Arm Pointer Authentication (PAuth) and Branch Target Identification (BTI) are hardware-assisted protections against control-flow integrity attacks. Widely deployed in architectures of major System-on-Chip vendors, these technologies play a critical role in raising the bar against software exploitation.
In this talk, we will explore PAuth and BTI, focusing on their implementation and effectiveness.
We will begin with an overview of the types of attacks that led to the development of PAuth and BTI, emphasizing the need for hardware-enforced protections in the security ecosystem. Next, we will take a deep dive into the implementation, closely examining the additions made to the instruction set architecture and system registers to implement these features. We will complement this with an overview of compiler support, shedding light on the role of compilers in leveraging these features to enforce control-flow integrity, and provide some real-world examples that explore the quality of compiler implementation in this context. Next, we will evaluate the effectiveness of these mitigations both from probabilistic and quantitative perspectives. By considering parameters such as the probability of a successful attack and the prevalence of gadgets, we will provide insights into the effectiveness of PAuth and BTI. Finally, we will explore the impact of deploying PAuth and BTI and present measurements on system performance and code size to provide a comprehensive evaluation.
Quick Info
Content
Speaker
Michalis Pappas
Michalis is an engineer specializing in ARM-based systems, security, and virtualization technologies. He currently works on lightweight virtualization at unikraft.io and is an active contributor to the open-source Unikraft project. Previously, he worked on board bring-up, secure boot, trusted execution environments, and virtualization for embedded automotive systems.