Cannot divide by zero...\n");
break;
}
return 0;
}Special care is taken with X18 register which is reserved as a platform register.
jmp_buf is defined at src. Which stores register states.
add_entrypoint_object definition
[[gnu::naked]] attribute
Use this attribute on the ARM, AVR, MCORE, MSP430, NDS32, RL78, RX and SPU ports to indicate that the specified function does not need prologue/epilogue sequences generated by the compiler. It is up to the programmer to provide these sequences. The only statements that can be safely included in naked functions are asm statements that do not have operands. All other statements, including declarations of local variables, if statements, and so forth, should be avoided. Naked functions should be used to implement the body of an assembly function, while allowing the compiler to construct the requisite function declaration for the assembler.
