Protecting Indirect Branches against Fault Attacks using ARM Pointer Authentication

Pascal Nasahl*, Robert Schilling, Stefan Mangard

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference paperpeer-review


With the growing number of embedded devices deployed in safety- and privacy-sensitive applications, such as in the automotive area or in the IoT, the hardening of these systems against attacks is getting essential. As these devices are physically accessible by an adversary, fault attacks are frequently used to hijack the control-flow of the executed program and bypass security defenses such as secure boot, gain arbitrary code execution, or retrieve sensitive information. To protect the control-flow from this threat, control-flow integrity (CFI) aims to be an effective and generic countermeasure.

Although CFI aims to mitigate fault induced control-flow hijacking attacks, state-of-the-art CFI schemes do not protect addresses, allowing an attacker to still hijack the control-flow of indirect branches. To counteract this threat and detect unwanted bit flips, data encoding schemes are frequently used to add redundancy to these addresses. However, software-based data encoding schemes yield large runtime overheads, making them hard to deploy on a larger scale. To reduce this performance overhead, related work typically introduces custom CPU changes, which are not feasible for off-the-shelf systems, leaving a broad range of devices unprotected. Hence, software-based address redundancy schemes for commodity devices are needed to thwart fault attacks on indirect branches.

In this paper, we utilize the ARM pointer authentication feature of recent ARM architectures to efficiently protect the target addresses of indirect calls. In addition to the address protection, we further enhance the state update function of existing CFI schemes to protect the link between indirect control-flow transfers. To demonstrate how these defense mechanisms improve the protection of state-of-the-art CFI countermeasures, we integrate our address encoding and linking strategy into a previously introduced CFI scheme. We further extend a LLVM-based toolchain to automatically thwart fault attacks on indirect branches without user interaction. Our analysis shows an negligible overhead of less than 2.34% on average for protecting target addresses of indirect branches and the link between indirect branches for SPEC2017.
Original languageEnglish
Title of host publication2021 IEEE International Symposium on Hardware Oriented Security and Trust (HOST)
Publication statusAccepted/In press - Jul 2021
Event2021 IEEE International Symposium on Hardware Oriented Security and Trust: HOST 2021 - Washington DC, United States
Duration: 12 Dec 202115 Dec 2021


Conference2021 IEEE International Symposium on Hardware Oriented Security and Trust
Abbreviated titleHOST 2021
Country/TerritoryUnited States
CityWashington DC
Internet address


Dive into the research topics of 'Protecting Indirect Branches against Fault Attacks using ARM Pointer Authentication'. Together they form a unique fingerprint.

Cite this