
[pauthabielf64] Consider documenting use of x16/x17 for raw pointers

Open smithp35 opened this issue 2 years ago • 3 comments

https://reviews.llvm.org/D132386 [AArch64][PAC] Lower auth/resign into checked sequence. The resign sequence ends up with raw pointers temporarily in registers. If there is a context switch then these registers will be stored in memory somewhere. To protect against an attack that can read this memory, an OS can sign registers on context switch, most likely with the generic key. However, doing so for all registers would be expensive. If it can be documented that only a subset of the registers (x16/x17 in Darwin's case) contain raw code pointers, then only these registers need to be signed on context switch.

If this convention were documented then platforms could take advantage of it.

The pauthabielf64 is not the ideal place for this documentation as it is the ELF ABI, but it is the only one that exists right now. Raising as an issue for future consideration. There may be future PAuthABI documents or pauthabielf64 may have its scope widened.

smithp35 avatar Aug 25 '22 09:08 smithp35
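To make the window the issue is talking about concrete, here is an added sketch of a checked resign sequence in AArch64 assembly. It is not the LLVM lowering from D132386 and not code from abi-aa; it assumes the old and new discriminators are passed in x0 and x1, and follows the Darwin convention of using only x16/x17 for the scratch values.

```asm
// Resign the signed code pointer in x16 from discriminator x0 to x1.
// Added illustrative sketch; register choice (x16/x17) mirrors the
// Darwin convention discussed in the issue, modifiers x0/x1 are assumed.
resign_ia_to_ia:
    autia   x16, x0          // authenticate with old discriminator;
                             // on failure the top bits become a poison value
    mov     x17, x16
    xpaci   x17              // strip PAC bits: x17 is the canonical raw address
    cmp     x16, x17         // if auth failed, x16 != x17 (poison bits set)
    b.ne    .Lauth_fail
    // --- window begins: x16 (and x17) hold a raw, unsigned code pointer.
    // A context switch here stores x16/x17 to memory; an OS that signs
    // saved registers (e.g. with pacga over the frame) only needs to
    // cover these two registers if the convention is documented.
    pacia   x16, x1          // re-sign with new discriminator
    // --- window ends: x16 is signed again, x17 still holds the raw copy
    mov     x17, xzr         // clear the raw copy before leaving
    ret
.Lauth_fail:
    brk     #0xc470          // trap on authentication failure (constant is illustrative)
```

The only registers that ever hold an unsigned code pointer in this sequence are x16 and x17, which is the property the issue asks the ABI to document so a kernel can limit context-switch signing to them.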

How could the registers after a context switch be in unprotected memory unless the OS is completely broken by design? If an attacker can read/write the stored registers of all processes then you have already lost whether the pointers are signed or not. Note that you can trivially strip the PAuth bits from any signed pointer, so there is nothing special about a "raw" pointer.

It also seems a bad idea to reserve some registers for pointers since it means compilers would have to stop allocating those registers altogether.

Wilco1 avatar Aug 25 '22 10:08 Wilco1

I think that this is for re-signing intrinsics rather than general use. In the general case there won't be raw code pointers in registers.

I don't have the context over how broken the OS is. Best reference I have is https://github.com/apple/llvm-project/blob/a63a81bd9911f87a0b5dcd5bdd7ccdda7124af87/clang/docs/PointerAuthentication.rst#register-clobbering

smithp35 avatar Aug 25 '22 11:08 smithp35