Most attacks against software rely on subverting a program's control flow to execute malicious code. Control-flow integrity (CFI) refers to a set of security techniques that aim to constrain a program's control flow to its intended execution paths. In this talk we will explore the state of the art in CFI mitigations on Arm-based systems, namely Pointer Authentication (PAuth) and Branch Target Identification (BTI). These are hardware-assisted mechanisms deployed in the latest System-on-Chip architectures, raising the bar against software exploitation.
We will begin with an overview of the attack vectors that motivated the development of these mitigations. Next, we will dive into the implementation details, examining Arm's additions to the instruction set and system registers. We will complement this discussion with an overview of compiler support and provide some real-world examples of protected code. Moving on, we will evaluate the effectiveness of PAuth and BTI using metrics such as the likelihood of successful attacks and the prevalence of gadgets. Finally, we will investigate the impact of deploying PAuth and BTI on system performance and code size, to provide a comprehensive evaluation.