Pointer Authentication for Memory Protection: Stack Canaries and Beyond

dc.contributor: Aalto-yliopisto [fi]
dc.contributor: Aalto University [en]
dc.contributor.advisor: Liljestrand, Hans
dc.contributor.author: Gauhar, Zaheer
dc.contributor.school: Perustieteiden korkeakoulu [fi]
dc.contributor.supervisor: Ekberg, Jan-Erik
dc.date.accessioned: 2019-08-25T15:10:32Z
dc.date.available: 2019-08-25T15:10:32Z
dc.date.issued: 2019-08-19
dc.description.abstract: Memory corruption vulnerabilities, such as stack-based buffer overflows, continue to be a major threat for programs written in the C language. A widely deployed method for protecting against stack-based buffer overflows is to use stack canaries. However, the existing canary protection methods are vulnerable to memory disclosure. Moreover, with a significant increase in computing resources, they have also become vulnerable to brute-force attacks. Most existing implementations protect only the return address, leaving other variables in the function vulnerable to buffer overflow. Despite these shortcomings, these software-based stack protection methods incur significant performance overhead. The alternative, hardware-based defenses for the stack, requires drastic changes in the underlying processor architecture. ARM has introduced Pointer Authentication (PA) primitives in the ARMv8.3-A architecture. PA provides resistance against memory errors by authenticating pointers at low cost. PA also provides the capability to authenticate non-pointer values. In this work, we develop an LLVM compiler extension to detect buffer overflow attacks by using PA to generate and verify function-specific canaries. We use PA to generate keyed hashes on function entry; these hashes serve as authenticated canaries and are verified on function exit. If the hash check fails, a buffer overflow has occurred. Moreover, we protect all the buffers in a function using authenticated canaries. These authenticated canaries are chained together to detect overflow in any of the buffers. In our evaluation, we show that this approach provides resistance against brute-force attacks on canaries. Moreover, the hardware-based implementation of canary authentication has a negligible performance overhead, such that protecting all the buffers induces less than 1% overhead on SPEC CPU 2017 benchmarks. [en]
dc.format.extent: 83
dc.identifier.uri: https://aaltodoc.aalto.fi/handle/123456789/39884
dc.identifier.urn: URN:NBN:fi:aalto-201908254945
dc.language.iso: en [en]
dc.programme: Master’s Programme in Computer, Communication and Information Sciences [fi]
dc.programme.major: Security and Cloud Computing [fi]
dc.programme.mcode: SCI3084 [fi]
dc.subject.keyword: buffer overflow [en]
dc.subject.keyword: ARM pointer authentication [en]
dc.subject.keyword: LLVM [en]
dc.subject.keyword: C [en]
dc.subject.keyword: stack canaries [en]
dc.title: Pointer Authentication for Memory Protection: Stack Canaries and Beyond [en]
dc.type: G2 Pro gradu, diplomityö [fi]
dc.type.ontasot: Master's thesis [en]
dc.type.ontasot: Diplomityö [fi]
local.aalto.electroniconly: yes
local.aalto.openaccess: no

Files