Pointer Authentication on ARM (PAC)
Why PAC Exists
Return Oriented Programming (ROP) is a software attack where the attacker corrupts the return address stored on the stack so that it points somewhere else.
Pointer Authentication is a feature available for ARMv8.3-A and ARMv9.0-A (and later) Arm architectures, to provide some protection against such attacks. A Pointer Authentication Code (PAC) is generated from the value of a given pointer, and is used to verify pointers before using them.
If attackers attempt to modify such a pointer in memory, they will also need to compute the right PAC signature for it. Using the ROP example, if the return address stored on the stack is signed and verified before returning to it, the attacker will not be able to control the program flow, and an exception is raised.
The Core Idea
- When a pointer is created (for example, a return address saved on the stack), the CPU generates a PAC using:
  - The pointer value
  - A secret key (only the CPU knows it)
  - A “context” value (like a stack pointer, function ID, or arbitrary modifier)
- The PAC is stored inside the pointer itself.
- Later, when the pointer is used, the CPU re-checks the PAC. If the check fails, it leads to an exception.
Info on how a PAC is generated is found in the PAC note.
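The sign-then-verify flow from the list above, as a small software model in C. This is an added example, not code from the original page, and it does not reproduce how the hardware computes a PAC. The 48-bit address split, `KEY`, `mix()` and all function names are assumptions for illustration; the counting helper goes slightly beyond the text by trying many modified addresses and contexts.

```c
#include <stdint.h>
#include <stdio.h>

/* Software model of the sign/verify flow only. Real hardware uses a dedicated
   cipher with keys the program cannot read; mix() and KEY are stand-ins. */
#define VA_BITS 48                     /* assumed: upper 16 bits hold the PAC */
#define VA_MASK ((1ULL << VA_BITS) - 1)
static const uint64_t KEY = 0x0123456789abcdefULL;    /* constructed secret */

static uint64_t mix(uint64_t x) {      /* splitmix64 finalizer, not a real MAC */
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    return x ^ (x >> 31);
}
/* PAC = keyed function of pointer value, secret key and context. */
static uint64_t compute_pac(uint64_t addr, uint64_t ctx) {
    return mix(mix(addr ^ KEY) ^ ctx) >> VA_BITS;
}
/* Sign: the PAC is stored in the unused upper bits of the pointer itself. */
uint64_t pac_sign(uint64_t ptr, uint64_t ctx) {
    uint64_t addr = ptr & VA_MASK;
    return addr | (compute_pac(addr, ctx) << VA_BITS);
}

/* Authenticate: returns the stripped pointer, or 0 to stand for the exception. */
uint64_t pac_auth(uint64_t signed_ptr, uint64_t ctx) {
    uint64_t addr = signed_ptr & VA_MASK;
    return (signed_ptr >> VA_BITS) == compute_pac(addr, ctx) ? addr : 0;
}

/* Keep the stored PAC but change the address by addr_step*i and/or the context
   by ctx_step*i, for i = 1..n; returns how many variants still authenticate. */
int count_accepted(uint64_t s, uint64_t ctx, uint64_t addr_step, uint64_t ctx_step, int n) {
    int ok = 0;
    for (int i = 1; i <= n; i++) {
        uint64_t addr = ((s & VA_MASK) + addr_step * i) & VA_MASK;
        ok += pac_auth((s & ~VA_MASK) | addr, ctx + ctx_step * i) != 0;
    }
    return ok;
}

int main(void) {
    /* Constructed sample values: a return address and a stack pointer as context. */
    uint64_t ret = 0x0000aaaabbbb1000ULL, sp = 0x0000ffffe0001000ULL, s = pac_sign(ret, sp);
    printf("untouched pointer, same context: %s\n", pac_auth(s, sp) == ret ? "ok" : "fault");
    printf("address overwritten, PAC kept:   %d of 1000 accepted\n", count_accepted(s, sp, 4, 0, 1000));
    printf("pointer reused, other context:   %d of 1000 accepted\n", count_accepted(s, sp, 0, 16, 1000));
    return 0;
}
```

The last two counts are expected to be at or near zero: the 16-bit tag in this model matches an unrelated address or context only by chance.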