Software-Emulated Pointer Authentication for Control-Flow Integrity Protection
- Type of thesis: Bachelor's thesis
- Status: completed
- Supervisors: Gabriele Serra, Florian Rommel, Daniel Lohmann
- Author: Illia Ostapyshyn
The shortcomings of existing Control-Flow Integrity techniques, in particular their significant performance overhead, have motivated the development of hardware-based solutions. One such protection technique is the pointer authentication code (PAC) mechanism introduced in the ARMv8.3-A architecture. Facilitated by hardware support, this feature provides an efficient means of protecting code and data pointers with negligible performance and memory overhead. In line with the expectation that this technique will find wide adoption in the industry, mainstream operating systems and major compilers already support PAC. However, commercial off-the-shelf SoCs with hardware that includes this protection mechanism are currently scarce.
This work presents a software-emulated pointer authentication mechanism implemented as a Linux kernel extension. To avoid the performance overhead of context switching, the communication between userspace applications and the OS extension does not involve system calls. Instead, the communication takes place exclusively via a shared memory area. The user fully commits one or more CPU cores to continuously poll the shared memory and process incoming pointer authentication requests. The kernel extension and the accompanying GCC plugin constitute a complete CFI solution for return address protection. To further mitigate the run-time overhead, the GCC plugin features several heuristics to omit the authentication for functions where a stack-buffer overflow is unlikely. The evaluation using the multithreaded memory-caching system memcached shows a moderate increase in average response latency of 2.7% on x86-64 and 30.3% on AArch64. This thesis builds upon and seeks to benefit related work on the emulation of ARMv8.3-A pointer authentication by presenting solutions for the support of multithreaded applications and an improved code instrumentation plugin for return address protection.
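The shared-memory request path described above can be sketched as follows; this is an added example, not code from the thesis. The slot layout, all names, the 48-bit address split and the keyed mixer (a stand-in, not the QARMA cipher used by ARM hardware) are assumptions made for illustration.

```c
#include <stdatomic.h>
#include <stdint.h>

#define VA_BITS 48                      /* assumed: 48-bit user addresses */
#define VA_MASK ((1ULL << VA_BITS) - 1) /* upper 16 bits carry the PAC */

enum { SLOT_IDLE, SLOT_SIGN, SLOT_AUTH, SLOT_DONE };

/* Hypothetical request slot placed in the shared memory area. */
struct pac_slot {
    _Atomic int state;
    uint64_t ptr, modifier, result;
    int ok;
};

/* Stand-in keyed mixer: NOT QARMA and not cryptographically strong. */
static uint64_t mac16(uint64_t key, uint64_t addr, uint64_t mod) {
    uint64_t x = addr ^ key ^ (mod * 0x9E3779B97F4A7C15ULL);
    x ^= x >> 33; x *= 0xFF51AFD7ED558CCDULL;
    x ^= x >> 33; x *= 0xC4CEB9FE1A85EC53ULL;
    x ^= x >> 33;
    return x >> VA_BITS;
}

/* Service side: one polling step; returns 1 if a request was served. */
static int pac_poll_once(struct pac_slot *s, uint64_t key) {
    int op = atomic_load_explicit(&s->state, memory_order_acquire);
    if (op != SLOT_SIGN && op != SLOT_AUTH) return 0;
    uint64_t addr = s->ptr & VA_MASK;
    uint64_t tag = mac16(key, addr, s->modifier);
    s->ok = (op == SLOT_SIGN) || (s->ptr >> VA_BITS) == tag;
    if (op == SLOT_SIGN) s->result = addr | (tag << VA_BITS);
    else s->result = s->ok ? addr : 0;  /* failed check: unusable pointer */
    atomic_store_explicit(&s->state, SLOT_DONE, memory_order_release);
    return 1;
}

/* Client side: publish a request; the caller then spins until SLOT_DONE. */
static void pac_post(struct pac_slot *s, int op, uint64_t ptr, uint64_t mod) {
    s->ptr = ptr;
    s->modifier = mod;
    atomic_store_explicit(&s->state, op, memory_order_release);
}

/* Single-threaded round trip for demonstration: post, serve, collect. */
static uint64_t pac_roundtrip(struct pac_slot *s, uint64_t key, int op,
                              uint64_t ptr, uint64_t mod) {
    pac_post(s, op, ptr, mod);
    while (!pac_poll_once(s, key)) { }
    atomic_store_explicit(&s->state, SLOT_IDLE, memory_order_relaxed);
    return s->result;
}
```

In a deployment along the lines the abstract describes, `pac_poll_once` would run in a loop on the dedicated core while instrumented function prologues and epilogues call `pac_post` and spin on the slot state.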