ARMv8.3 Pointer Authentication
Mark Rutland <[email protected]>
Linux Security Summit
September 14, 2017
© ARM 2017
Background
Memory protections are commonly deployed today... largely prevents code injection
Focus has shifted to code reuse attacks... e.g. ROP, JOP
Various mitigations today... e.g. ASLR, execute-only memory, CFI, canaries, pointer mangling, shadow stacks... not as widely deployed... can be difficult to integrate... can have non-trivial performance / code size impact... can inhibit debugging
Pointer authentication
Optional ARMv8.3-A extension
Detects illicit modification of pointers (and data structures)... can be used to catch ROP, etc... simple to integrate... with minimal code size / performance impact
Backwards compatible subset... binaries using some features can run on any ARMv8-A CPU (without protection)... so distributions only need one set of binaries
ROP protection example
paciasp
stp fp, lr, [sp, #-FRAME_SIZE]!
mov fp, sp
< function body >
ldp fp, lr, [sp], #FRAME_SIZE
autiasp
ret
Theory
Pointer authentication basics
New instructions to sign and authenticate pointers... against a user-chosen (dynamic) context... e.g. return address is valid for a given stackframe... architecture provides mechanism, not policy
Uses a Pointer Authentication Code (PAC)... authentication metadata stored within pointer... so no additional space required
Pointer Authentication Codes
Each PAC is derived from... a pointer value... a 64-bit context value... a 128-bit secret key
PAC algorithm P can be... QARMA [1]... IMPLEMENTATION DEFINED
Instructions hide the algorithm details
[Figure: PAC = P(Pointer, Context, Key)]
[1] https://eprint.iacr.org/2016/444.pdf
Keys
Secret 128-bit value... inhibit prediction / forging of PACs
Held in system registers... can be used, but not read/written at EL0 (userspace)... limited risk of disclosure / modification
Several keys... APIAKey, APIBKey (instruction pointers)... APDAKey, APDBKey (data pointers)... APGAKey (data)
Pointers in AArch64
| Bits  | 63:56        | 55       | 54:VA_SIZE | VA_SIZE-1:0 |
|-------|--------------|----------|------------|-------------|
| Field | tag/reserved | low/high | reserved   | address     |
Pointers in AArch64 (with authentication)
PAC embedded in reserved pointer bits... e.g. 7 bits with 48-bit VA with tagging... leaving remaining bits intact
| Bits  | 63:56 | 55       | 54:VA_SIZE | VA_SIZE-1:0 |
|-------|-------|----------|------------|-------------|
| Field | tag   | low/high | PAC        | address     |
Pointers in AArch64 (with authentication)
PAC embedded in reserved pointer bits... e.g. 15 bits with 48-bit VA without tagging... leaving remaining bits intact
| Bits  | 63:56 | 55       | 54:VA_SIZE | VA_SIZE-1:0 |
|-------|-------|----------|------------|-------------|
| Field | PAC   | low/high | PAC        | address     |
Operations: sign
PAC* instructions sign pointers with PACs
Result is not a usable pointer
[Figure: P(Pointer, Context, Key) → PAC, combined with the pointer to give Pointer + PAC]
Operations: authenticate
AUT* instructions authenticate PACs
If PAC matches, result is the original pointer
If PAC doesn’t match, result is an invalid pointer → faults upon use
[Figure: P(Pointer, Context, Key) compared with the PAC held in Pointer + PAC: ✓ match → Pointer; ✗ mismatch → Invalid pointer]
Operations: strip
XPAC* instructions strip PACs
Result is the original pointer
No authentication is performed
[Figure: Pointer + PAC → Pointer]
Usage
ROP vulnerable code
stp fp, lr, [sp, #-FRAME_SIZE]!
mov fp, sp
< function body >
ldp fp, lr, [sp], #FRAME_SIZE
ret lr
ROP protection
pacia lr, sp
stp fp, lr, [sp, #-FRAME_SIZE]!
mov fp, sp
< function body >
ldp fp, lr, [sp], #FRAME_SIZE
autia lr, sp
ret lr
ROP protection (backwards compatible)
paciasp
stp fp, lr, [sp, #-FRAME_SIZE]!
mov fp, sp
< function body >
ldp fp, lr, [sp], #FRAME_SIZE
autiasp
ret lr
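The following is an added C model (not ARM's or the slides' code) of the pointer layouts above and of the sign / authenticate / strip operations, ending with the paciasp / autiasp frame sequence just shown: a return address is signed against sp, and a PAC that no longer matches yields a non-canonical pointer instead of a usable one. It assumes a 48-bit VA; `pac_mix` is a stand-in for P (not QARMA), and the error-code bit positions are a simplification.

```c
#include <stdbool.h>
#include <stdint.h>

/* Model of the slides' 48-bit VA layouts: 7 PAC bits in 54:48 with tagging,
 * 15 PAC bits (54:48 plus 63:56) without. Added example, not ARM's code. */
#define VA_SIZE       48
#define BIT55         (1ULL << 55)
#define LOW_PAC_MASK  (0x7FULL << VA_SIZE)
#define HIGH_PAC_MASK (0xFFULL << 56)
#define PAC_MASK(tagged) (LOW_PAC_MASK | ((tagged) ? 0 : HIGH_PAC_MASK))
#define ERR_MASK      (3ULL << 53)   /* model of the error code AUT* leaves on mismatch */
typedef struct { uint64_t lo, hi; } pac_key_t;   /* 128-bit key, e.g. APIAKey */

/* XPAC*: refill the PAC bits with copies of bit 55; no authentication. */
static uint64_t pac_strip(uint64_t ptr, bool tagged) {
    uint64_t m = PAC_MASK(tagged);
    return (ptr & ~m) | ((ptr & BIT55) ? m : 0);
}

/* Stand-in for P (QARMA or IMPLEMENTATION DEFINED): a keyed mix that is NOT
 * cryptographically secure; only the PAC width and placement are modelled. */
static uint64_t pac_mix(uint64_t ptr, uint64_t ctx, pac_key_t key, bool tagged) {
    uint64_t h = (ptr ^ key.lo) + ctx * 0x9E3779B97F4A7C15ULL;
    h ^= h >> 31; h *= key.hi | 1; h ^= h >> 27; h *= 0xBF58476D1CE4E5B9ULL;
    return (h ^ (h >> 33)) & PAC_MASK(tagged);
}

/* PAC*: embed P(pointer, context, key) in the reserved bits of a canonical pointer. */
static uint64_t pac_sign(uint64_t ptr, uint64_t ctx, pac_key_t key, bool tagged) {
    uint64_t canon = pac_strip(ptr, tagged);
    return (canon & ~PAC_MASK(tagged)) | pac_mix(canon, ctx, key, tagged);
}

/* AUT*: matching PAC -> original pointer; mismatch -> non-canonical pointer that faults on use. */
static uint64_t pac_auth(uint64_t sptr, uint64_t ctx, pac_key_t key, bool tagged) {
    uint64_t canon = pac_strip(sptr, tagged);
    if ((sptr & PAC_MASK(tagged)) == pac_mix(canon, ctx, key, tagged))
        return canon;
    return canon ^ ERR_MASK;
}

/* The MMU's view: usable only if the PAC bits are a sign extension of bit 55. */
static bool pac_is_canonical(uint64_t ptr, bool tagged) { return pac_strip(ptr, tagged) == ptr; }

/* The slides' frame: paciasp signed lr against sp; autiasp checks the reloaded saved_lr before ret. */
static bool frame_return_ok(uint64_t lr, uint64_t sp, uint64_t saved_lr, pac_key_t k) {
    uint64_t ret = pac_auth(saved_lr, sp, k, true);
    return pac_is_canonical(ret, true) && ret == lr;
}
```

With the hint-space encodings (paciasp / autiasp) a CPU without the extension treats both as NOPs, so `saved_lr` would simply equal `lr` and the check degrades to an unprotected return.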
Other uses
Many potential uses / contexts... locally-scoped pointers / stackframe... PLTs / PLT address (dynamic link time)... opaque pointers / logical type, owner
Architecture provides mechanism, not policy... needs careful consideration of reuse attacks
Need to avoid signing gadgets... may require multiple keys for distinct purposes
Software support
Linux Kernel
RFCs [2][3] posted
Enables userspace use... per-process APIAKey initialized at exec() time... context-switched by kernel... retained across fork()
Ptrace interface to find PAC bits (but not keys)
Basic KVM support
No kernelspace pointer authentication (yet)
[2] https://lkml.kernel.org/r/[email protected]
[3] https://lkml.kernel.org/r/[email protected]
Toolchain
Upstream GCC 7 supports -msign-return-address=[non-leaf | all]... uses APIAKey, backwards-compatible instructions (by default)
GDB support pending kernel ptrace patches
Thanks to Jiong Wang, Yao Qi
Questions?
The trademarks featured in this presentation are registered and/or unregistered trademarks of ARM limited
(or its subsidiaries) in the EU and/or elsewhere. All rights reserved. All other marks featured may be
trademarks of their respective owners.
Copyright © 2016 ARM Limited