Protecting Indirect Branches against Fault Attacks using ARM Pointer Authentication

Pascal Nasahl*, Robert Schilling, Stefan Mangard

*Corresponding author for this work

Publication type: Contribution to book/report/conference proceedings (conference paper)


With the growing number of embedded devices deployed in safety- and privacy-sensitive applications, such as in the automotive area or in the IoT, hardening these systems against attacks is becoming essential. As these devices are physically accessible to an adversary, fault attacks are frequently used to hijack the control flow of the executed program in order to bypass security defenses such as secure boot, gain arbitrary code execution, or retrieve sensitive information. To protect the control flow from this threat, control-flow integrity (CFI) aims to be an effective and generic countermeasure.

Although CFI aims to mitigate fault-induced control-flow hijacking attacks, state-of-the-art CFI schemes do not protect the target addresses themselves, so an attacker can still hijack the control flow at indirect branches by faulting the address. To counteract this threat and detect unwanted bit flips, data encoding schemes are frequently used to add redundancy to these addresses. However, software-based data encoding schemes incur large runtime overheads, making them hard to deploy at scale. To reduce this performance overhead, related work typically introduces custom CPU changes, which are not feasible for off-the-shelf systems and leave a broad range of devices unprotected. Hence, software-based address redundancy schemes for commodity devices are needed to thwart fault attacks on indirect branches.

In this paper, we utilize the pointer authentication feature of recent ARM architectures to efficiently protect the target addresses of indirect calls. In addition to the address protection, we further enhance the state update function of existing CFI schemes to protect the link between indirect control-flow transfers. To demonstrate how these defense mechanisms improve the protection of state-of-the-art CFI countermeasures, we integrate our address encoding and linking strategy into a previously introduced CFI scheme. We further extend an LLVM-based toolchain to automatically thwart fault attacks on indirect branches without user interaction. Our analysis shows a negligible overhead of less than 2.34% on average for protecting the target addresses of indirect branches and the link between indirect branches on SPEC2017.
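The following Python block is an added illustration of the mechanism the abstract relies on and is not code from the paper or from its LLVM toolchain. It models ARM pointer authentication in software: the PAC is modelled with a truncated HMAC-SHA256 instead of the QARMA-based hardware PAC, the pointer layout assumes a 48-bit virtual address space with the PAC in the upper 16 bits (TBI and the sign-extension bit are ignored), and the CFI state update at the end is a generic XOR-based sketch, not the paper's state update function. The model signs an indirect-call target the way `pacia` would, authenticates it the way `autia` would, flips every bit of the stored signed pointer in turn as a single-bit fault model, and counts how many faults the authentication rejects; it also shows that a pointer signed for one call site (modifier) is rejected at another.

```python
"""Software model of ARM pointer authentication (PAC) guarding the target address
of an indirect call against fault-induced bit flips.

Constructed illustration (not the paper's scheme): PAC modelled with HMAC-SHA256,
48-bit VA with the PAC in the upper 16 bits, and a generic CFI state sketch.
"""
import hashlib
import hmac

PTR_BITS = 64
VA_BITS = 48                        # assumption: 48-bit VA, TBI off, no sign bit
PAC_BITS = PTR_BITS - VA_BITS       # 16 PAC bits in the unused upper part
VA_MASK = (1 << VA_BITS) - 1
PAC_MASK = (1 << PAC_BITS) - 1

KEY_IA = b"constructed stand-in for the APIAKey register"


class FaultDetected(Exception):
    """Where hardware would make the pointer non-canonical and trap on use."""


def compute_pac(addr, modifier, key=KEY_IA):
    """Keyed MAC over (address, modifier), truncated to PAC_BITS (models the PAC)."""
    msg = addr.to_bytes(8, "little") + modifier.to_bytes(8, "little")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:2], "little") & PAC_MASK


def pacia(ptr, modifier):
    """Model of PACIA: sign a code pointer, placing the PAC in the upper bits."""
    addr = ptr & VA_MASK
    return (compute_pac(addr, modifier) << VA_BITS) | addr


def autia(signed_ptr, modifier):
    """Model of AUTIA: recompute the PAC; on mismatch raise instead of returning."""
    addr = signed_ptr & VA_MASK
    if (signed_ptr >> VA_BITS) & PAC_MASK != compute_pac(addr, modifier):
        raise FaultDetected(f"PAC mismatch for {signed_ptr:#018x}")
    return addr


def flip_bit(value, bit):
    """Single-bit fault model: flip one bit of a 64-bit word held in memory."""
    return value ^ (1 << bit)


def count_detected_single_bit_faults(target, modifier):
    """Flip each of the 64 bits of the stored signed pointer and count the faults
    that AUTIA rejects. A flip in the PAC bits is always caught; a flip in the
    address bits escapes only if the new address happens to yield the same
    truncated PAC, i.e. with probability about 2**-PAC_BITS per bit."""
    signed = pacia(target, modifier)
    detected = 0
    for bit in range(PTR_BITS):
        try:
            autia(flip_bit(signed, bit), modifier)
        except FaultDetected:
            detected += 1
    return detected


def cross_site_reuse_rejected(target, modifier_a, modifier_b):
    """A pointer signed for call site A (modifier_a) must not authenticate at
    call site B (modifier_b); this is what binds the signature to its use."""
    signed_for_a = pacia(target, modifier_a)
    try:
        autia(signed_for_a, modifier_b)
    except FaultDetected:
        return True
    return False


def link_indirect_call(state, signed_target, modifier):
    """Generic sketch (assumption, not the paper's function) of a CFI state update
    that links the indirect branch to its target: the authenticated address is
    folded into the running state so the callee can compare it with the value
    the compiler expects at its entry."""
    return state ^ autia(signed_target, modifier)


def callee_entry_check(state, expected_state):
    """Callee-side check of the linked state; a wrong predecessor is a fault."""
    if state != expected_state:
        raise FaultDetected(f"CFI state {state:#x} != expected {expected_state:#x}")
    return True


if __name__ == "__main__":
    target = 0x0000_0000_0040_1000          # constructed code address
    site = 0x1                              # constructed call-site modifier
    print("round trip ok:", autia(pacia(target, site), site) == target)
    print("single-bit faults detected:",
          count_detected_single_bit_faults(target, site), "of", PTR_BITS)
    print("cross-site reuse rejected:", cross_site_reuse_rejected(target, 1, 2))
```

The exhaustive loop makes the detection argument concrete: every flip in the 16 PAC bits is rejected outright, and a flip in one of the 48 address bits survives only on a PAC collision, so the expected count is within one of 64. The hardware PAC is shorter when more VA bits are in use, and this model does not represent that trade-off.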
Title: 2021 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)
Publication status: Accepted/In press - Jul 2021
Event: 2021 IEEE International Symposium on Hardware Oriented Security and Trust: HOST 2021 - Washington DC, USA
Duration: 12 Dec 2021 to 15 Dec 2021


Conference: 2021 IEEE International Symposium on Hardware Oriented Security and Trust
Short title: HOST 2021
Country: USA
City: Washington DC

