Most attacks against software rely on subverting a program's control flow to execute malicious code. Control-flow integrity (CFI) refers to a set of security techniques that aim to restrict a program's control flow to the paths intended by its original code. In this talk we will explore the state-of-the-art in CFI mitigations on Arm-based systems, namely Pointer Authentication (PAuth) and Branch Target Identification (BTI). These are hardware-assisted mechanisms deployed in the latest System-on-Chip architectures, raising the bar against software exploitation.
We will begin with an overview of the attack vectors that motivated the development of these mitigations. Next, we will dive into the implementation details, examining Arm's additions to the instruction set and system registers. We will complement this discussion with an overview of compiler support, and provide some real-world examples of protected code. Moving on, we will evaluate the effectiveness of PAuth and BTI, using metrics like the likelihood of successful attacks, and the prevalence of gadgets. Finally, we will investigate the impact of deploying PAuth and BTI on system performance and code size, to provide a comprehensive evaluation.
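As an added illustration (not material from the talk or the speaker), the following is the kind of AArch64 assembly that GCC or Clang emit for a small function when built with `-mbranch-protection=standard` (pac-ret plus bti). The functions `process` and `helper` are constructed for this example; the instructions and their semantics are Arm's.

```asm
// Constructed example: two functions compiled for AArch64 with
// -mbranch-protection=standard (PAC-protected return address + BTI).
    .text
    .globl  process
    .type   process, %function
process:
    // PAuth: sign the return address in x30 (LR) with key IA, using the
    // current SP as the modifier. The PAC lands in the otherwise unused
    // upper bits of x30. PACIASP also counts as a BTI landing pad, so no
    // separate "bti c" is needed at this entry.
    paciasp
    stp     x29, x30, [sp, #-16]!     // spill FP and the signed LR to the stack
    mov     x29, sp
    bl      helper                    // direct call; no landing pad needed here
    ldp     x29, x30, [sp], #16       // reload the signed LR (may have been overwritten)
    // PAuth: verify and strip the PAC. On a mismatch the CPU either yields an
    // unusable address or faults (FEAT_FPAC), so a corrupted saved return
    // address cannot redirect RET.
    autiasp
    ret

    .globl  helper
    .type   helper, %function
helper:
    // BTI: a function that may be reached by an indirect call starts with a
    // landing pad. A BR/BLR into any other instruction of a page whose
    // guarded-page (GP) bit is set raises a Branch Target exception.
    // This leaf never spills LR, so pac-ret emits no PACIASP/AUTIASP for it.
    bti     c
    mov     w0, #1
    ret
```

Two points a practitioner should check when deploying this: the PAuth and BTI instructions live in the HINT space, so the same binary runs unchanged (with the checks silently absent) on cores without the features; and the kernel and dynamic loader only map a segment with GP set if the ELF carries the GNU BTI property note, which the linker emits only when every input object was built with branch protection, so one unprotected object file disables BTI for the whole mapping.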
Quick Info
Content
Audience Requirements
Basic understanding of buffer overflows and return-oriented programming (ROP) would be useful, but not necessary, for keeping up with this talk.
Speaker
Michalis Pappas
Michalis is an engineer specializing in ARM-based systems, security, and virtualization technologies. He currently works on lightweight virtualization at unikraft.io and is an active contributor to the open-source Unikraft project. Previously, he worked on board bring-up, secure boot, trusted execution environments, and virtualization for embedded automotive systems.