PACSafe: Leveraging ARM Pointer Authentication for Memory Safety in C/C++

by   Konrad Hohentanner, et al.

Memory safety bugs remain in the top ranks of security vulnerabilities, even after decades of research on their detection and prevention. Various mitigations have been proposed for C/C++, ranging from language dialects to instrumentation. Among these, compiler-based instrumentation is particularly promising, not requiring manual code modifications and being able to achieve precise memory safety. Unfortunately, existing compiler-based solutions compromise in many areas, including performance but also usability and memory safety guarantees. New developments in hardware can help improve performance and security of compiler-based memory safety. ARM Pointer Authentication, added in the ARMv8.3 architecture, is intended to enable hardware-assisted Control Flow Integrity. But since its operations are relatively generic, it also enables other, more comprehensive hardware-supported runtime integrity approaches. As such, we propose PACSafe, a memory safety approach based on ARM Pointer Authentication. PACSafe uses pointer signatures to retrofit full memory safety to C/C++ programs, protecting heap, stack, and globals against temporal and spatial vulnerabilities. We present a full, LLVM-based prototype implementation, running on an M1 MacBook Pro, i.e., on actual ARMv8.3 hardware. Our prototype evaluation shows that the system outperforms similar approaches under real-world conditions. This, together with its compatibility with uninstrumented libraries and cryptographic protection against attacks on metadata, makes PACSafe a viable solution for retrofitting memory safety to C/C++ programs.


PTAuth: Temporal Memory Safety via Robust Points-to Authentication

Temporal memory corruptions are commonly exploited software vulnerabilit...

PAC it up: Towards Pointer Integrity using ARM Pointer Authentication

Run-time attacks against programs written in memory-unsafe programming l...

Fat Pointers for Temporal Memory Safety of C

Temporal memory safety bugs, especially use-after-free and double free b...

MESH: A Memory-Efficient Safe Heap for C/C++

While memory corruption bugs stemming from the use of unsafe programming...

SPAM: Stateless Permutation of Application Memory

In this paper, we propose the Stateless Permutation of Application Memor...

RV-CURE: A RISC-V Capability Architecture for Full Memory Safety

Despite decades of efforts to resolve, memory safety violations are stil...

Please sign up or login with your details

Forgot password? Click here to reset