This is an archive of the discontinued LLVM Phabricator instance.

Differential D112941

[clang] Add support for the new pointer authentication builtins.
AbandonedPublic

Authored by ab on Nov 1 2021, 11:12 AM.

Details

Reviewers
rjmccall
ahatanak
bruno
pcc
apazos
kristof.beyls
t.p.northover
pbarrio
chill
danielkiss
psmith
Summary

Building on D90868, this defines the basic set of pointer authentication clang builtins (provided in a new header, ptrauth.h), with diagnostics and IRGen support.
The availability of the builtins is gated on a new flag -fptrauth-intrinsics, which is enabled by default by the driver for darwin arm64e.

Note that this only includes the basic intrinsics (matching D90868), and notably excludes ptrauth_sign_constant, and ptrauth_type_discriminator/ptrauth_string_discriminator, which need extra logic to be fully supported. If it helps, I can bring the header/sema support here so that we can review all builtins together, and do full IRGen later.

Diff Detail

Event Timeline

ab created this revision.Nov 1 2021, 11:12 AM
Herald added subscribers: dexonsmith, zzheng, dang, mgorny. · View Herald TranscriptNov 1 2021, 11:12 AM
ab requested review of this revision.Nov 1 2021, 11:12 AM
Harbormaster completed remote builds in B131770: Diff 383837.Nov 1 2021, 11:12 AM
ab added a parent revision: D90868: [IR] Define @llvm.ptrauth intrinsics..Nov 1 2021, 11:13 AM
tschuett added a subscriber: tschuett.Nov 1 2021, 11:37 AM
arichardson added a subscriber: arichardson.Nov 2 2021, 1:24 AM
apazos added inline comments.Nov 2 2021, 4:13 PM
clang/include/clang/Basic/DiagnosticSemaKinds.td
839

These two error types are confusing.
In which situation would err_ptrauth_disabled be printed?
With this patch, it is only supported with arm64e triple, all other targets it is unsupported.

apazos added a comment.Nov 2 2021, 4:14 PM

The plan to push support for ptrauth_sign_constant, and ptrauth_type_discriminator/ptrauth_string_discriminator in a separate patch is good.
This current patch is already big.

rjmccall added a comment.Nov 2 2021, 9:21 PM

Mostly LGTM, although I am not the most unbiased reviewer. :)

clang/include/clang/Basic/DiagnosticSemaKinds.td
839

We could probably just have one of these, yes.

clang/lib/Basic/Targets/AArch64.cpp
847

There's an LLVM constants header for this now, right?

tschuett added a comment.Nov 3 2021, 12:55 AM

The original ptrauth.h has the same comment style. Would doxygen style be an improvement?

ab updated this revision to Diff 384825.Nov 4 2021, 11:28 AM
ab marked 3 inline comments as done.

Simplify err_ptrauth_disabled diagnostic, rebase.

ab updated this revision to Diff 384827.Nov 4 2021, 11:29 AM
In D112941#3105297, @tschuett wrote:

The original ptrauth.h has the same comment style. Would doxygen style be an improvement?

Hmm, what do you have in mind? Markup for the builtin arguments/returns? The need for __ prefixes makes that a bit awkward, but I suppose that's not a big deal (and we do live with that for x86 intrins already)

clang/include/clang/Basic/DiagnosticSemaKinds.td
839

With this patch you'd get err_ptrauth_disabled with -target arm64e- -fno-ptrauth-intrinsics, instead of err_ptrauth_disabled_target with say -target x86_64. But yeah, I suppose we could live with only one of the two, with a less accurate message (either err_ptrauth_disabled_target renamed to err_ptrauth_disabled, or another more vague message altogether, say "pointer authentication is not supported")

This mostly removes the need for Sema::diagnosePointerAuthDisabled and TargetInfo::isPointerAuthSupported and lets us just rely on the individual langopts, which seems okay.

clang/lib/Basic/Targets/AArch64.cpp
847

Hmm, I don't think so, do you have something in mind? The AArch64 backend has helpers for this, but that's confined there. IR doesn't know anything about keys (for instance, the IR verifier doesn't have the same validation done here)

There's a related latent concern I have: currently, nothing prevents optimizations from moving ptrauth ops into global constant initializers, and since we don't support global initializers with process-specific keys (at least on darwin), we may need to expose this knowledge somehow (undoing this in the backend is not straightforward, but is an option).

Knowing which keys are used in what way would need to be triple-specific, though I guess that's not an obstacle.

tschuett added a comment.Nov 4 2021, 11:48 AM

The avxintrin.h header has more structured documentation.

Harbormaster completed remote builds in B132515: Diff 384827.Nov 4 2021, 1:40 PM
pcc mentioned this in D108479: [Clang] Add __builtin_addressof_nocfi.Nov 4 2021, 2:02 PM
kristof.beyls added inline comments.Nov 5 2021, 3:07 AM
clang/include/clang/Driver/Options.td
2865–2872

My impression is that generally for __builtin_XXX intrinsics, there are no compiler flags to make them available or remove their availability.
Is there a good reason why a command line option is needed for the __builtin_ptrauth intrinsics, but not (IIUC) for most or any other existing __builtin_XXX intrinsic?
If there is no good reason, it seems better to me to not have a command line option so there is better consistency across all __builtin_XXX intrinsics?

(after having read more of the patch): my impression has changed now that the f(no-)ptrauth-intrinsics flag rather selects whether the ptrauth intrinsics get lowered to PAuth hardware instructions, or to "regular" instructions emulating the behavior of authenticated pointers. If that is correct (and assuming it's a useful option to have), I would guess a different name for the command line option could be less misleading. As is, it suggests this selects whether ptrauth_ intrinsics are available or not. If instead, as I'm guessing above, this selects whether ptrauth_ intrinsics get lowered to PAuth instructions or not, maybe something like '-femulate-ptrauth' would describe the effect of the command line switch a bit better?

clang/lib/Headers/ptrauth.h
20–38

I think, but am not sure, that the decision of which keys are process independent and which ones are process-dependent is a software platform choice?
If so, maybe ptrauth_key_process_{in,}dependent_* should only get defined conditionally?
I'm not sure if any decisions have been taken already for e.g. linux, Android, other platforms.
If not, maybe this block of code should be surrounded by an ifdef that is enabled only when targeting Darwin?

tschuett added a comment.EditedNov 5 2021, 9:16 AM

If you look at the immintrin.h header, the access to many builtins is guarded by ifdefs.
#if defined(__SSSE3__)

The builtin __builtin_ia32_reduce_smin_d512 is useless on aarch64.

rjmccall added inline comments.Nov 5 2021, 11:02 PM
clang/include/clang/Driver/Options.td
2865–2872

The ptrauth features were implemented gradually, beginning with the intrinsics. Originally we needed a way to enable the intrinsics feature without relying on target information. We do still need a way to enable them without necessarily enabling automatic type/qualifier-based pointer authentication. I don't know if we need to be able to *disable* them when the target supports them; I agree that that would be a little strange.

If not, we could just enable the intrinsics whenever either the target says they're okay or software emulation (a separate, experimental feature) is enabled. The AArch64 target has a +pauth target feature. However, I don't know if -arch arm64e actually adds that feature on Apple targets. Also, the HasPAuth field in the clang TargetInfo does not appear to be properly initialized to false when +pauth *isn't* present; fortunately, that field never used.

I'm not sure if it would actually be okay to remove the -fptrauth-intrinsics driver option if we just enabled the intrinsics based on the target feature. That does feel cleaner, but unfortunately, we at Apple probably have explicit uses of the option that we'd have to clean up before we could remove the option. We could treat that as an Apple problem and keep it out of the open source tree, though, and maybe remove the option altogether someday.

Ahmed, thoughts?

clang/lib/Headers/ptrauth.h
20–38

Yes, in retrospect it was a bad idea to define these particular generic names. I believe Apple platforms no longer have "process-independent" keys. It should really just be (1) the concrete keys, (2) recommended default keys for code and data pointers, and then (3) the specific keys used in specific schemas. Beyond that, if people want a specific different key for some purpose, they should ask for it.

Unfortunately, there's already a fair amount of code using these names. We could deprecate the old names and point people towards the new names, though.

kristof.beyls added inline comments.Nov 8 2021, 1:20 AM
clang/lib/Headers/ptrauth.h
20–38

Thanks for those background insights!
I was thinking that maybe the keys that should be deprecated could be enabled only when targeting Apple platforms? I'm assuming here that most existing code using these only target Apple platforms; so making them available only when targeting Apple platforms could help with not letting the use of them spread further without impacting existing code much?

ab added inline comments.Nov 8 2021, 1:41 PM
clang/include/clang/Driver/Options.td
2865–2872

Hmm, I agree it would be strange to need to disable the intrinsics, but we do also gate the various higher-level qualifiers (and intrinsics) on ptrauth_intrinsics. So, in ptrauth.h (and in various users) the feature now really means "we're in a 'ptrauth-aware' environment". And it does make more sense to keep that separate from "we're running on a CPU that theoretically could support ptrauth". It comes down to what "ptrauth-aware" really means, and that's probably also an Apple problem, and all current users of ptrauth_intrinsics should use something like __arm64e__ instead.

That still means there's no equivalent for other targets and/or software emulation, but that seems okay: ptrauth.h already needs changes to be usable from anywhere other than arm64e (cf. the discussion about keys), and we can cross that bridge when we get there.

(One could argue that all the language-feature-specific qualifiers and intrinsics should be gated on the appropriate ptrauth_whatever feature, but the qualifiers are often used in precisely the glue/runtime code that doesn't build in the appropriate mode, so doesn't have the feature enabled.)

So, concretely, we could:

  • continue gating these plain intrinsics on ptrauth_intrinsics in ptrauth.h (IIRC there's an ACLE feature macro but it's specific to return address signing and BTI defaults; I'll check)
  • enable the feature when +pauth
  • replace all other uses of ptrauth_intrinsics with __arm64e__, in both ptrauth.h (gating the ABI qualifiers) and gradually in our internal codebases

and keep -fptrauth-intrinsics downstream for the transition (or, depending on how much the flag is really used, just keep the old behavior of enabling the feature for arm64e only; but yeah, that's my downstream problem)

clang/lib/Headers/ptrauth.h
20–38

Or we could keep these downstream as well, and deprecate them there directly.

Worth mentioning we'll have a similar problem with the "language-feature-specific" key enums and qualifiers (e.g., ptrauth_key_function_pointer): they're currently hardcoded in ptrauth.h with the arm64e values. I was thinking maybe they should be defined by the frontend and exposed to ptrauth.h through macros (and/or builtin types, or something else), so that the single source of truth is the frontend logic that decides which schemas are used where. But that's a problem for another day.

So, concretely:

  • remove these 4 key aliases (and transition them downstream, yadda yadda)
  • gate the later key aliases (that describe the language ABI schemas) on __arm64e__
  • figure out some more complicated way of defining these, as needed, for other targets
bruno added a comment.Nov 9 2021, 12:00 AM

Thanks for working on upstreaming this @ab. Overall looks good to me, I see clang-format issues, are those legit? One more comment inline.

clang/include/clang/Driver/Options.td
2865–2872

I'd vote for keeping as is: -fptrauth-intrinsics allows a nice limited use of the pauth feature pack. Has actually been useful for us (non-Apple targets) in code that needs signing capabilities but not want itself to be codegen'd using pauth - e.g. a dynamic linker for a system that is migrating codebase to pauth in small steps.

ptrauth_intrinsics gates have been equally useful. By doing this downstream we would need to duplicate this logic as well, so I don't really it benefiting the community as much.

Enabling the feature when +pauth sounds like overall goodness regardless imo.

kristof.beyls added inline comments.Nov 10 2021, 12:28 AM
clang/include/clang/Driver/Options.td
2865–2872

Thanks for sharing your experience @bruno .
I have to confess I do not fully understand "code that needs signing capabilities but not want itself to be codegen'd using pauth." I'm assuming this means "the ptrauth intrinsics must be available, but the compiler must not automatically insert pointer signing/authenticating instructions"?

If I understand that correctly, I'm still wondering if it's useful to have a command line switch that removes ptrauth intrinsics, rather than relying on ptrauth.h having the appropriate ifdefs to remove intrinsics when targeting something where they cannot work?

With the above, I guess "-f(no)ptrauth-intrinsics" then actually means "let the compiler automatically insert signing/authenticating instructions as defined by the default signing scheme for the target triple you're targeting"?

Maybe my confusion would be less if this patch also adds documentation for the command line switch.
I'm not sure where that documentation would best live. Maybe at https://clang.llvm.org/docs/UsersManual.html#command-line-options?

bruno added inline comments.Nov 18 2021, 6:26 PM
clang/include/clang/Driver/Options.td
2865–2872

I have to confess I do not fully understand "code that needs signing capabilities but not want itself to be codegen'd using pauth." I'm assuming this means "the ptrauth intrinsics must be available, but the compiler must not automatically insert pointer signing/authenticating instructions"?

Exactly, I'd like to see such instructions only being emitted via intrinsic usage.

If I understand that correctly, I'm still wondering if it's useful to have a command line switch that removes ptrauth intrinsics, rather than relying on ptrauth.h having the appropriate ifdefs to remove intrinsics when targeting something where they cannot work?

I think the -fnoptrauth-intrinsics is useful in practice, it provides quick workarounds when trying to untangle bugs in production, the "cancel previous added flag" behavior. I do not see a semantic meaning of its existence though.

With the above, I guess "-f(no)ptrauth-intrinsics" then actually means "let the compiler automatically insert signing/authenticating instructions as defined by the default signing scheme for the target triple you're targeting"?

We should also be able to use the intrinsics regardless of the target triple setup (and error out at driver time in case the instructions aren't supported by the backend).

The problem is that I might still need to disable automatically codegen of those instructions, but be able to use intrinsics to control their usage. Would there be another combination of driver flags to that effect?

Maybe my confusion would be less if this patch also adds documentation for the command line switch. I'm not sure where that documentation would best live. Maybe at https://clang.llvm.org/docs/UsersManual.html#command-line-options?

Agreed!

ab updated this revision to Diff 556443.Sep 11 2023, 9:41 AM

Added the relevant bits of the great documentation John wrote in clang/docs/PointerAuthentication.rst. I tried to trim it down to only the general principles and the intrinsics; some of the discussion around the security model is a little ahead of the rest of the changes, but is still seems fine with these initial changes.

Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptSep 11 2023, 9:41 AM
Herald added subscribers: llvm-commits, wangpc, MaskRay. · View Herald Transcript
Harbormaster completed remote builds in B256983: Diff 556443.Sep 11 2023, 9:42 AM
ab abandoned this revision.Sep 11 2023, 11:54 AM

This went through so many rebases that the incremental diff is not very helpful ;) Let's start over on github: https://github.com/llvm/llvm-project/pull/65996

Revision Contents

PathSize
c/
clang/
docs/
5 lines
include/
clang/
Basic/
8 lines
1 line
16 lines
1 line
2 lines
6 lines
Driver/
8 lines
Sema/
2 lines
lib/
Basic/
4 lines
4 lines
Targets/
2 lines
6 lines
CodeGen/
67 lines
Driver/
ToolChains/
5 lines
4 lines
14 lines
Frontend/
13 lines
Headers/
1 line
5 lines
Sema/
186 lines
llvm/
docs/
3 lines
clang/
docs/
559 lines
lib/
Headers/
167 lines
test/
CodeGen/
73 lines
Driver/
22 lines
Modules/
Inputs/
ptrauth-include-from-darwin/
8 lines
1 line
1 line
6 lines
Preprocessor/
10 lines
Sema/
34 lines
126 lines

Diff 556443

clang/docs/LanguageExtensions.rst

Context not available.
BlockLanguageSpec BlockLanguageSpec
Block-ABI-Apple Block-ABI-Apple
AutomaticReferenceCounting AutomaticReferenceCounting
PointerAuthentication
MatrixTypes MatrixTypes
Introduction Introduction
Context not available.
like simple arithmetic may be reordered around the intrinsic. If you expect to like simple arithmetic may be reordered around the intrinsic. If you expect to
have no reordering at all, use inline assembly instead. have no reordering at all, use inline assembly instead.
Pointer Authentication
^^^^^^^^^^^^^^^^^^^^^^
See :doc:`PointerAuthentication`.
X86/X86-64 Language Extensions X86/X86-64 Language Extensions
------------------------------ ------------------------------
Context not available.

clang/docs/PointerAuthentication.rst

  • This file was added.
Pointer Authentication
======================
.. contents::
:local:
Introduction
------------
Pointer authentication is a technology which offers strong probabilistic protection against exploiting a broad class of memory bugs to take control of program execution. When adopted consistently in a language ABI, it provides a form of relatively fine-grained control flow integrity (CFI) check that resists both return-oriented programming (ROP) and jump-oriented programming (JOP) attacks.
While pointer authentication can be implemented purely in software, direct hardware support (e.g. as provided by ARMv8.3) can dramatically lower the execution speed and code size costs. Similarly, while pointer authentication can be implemented on any architecture, taking advantage of the (typically) excess addressing range of a target with 64-bit pointers minimizes the impact on memory performance and can allow interoperation with existing code (by disabling pointer authentication dynamically). This document will generally attempt to present the pointer authentication feature independent of any hardware implementation or ABI. Considerations that are implementation-specific are clearly identified throughout.
Note that there are several different terms in use:
- **Pointer authentication** is a target-independent language technology.
- **ARMv8.3** is an AArch64 architecture revision of that provides hardware support for pointer authentication. It is implemented on several shipping processors, including the Apple A12 and later.
* **arm64e** is a specific ABI for (not yet fully stable) for implementing pointer authentication on ARMv8.3 on certain Apple operating systems.
This document serves four purposes:
- It describes the basic ideas of pointer authentication.
- It documents several language extensions that are useful on targets using pointer authentication.
- It presents a theory of operation for the security mitigation, describing the basic requirements for correctness, various weaknesses in the mechanism, and ways in which programmers can strengthen its protections (including recommendations for language implementors).
- It will eventually document the language ABIs currently used for C, C++, Objective-C, and Swift on arm64e, although these are not yet stable on any target.
Basic Concepts
--------------
The simple address of an object or function is a **raw pointer**. A raw pointer can be **signed** to produce a **signed pointer**. A signed pointer can be then **authenticated** in order to verify that it was **validly signed** and extract the original raw pointer. These terms reflect the most likely implementation technique: computing and storing a cryptographic signature along with the pointer. The security of pointer authentication does not rely on attackers not being able to separately overwrite the signature.
An **abstract signing key** is a name which refers to a secret key which can used to sign and authenticate pointers. The key value for a particular name is consistent throughout a process.
A **discriminator** is an arbitrary value used to **diversify** signed pointers so that one validly-signed pointer cannot simply be copied over another. A discriminator is simply opaque data of some implementation-defined size that is included in the signature as a salt.
Nearly all aspects of pointer authentication use just these two primary operations:
- ``sign(raw_pointer, key, discriminator)`` produces a signed pointer given a raw pointer, an abstract signing key, and a discriminator.
- ``auth(signed_pointer, key, discriminator)`` produces a raw pointer given a signed pointer, an abstract signing key, and a discriminator.
``auth(sign(raw_pointer, key, discriminator), key, discriminator)`` must succeed and produce ``raw_pointer``. ``auth`` applied to a value that was ultimately produced in any other way is expected to immediately halt the program. However, it is permitted for ``auth`` to fail to detect that a signed pointer was not produced in this way, in which case it may return anything; this is what makes pointer authentication a probabilistic mitigation rather than a perfect one.
There are two secondary operations which are required only to implement certain intrinsics in ``<ptrauth.h>``:
- ``strip(signed_pointer, key)`` produces a raw pointer given a signed pointer and a key it was presumptively signed with. This is useful for certain kinds of tooling, such as crash backtraces; it should generally not be used in the basic language ABI except in very careful ways.
- ``sign_generic(value)`` produces a cryptographic signature for arbitrary data, not necessarily a pointer. This is useful for efficiently verifying that non-pointer data has not been tampered with.
Whenever any of these operations is called for, the key value must be known statically. This is because the layout of a signed pointer may vary according to the signing key. (For example, in ARMv8.3, the layout of a signed pointer depends on whether TBI is enabled, which can be set independently for code and data pointers.)
.. admonition:: Note for API designers and language implementors
These are the *primitive* operations of pointer authentication, provided for clarity of description. They are not suitable either as high-level interfaces or as primitives in a compiler IR because they expose raw pointers. Raw pointers require special attention in the language implementation to avoid the accidental creation of exploitable code sequences; see the section on `Attackable code sequences`_.
The following details are all implementation-defined:
- the nature of a signed pointer
- the size of a discriminator
- the number and nature of the signing keys
- the implementation of the ``sign``, ``auth``, ``strip``, and ``sign_generic`` operations
While the use of the terms "sign" and "signed pointer" suggest the use of a cryptographic signature, other implementations may be possible. See `Alternative implementations`_ for an exploration of implementation options.
.. admonition:: Implementation example: ARMv8.3
Readers may find it helpful to know how these terms map to ARMv8.3:
- A signed pointer is a pointer with a signature stored in the otherwise-unused high bits. The kernel configures the signature width based on the system's addressing needs, accounting for whether the AArch64 TBI feature is enabled for the kind of pointer (code or data).
- A discriminator is a 64-bit integer. Constant discriminators are 16-bit integers. Blending a constant discriminator into an address consists of replacing the top 16 bits of the address with the constant.
- There are five 128-bit signing-key registers, each of which can only be directly read or set by privileged code. Of these, four are used for signing pointers, and the fifth is used only for ``sign_generic``. The key data is simply a pepper added to the hash, not an encryption key, and so can be initialized using random data.
- ``sign`` computes a cryptographic hash of the pointer, discriminator, and signing key, and stores it in the high bits as the signature. ``auth`` removes the signature, computes the same hash, and compares the result with the stored signature. ``strip`` removes the signature without authenticating it. While ARMv8.3's ``aut*`` instructions do not themselves trap on failure, the compiler only ever emits them in sequences that will trap.
- ``sign_generic`` corresponds to the ``pacga`` instruction, which takes two 64-bit values and produces a 64-bit cryptographic hash. Implementations of this instruction may not produce meaningful data in all bits of the result.
Discriminators
~~~~~~~~~~~~~~
A discriminator is arbitrary extra data which alters the signature on a pointer. When two pointers are signed differently --- either with different keys or with different discriminators --- an attacker cannot simply replace one pointer with the other. For more information on why discriminators are important and how to use them effectively, see the section on `Substitution attacks`_.
To use standard cryptographic terminology, a discriminator acts as a salt in the signing of a pointer, and the key data acts as a pepper. That is, both the discriminator and key data are ultimately just added as inputs to the signing algorithm along with the pointer, but they serve significantly different roles. The key data is a common secret added to every signature, whereas the discriminator is a signing-specific value that can be derived from the circumstances of how a pointer is signed. However, unlike a password salt, it's important that discriminators be *independently* derived from the circumstances of the signing; they should never simply be stored alongside a pointer.
The intrinsic interface in ``<ptrauth.h>`` allows an arbitrary discriminator value to be provided, but can only be used when running normal code. The discriminators used by language ABIs must be restricted to make it feasible for the loader to sign pointers stored in global memory without needing excessive amounts of metadata. Under these restrictions, a discriminator may consist of either or both of the following:
- The address at which the pointer is stored in memory. A pointer signed with a discriminator which incorporates its storage address is said to have **address diversity**. In general, using address diversity means that a pointer cannot be reliably replaced by an attacker or used to reliably replace a different pointer. However, an attacker may still be able to attack a larger call sequence if they can alter the address through which the pointer is accessed. Furthermore, some situations cannot use address diversity because of language or other restrictions.
- A constant integer, called a **constant discriminator**. A pointer signed with a non-zero constant discriminator is said to have **constant diversity**. If the discriminator is specific to a single declaration, it is said to have **declaration diversity**; if the discriminator is specific to a type of value, it is said to have **type diversity**. For example, C++ v-tables on arm64e sign their component functions using a hash of their method names and signatures, which provides declaration diversity; similarly, C++ member function pointers sign their invocation functions using a hash of the member pointer type, which provides type diversity.
The implementation may need to restrict constant discriminators to be significantly smaller than the full size of a discriminator. For example, on arm64e, constant discriminators are only 16-bit values. This is believed to not significantly weaken the mitigation, since collisions remain uncommon.
The algorithm for blending a constant discriminator with a storage address is implementation-defined.
.. _Signing schemas:
Signing schemas
~~~~~~~~~~~~~~~
Correct use of pointer authentication requires the signing code and the authenticating code to agree about the **signing schema** for the pointer:
- the abstract signing key with which the pointer should be signed and
- an algorithm for computing the discriminator.
As described in the section above on `Discriminators`_, in most situations, the discriminator is produced by taking a constant discriminator and optionally blending it with the storage address of the pointer. In these situations, the signing schema breaks down even more simply:
- the abstract signing key,
- a constant discriminator, and
- whether to use address diversity.
It is important that the signing schema be independently derived at all signing and authentication sites. Preferably, the schema should be hard-coded everywhere it is needed, but at the very least, it must not be derived by inspecting information stored along with the pointer. See the section on `Attacks on pointer authentication`_ for more information.
Language Features
-----------------
There is currently one main pointer authentication language feature:
- The language provides the ``<ptrauth.h>`` intrinsic interface for manually signing and authenticating pointers in code. These can be used in circumstances where very specific behavior is required.
Language extensions
~~~~~~~~~~~~~~~~~~~
Feature testing
^^^^^^^^^^^^^^^
Whether the current target uses pointer authentication can be tested for with a number of different tests.
- ``__has_feature(ptrauth_intrinsics)`` is true if ``<ptrauth.h>`` provides its normal interface. This may be true even on targets where pointer authentication is not enabled by default.
``<ptrauth.h>``
~~~~~~~~~~~~~~~
This header defines the following types and operations:
``ptrauth_key``
^^^^^^^^^^^^^^^
This ``enum`` is the type of abstract signing keys. In addition to defining the set of implementation-specific signing keys (for example, ARMv8.3 defines ``ptrauth_key_asia``), it also defines some portable aliases for those keys. For example, ``ptrauth_key_function_pointer`` is the key generally used for C function pointers, which will generally be suitable for other function-signing schemas.
In all the operation descriptions below, key values must be constant values corresponding to one of the implementation-specific abstract signing keys from this ``enum``.
``ptrauth_extra_data_t``
^^^^^^^^^^^^^^^^^^^^^^^^
This is a ``typedef`` of a standard integer type of the correct size to hold a discriminator value.
In the signing and authentication operation descriptions below, discriminator values must have either pointer type or integer type. If the discriminator is an integer, it will be coerced to ``ptrauth_extra_data_t``.
``ptrauth_blend_discriminator``
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. code-block:: c
ptrauth_blend_discriminator(pointer, integer)
Produce a discriminator value which blends information from the given pointer and the given integer.
Implementations may ignore some bits from each value, which is to say, the blending algorithm may be chosen for speed and convenience over theoretical strength as a hash-combining algorithm. For example, arm64e simply overwrites the high 16 bits of the pointer with the low 16 bits of the integer, which can be done in a single instruction with an immediate integer.
``pointer`` must have pointer type, and ``integer`` must have integer type. The result has type ``ptrauth_extra_data_t``.
``ptrauth_string_discriminator``
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. code-block:: c
ptrauth_string_discriminator(string)
Produce a discriminator value for the given string. ``string`` must be a string literal of ``char`` character type. The result has type ``ptrauth_extra_data_t``.
The result is always a constant expression. The result value is never zero and always within range for both the ``__ptrauth`` qualifier and ``ptrauth_blend_discriminator``.
``ptrauth_strip``
^^^^^^^^^^^^^^^^^
.. code-block:: c
ptrauth_strip(signedPointer, key)
Given that ``signedPointer`` matches the layout for signed pointers signed with the given key, extract the raw pointer from it. This operation does not trap and cannot fail, even if the pointer is not validly signed.
``ptrauth_sign_unauthenticated``
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. code-block:: c
ptrauth_sign_unauthenticated(pointer, key, discriminator)
Produce a signed pointer for the given raw pointer without applying any authentication or extra treatment. This operation is not required to have the same behavior on a null pointer that the language implementation would.
This is a treacherous operation that can easily result in `signing oracles`_. Programs should use it seldom and carefully.
``ptrauth_auth_and_resign``
^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. code-block:: c
ptrauth_auth_and_resign(pointer, oldKey, oldDiscriminator, newKey, newDiscriminator)
Authenticate that ``pointer`` is signed with ``oldKey`` and ``oldDiscriminator`` and then resign the raw-pointer result of that authentication with ``newKey`` and ``newDiscriminator``.
``pointer`` must have pointer type. The result will have the same type as ``pointer``. This operation is not required to have the same behavior on a null pointer that the language implementation would.
The code sequence produced for this operation must not be directly attackable. However, if the discriminator values are not constant integers, their computations may still be attackable. In the future, Clang should be enhanced to guaranteed non-attackability if these expressions are :ref:`safely-derived<Safe derivation>`.
``ptrauth_auth_data``
^^^^^^^^^^^^^^^^^^^^^
.. code-block:: c
ptrauth_auth_data(pointer, key, discriminator)
Authenticate that ``pointer`` is signed with ``key`` and ``discriminator`` and remove the signature.
``pointer`` must have object pointer type. The result will have the same type as ``pointer``. This operation is not required to have the same behavior on a null pointer that the language implementation would.
In the future when Clang makes `safe derivation`_ guarantees, the result of this operation should be considered safely-derived.
``ptrauth_sign_generic_data``
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. code-block:: c
ptrauth_sign_generic_data(value1, value2)
Computes a signature for the given pair of values, incorporating a secret signing key.
This operation can be used to verify that arbitrary data has not be tampered with by computing a signature for the data, storing that signature, and then repeating this process and verifying that it yields the same result. This can be reasonably done in any number of ways; for example, a library could compute an ordinary checksum of the data and just sign the result in order to get the tamper-resistance advantages of the secret signing key (since otherwise an attacker could reliably overwrite both the data and the checksum).
``value1`` and ``value2`` must be either pointers or integers. If the integers are larger than ``uintptr_t`` then data not representable in ``uintptr_t`` may be discarded.
The result will have type ``ptrauth_generic_signature_t``, which is an integer type. Implementations are not required to make all bits of the result equally significant; in particular, some implementations are known to not leave meaningful data in the low bits.
Theory of Operation
-------------------
The threat model of pointer authentication is as follows:
- The attacker has the ability to read and write to a certain range of addresses, possibly the entire address space. However, they are constrained by the normal rules of the process: for example, they cannot write to memory that is mapped read-only, and if they access unmapped memory it will trigger a trap.
- The attacker has no ability to add arbitrary executable code to the program. For example, the program does not include malicious code to begin with, and the attacker cannot alter existing instructions, load a malicious shared library, or remap writable pages as executable. If the attacker wants to get the process to perform a specific sequence of actions, they must somehow subvert the normal control flow of the process.
In both of the above paragraphs, it is merely assumed that the attacker's *current* capabilities are restricted; that is, their current exploit does not directly give them the power to do these things. The attacker's immediate goal may well be to leverage their exploit to gain these capabilities, e.g. to load a malicious dynamic library into the process, even though the process does not directly contain code to do so.
Note that any bug that fits the above threat model can be immediately exploited as a denial-of-service attack by simply performing an illegal access and crashing the program. Pointer authentication cannot protect against this. While denial-of-service attacks are unfortunate, they are also unquestionably the best possible result of a bug this severe. Therefore, pointer authentication enthusiastically embraces the idea of halting the program on a pointer authentication failure rather than continuing in a possibly-compromised state.
Pointer authentication is a form of control-flow integrity (CFI) enforcement. The basic security hypothesis behind CFI enforcement is that many bugs can only be usefully exploited (other than as a denial-of-service) by leveraging them to subvert the control flow of the program. If this is true, then by inhibiting or limiting that subversion, it may be possible to largely mitigate the security consequences of those bugs by rendering them impractical (or, ideally, impossible) to exploit.
Every indirect branch in a program has a purpose. Using human intelligence, a programmer can describe where a particular branch *should* go according to this purpose: a ``return`` in ``printf`` should return to the call site, a particular call in ``qsort`` should call the comparator that was passed in as an argument, and so on. But for CFI to enforce that every branch in a program goes where it *should* in this sense would require CFI to perfectly enforce every semantic rule of the program's abstract machine; that is, it would require making the programming environment perfectly sound. That is out of scope. Instead, the goal of CFI is merely to catch attempts to make a branch go somewhere that its obviously *shouldn't* for its purpose: for example, to stop a call from branching into the middle of a function rather than its beginning. As the information available to CFI gets better about the purpose of the branch, CFI can enforce tighter and tighter restrictions on where the branch is permitted to go. Still, ultimately CFI cannot make the program sound. This may help explain why pointer authentication makes some of the choices it does: for example, to sign and authenticate mostly code pointers rather than every pointer in the program. Preventing attackers from redirecting branches is both particularly important and particularly approachable as a goal. Detecting corruption more broadly is infeasible with these techniques, and the attempt would have far higher cost.
Attacks on pointer authentication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pointer authentication works as follows. Every indirect branch in a program has a purpose. For every purpose, the implementation chooses a :ref:`signing schema<Signing schemas>`. At some place where a pointer is known to be correct for its purpose, it is signed according to the purpose's schema. At every place where the pointer is needed for its purpose, it is authenticated according to the purpose's schema. If that authentication fails, the program is halted.
There are a variety of ways to attack this.
Attacks of interest to programmers
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
These attacks arise from weaknesses in the default protections offered by pointer authentication. They can be addressed by using attributes or intrinsics to opt in to stronger protection.
Substitution attacks
++++++++++++++++++++
An attacker can simply overwrite a pointer intended for one purpose with a pointer intended for another purpose if both purposes use the same signing schema and that schema does not use address diversity.
The most common source of this weakness is when code relies on using the default language rules for C function pointers. The current implementation uses the exact same signing schema for all C function pointers, even for functions of substantially different type. While efforts are ongoing to improve constant diversity for C function pointers of different type, there are necessary limits to this. The C standard requires function pointers to be copyable with ``memcpy``, which means that function pointers can never use address diversity. Furthermore, even if a function pointer can only be replaced with another function of the exact same type, that can still be useful to an attacker, as in the following example of a hand-rolled "v-table":
.. code-block:: c
struct ObjectOperations {
void (*retain)(Object *);
void (*release)(Object *);
void (*deallocate)(Object *);
void (*logStatus)(Object *);
};
This weakness can be mitigated by using a more specific signing schema for each purpose. For example, in this example, the ``__ptrauth`` qualifier can be used with a different constant discriminator for each field. Since there's no particular reason it's important for this v-table to be copyable with ``memcpy``, the functions can also be signed with address diversity:
.. code-block:: c
#if __has_feature(ptrauth_calls)
#define objectOperation(discriminator) \
__ptrauth(ptrauth_key_function_pointer, 1, discriminator)
#else
#define objectOperation(discriminator)
#endif
struct ObjectOperations {
void (*objectOperation(0xf017) retain)(Object *);
void (*objectOperation(0x2639) release)(Object *);
void (*objectOperation(0x8bb0) deallocate)(Object *);
void (*objectOperation(0xc5d4) logStatus)(Object *);
};
This weakness can also sometimes be mitigated by simply keeping the signed pointer in constant memory, but this is less effective than using better signing diversity.
.. _Access path attacks:
Access path attacks
+++++++++++++++++++
If a signed pointer is often accessed indirectly (that is, by first loading the address of the object where the signed pointer is stored), an attacker can affect uses of it by overwriting the intermediate pointer in the access path.
The most common scenario exhibiting this weakness is an object with a pointer to a "v-table" (a structure holding many function pointers). An attacker does not need to replace a signed function pointer in the v-table if they can instead simply replace the v-table pointer in the object with their own pointer --- perhaps to memory where they've constructed their own v-table, or to existing memory that coincidentally happens to contain a signed pointer at the right offset that's been signed with the right signing schema.
This attack arises because data pointers are not signed by default. It works even if the signed pointer uses address diversity: address diversity merely means that each pointer is signed with its own storage address, which (by design) is invariant to changes in the accessing pointer.
Using sufficiently diverse signing schemas within the v-table can provide reasonably strong mitigation against this weakness. Always use address diversity in v-tables to prevent attackers from assembling their own v-table. Avoid re-using constant discriminators to prevent attackers from replacing a v-table pointer with a pointer to totally unrelated memory that just happens to contain an similarly-signed pointer.
Further mitigation can be attained by signing pointers to v-tables. Any signature at all should prevent attackers from forging v-table pointers; they will need to somehow harvest an existing signed pointer from elsewhere in memory. Using a meaningful constant discriminator will force this to be harvested from an object with similar structure (e.g. a different implementation of the same interface). Using address diversity will prevent such harvesting entirely. However, care must be taken when sourcing the v-table pointer originally; do not blindly sign a pointer that is not :ref:`safely derived<Safe derivation>`.
.. _Signing oracles:
Signing oracles
+++++++++++++++
A signing oracle is a bit of code which can be exploited by an attacker to sign an arbitrary pointer in a way that can later be recovered. Such oracles can be used by attackers to forge signatures matching the oracle's signing schema, which is likely to cause a total compromise of pointer authentication's effectiveness.
This attack only affects ordinary programmers if they are using certain treacherous patterns of code. Currently this includes:
- all uses of the ``__ptrauth_sign_unauthenticated`` intrinsic and
- assigning data pointers to ``__ptrauth``-qualified l-values.
Care must be taken in these situations to ensure that the pointer being signed has been :ref:`safely derived<Safe derivation>` or is otherwise not possible to attack. (In some cases, this may be challenging without compiler support.)
A diagnostic will be added in the future for implicitly dangerous patterns of code, such as assigning a non-safely-derived data pointer to a ``__ptrauth``-qualified l-value.
.. _Authentication oracles:
Authentication oracles
++++++++++++++++++++++
An authentication oracle is a bit of code which can be exploited by an attacker to leak whether a signed pointer is validly signed without halting the program if it isn't. Such oracles can be used to forge signatures matching the oracle's signing schema if the attacker can repeatedly invoke the oracle for different candidate signed pointers. This is likely to cause a total compromise of pointer authentication's effectiveness.
There should be no way for an ordinary programmer to create an authentication oracle using the current set of operations. However, implementation flaws in the past have occasionally given rise to authentication oracles due to a failure to immediately trap on authentication failure.
The likelihood of creating an authentication oracle is why there is currently no intrinsic which queries whether a signed pointer is validly signed.
Attacks of interest to implementors
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
These attacks are not inherent to the model; they arise from mistakes in either implementing or using the `sign` and `auth` operations. Avoiding these mistakes requires careful work throughout the system.
Failure to trap on authentication failure
+++++++++++++++++++++++++++++++++++++++++
Any failure to halt the program on an authentication failure is likely to be exploitable by attackers to create an :ref:`authentication oracle<Authentication oracles>`.
There are several different ways to introduce this problem:
- The implementation might try to halt the program in some way that can be intercepted.
For example, the ``auth`` instruction in ARMv8.3 does not directly trap; instead it corrupts its result so that it is always an invalid pointer. If the program subsequently attempts to use that pointer, that will be a bad memory access, and it will trap into the kernel. However, kernels do not usually immediately halt programs that trigger traps due to bad memory accesses; instead they notify the process to give it an opportunity to recover. If this happens with an ``auth`` failure, the attacker may be able to exploit the recovery path in a way that creates an oracle. Kernels should ensure that these sorts of traps are not recoverable.
- A compiler might use an intermediate representation (IR) for ``sign`` and ``auth`` operations that cannot make adequate correctness guarantees.
For example, suppose that an IR uses ARMv8.3-like semantics for ``auth``: the operation merely corrupts its result on failure instead of promising the trap. A frontend might emit patterns of IR that always follow an ``auth`` with a memory access, thinking that this ensures correctness. But if the IR can be transformed to insert code between the ``auth`` and the access, or if the ``auth`` can be speculated, then this potentially creates an oracle. It is better for ``auth`` to semantically guarantee to trap, potentially requiring an explicit check in the generated code. An ARMv8.3-like target can avoid this explicit check in the common case by recognizing the pattern of an ``auth`` followed immediately by an access.
Attackable code sequences
+++++++++++++++++++++++++
If code that is part of a pointer authentication operation is interleaved with code that may itself be vulnerable to attacks, an attacker may be able to use this to create a :ref:`signing<Signing oracles>` or :ref:`authentication<Authentication oracles>` oracle.
For example, suppose that the compiler is generating a call to a function and passing two arguments: a signed constant pointer and a value derived from a call. In ARMv8.3, this code might look like so:
.. code-block:: asm
adr x19, _callback. ; compute &_callback
paciza x19 ; sign it with a constant discriminator of 0
blr _argGenerator ; call _argGenerator() (returns in x0)
mov x1, x0 ; move call result to second arg register
mov x0, x19 ; move signed &_callback to first arg register
blr _function ; call _function
This code is correct, as would be a sequencing that does *both* the ``adr`` and the ``paciza`` after the call to ``_argGenerator``. But a sequence that computes the address of ``_callback`` but leaves it as a raw pointer in a register during the call to ``_argGenerator`` would be vulnerable:
.. code-block:: asm
adr x19, _callback. ; compute &_callback
blr _argGenerator ; call _argGenerator() (returns in x0)
mov x1, x0 ; move call result to second arg register
paciza x19 ; sign &_callback
mov x0, x19 ; move signed &_callback to first arg register
blr _function ; call _function
If ``_argGenerator`` spills ``x19`` (a callee-save register), and if the attacker can perform a write during this call, then the attacker can overwrite the spill slot with an arbitrary pointer that will eventually be unconditionally signed after the function returns. This would be a signing oracle.
The implementation can avoid this by obeying two basic rules:
- The compiler's intermediate representations (IR) should not provide operations that expose intermediate raw pointers. This may require providing extra operations that perform useful combinations of operations.
For example, there should be an "atomic" auth-and-resign operation that should be used instead of emitting an ``auth`` operation whose result is fed into a ``sign``.
Similarly, if a pointer should be authenticated as part of doing a memory access or a call, then the access or call should be decorated with enough information to perform the authentication; there should not be a separate ``auth`` whose result is used as the pointer operand for the access or call. (In LLVM IR, we do this for calls, but not yet for loads or stores.)
"Operations" includes things like materializing a signed pointer to a known function or global variable. The compiler must be able to recognize and emit this as a unified operation, rather than potentially splitting it up as in the example above.
- The compiler backend should not be too aggressive about scheduling instructions that are part of a pointer authentication operation. This may require custom code-generation of these operations in some cases.
Register clobbering
+++++++++++++++++++
As a refinement of the section on `Attackable code sequences`_, if the attacker has the ability to modify arbitrary *register* state at arbitrary points in the program, then special care must be taken.
For example, ARMv8.3 might materialize a signed function pointer like so:
.. code-block:: asm
adr x0, _callback. ; compute &_callback
paciza x0 ; sign it with a constant discriminator of 0
If an attacker has the ability to overwrite ``x0`` between these two instructions, this code sequence is vulnerable to becoming a signing oracle.
For the most part, this sort of attack is not possible: it is a basic element of the design of modern computation that register state is private and inviolable. However, in systems that support asynchronous interrupts, this property requires the cooperation of the interrupt-handling code. If that code saves register state to memory, and that memory can be overwritten by an attacker, then essentially the attack can overwrite arbitrary register state at an arbitrary point. This could be a concern if the threat model includes attacks on the kernel or if the program uses user-space preemptive multitasking.
(Readers might object that an attacker cannot rely on asynchronous interrupts triggering at an exact instruction boundary. In fact, researchers have had some success in doing exactly that. Even ignoring that, though, we should aim to protect against lucky attackers just as much as good ones.)
To protect against this, saved register state must be at least partially signed (using something like `ptrauth_sign_generic_data`_). This is required for correctness anyway because saved thread states include security-critical registers such as SP, FP, PC, and LR (where applicable). Ideally, this signature would cover all the registers, but since saving and restoring registers can be very performance-sensitive, that may not be acceptable. It is sufficient to set aside a small number of scratch registers that will be guaranteed to be preserved correctly; the compiler can then be careful to only store critical values like intermediate raw pointers in those registers.
``setjmp`` and ``longjmp`` should sign and authenticate the core registers (SP, FP, PC, and LR), but they do not need to worry about intermediate values because ``setjmp`` can only be called synchronously, and the compiler should never schedule pointer-authentication operations interleaved with arbitrary calls.
.. _Relative addresses:
Attacks on relative addressing
++++++++++++++++++++++++++++++
Relative addressing is a technique used to compress and reduce the load-time cost of infrequently-used global data. The pointer authentication system is unlikely to support signing or authenticating a relative address, and in most cases it would defeat the point to do so: it would take additional storage space, and applying the signature would take extra work at load time.
Relative addressing is not precluded by the use of pointer authentication, but it does take extra considerations to make it secure:
- Relative addresses must only be stored in read-only memory. A writable relative address can be overwritten to point nearly anywhere, making it inherently insecure; this danger can only be compensated for with techniques for protecting arbitrary data like `ptrauth_sign_generic_data`_.
- Relative addresses must only be accessed through signed pointers with adequate diversity. If an attacker can perform an `access path attack` to replace the pointer through which the relative address is accessed, they can easily cause the relative address to point wherever they want.
Signature forging
+++++++++++++++++
If an attacker can exactly reproduce the behavior of the signing algorithm, and they know all the correct inputs to it, then they can perfectly forge a signature on an arbitrary pointer.
There are three components to avoiding this mistake:
- The abstract signing algorithm should be good: it should not have glaring flaws which would allow attackers to predict its result with better than random accuracy without knowing all the inputs (like the key values).
- The key values should be kept secret. If at all possible, they should never be stored in accessible memory, or perhaps only stored encrypted.
- Contexts that are meant to be independently protected should use different key values. For example, the kernel should not use the same keys as user processes. Different user processes should also use different keys from each other as much as possible, although this may pose its own technical challenges.
Remapping
+++++++++
If an attacker can change the memory protections on certain pages of the program's memory, that can substantially weaken the protections afforded by pointer authentication.
- If an attacker can inject their own executable code, they can also certainly inject code that can be used as a :ref:`signing oracle<Signing Oracles>`. The same is true if they can write to the instruction stream.
- If an attacker can remap read-only program sections to be writable, then any use of :ref:`relative addresses` in global data becomes insecure.
- If an attacker can remap read-only program sections to be writable, then it is unsafe to use unsigned pointers in `global offset tables`_.
Remapping memory in this way often requires the attacker to have already substantively subverted the control flow of the process. Nonetheless, if the operating system has a mechanism for mapping pages in a way that cannot be remapped, this should be used wherever possible.
.. _Safe Derivation:
Safe derivation
~~~~~~~~~~~~~~~
Whether a data pointer is stored, even briefly, as a raw pointer can affect the security-correctness of a program. (Function pointers are never implicitly stored as raw pointers; raw pointers to functions can only be produced with the ``<ptrauth.h>`` intrinsics.) Repeated re-signing can also impact performance. Clang makes a modest set of guarantees in this area:
- An expression of pointer type is said to be **safely derived** if:
- it takes the address of a global variable or function, or
- it is a load from a gl-value of ``__ptrauth``-qualified type.
- If a value that is safely derived is assigned to a ``__ptrauth``-qualified object, including by initialization, then the value will be directly signed as appropriate for the target qualifier and will not be stored as a raw pointer.
- If the function expression of a call is a gl-value of ``__ptrauth``-qualified type, then the call will be authenticated directly according to the source qualifier and will not be resigned to the default rule for a function pointer of its type.
These guarantees are known to be inadequate for data pointer security. In particular, Clang should be enhanced to make the following guarantees:
- A pointer should additionally be considered safely derived if it is:
- the address of a gl-value that is safely derived,
- the result of pointer arithmetic on a pointer that is safely derived (with some restrictions on the integer operand),
- the result of a comma operator where the second operand is safely derived,
- the result of a conditional operator where the selected operand is safely derived, or
- the result of loading from a safely derived gl-value.
- A gl-value should be considered safely derived if it is:
- a dereference of a safely derived pointer,
- a member access into a safely derived gl-value, or
- a reference to a variable.
- An access to a safely derived gl-value should be guaranteed to not allow replacement of any of the safely-derived component values at any point in the access. "Access" should include loading a function pointer.
- Assignments should include pointer-arithmetic operators like ``+=``.
Making these guarantees will require further work, including significant new support in LLVM IR.
Furthermore, Clang should implement a warning when assigning a data pointer that is not safely derived to a ``__ptrauth``-qualified gl-value.
Alternative implementations
---------------------------
Signature storage
~~~~~~~~~~~~~~~~~
It is not critical for the security of pointer authentication that the signature be stored "together" with the pointer, as it is in ARMv8.3. An implementation could just as well store the signature in a separate word, so that the ``sizeof`` a signed pointer would be larger than the ``sizeof`` a raw pointer.
Storing the signature in the high bits, as ARMv8.3 does, has several trade-offs:
- Disadvantage: there are substantially fewer bits available for the signature, weakening the mitigation by making it much easier for an attacker to simply guess the correct signature.
- Disadvantage: future growth of the address space will necessarily further weaken the mitigation.
- Advantage: memory layouts don't change, so it's possible for pointer-authentication-enabled code (for example, in a system library) to efficiently interoperate with existing code, as long as pointer authentication can be disabled dynamically.
- Advantage: the size of a signed pointer doesn't grow, which might significantly increase memory requirements, code size, and register pressure.
- Advantage: the size of a signed pointer is the same as a raw pointer, so generic APIs which work in types like `void *` (such as `dlsym`) can still return signed pointers. This means that clients of these APIs will not require insecure code in order to correctly receive a function pointer.
Hashing vs. encrypting pointers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ARMv8.3 implements ``sign`` by computing a cryptographic hash and storing that in the spare bits of the pointer. This means that there are relatively few possible values for the valid signed pointer, since the bits corresponding to the raw pointer are known. Together with an ``auth`` oracle, this can make it computationally feasible to discover the correct signature with brute force. (The implementation should of course endeavor not to introduce ``auth`` oracles, but this can be difficult, and attackers can be devious.)
If the implementation can instead *encrypt* the pointer during ``sign`` and *decrypt* it during ``auth``, this brute-force attack becomes far less feasible, even with an ``auth`` oracle. However, there are several problems with this idea:
- It's unclear whether this kind of encryption is even possible without increasing the storage size of a signed pointer. If the storage size can be increased, brute-force atacks can be equally well mitigated by simply storing a larger signature.
- It would likely be impossible to implement a ``strip`` operation, which might make debuggers and other out-of-process tools far more difficult to write, as well as generally making primitive debugging more challenging.
- Implementations can benefit from being able to extract the raw pointer immediately from a signed pointer. An ARMv8.3 processor executing an ``auth``-and-load instruction can perform the load and ``auth`` in parallel; a processor which instead encrypted the pointer would be forced to perform these operations serially.

clang/include/clang/Basic/Builtins.def

Context not available.
LANGBUILTIN(__builtin_coro_end, "bv*Ib", "n", COR_LANG) LANGBUILTIN(__builtin_coro_end, "bv*Ib", "n", COR_LANG)
LANGBUILTIN(__builtin_coro_suspend, "cIb", "n", COR_LANG) LANGBUILTIN(__builtin_coro_suspend, "cIb", "n", COR_LANG)
// Pointer authentication builtins.
BUILTIN(__builtin_ptrauth_strip, "v*v*i", "tnc")
BUILTIN(__builtin_ptrauth_blend_discriminator, "zv*i", "tnc")
BUILTIN(__builtin_ptrauth_sign_unauthenticated, "v*v*iv*", "tnc")
BUILTIN(__builtin_ptrauth_sign_generic_data, "zv*v*", "tnc")
BUILTIN(__builtin_ptrauth_auth_and_resign, "v*v*iv*iv*", "tn")
BUILTIN(__builtin_ptrauth_auth, "v*v*iv*", "tn")
// OpenCL v2.0 s6.13.16, s9.17.3.5 - Pipe functions. // OpenCL v2.0 s6.13.16, s9.17.3.5 - Pipe functions.
// We need the generic prototype, since the packet type could be anything. // We need the generic prototype, since the packet type could be anything.
LANGBUILTIN(read_pipe, "i.", "tn", OCL_PIPE) LANGBUILTIN(read_pipe, "i.", "tn", OCL_PIPE)
Context not available.

clang/include/clang/Basic/DiagnosticGroups.td

Context not available.
def GNUZeroLineDirective : DiagGroup<"gnu-zero-line-directive">; def GNUZeroLineDirective : DiagGroup<"gnu-zero-line-directive">;
def GNUZeroVariadicMacroArguments : DiagGroup<"gnu-zero-variadic-macro-arguments">; def GNUZeroVariadicMacroArguments : DiagGroup<"gnu-zero-variadic-macro-arguments">;
def MisleadingIndentation : DiagGroup<"misleading-indentation">; def MisleadingIndentation : DiagGroup<"misleading-indentation">;
def PtrAuthNullPointers : DiagGroup<"ptrauth-null-pointers">;
// This covers both the deprecated case (in C++98) // This covers both the deprecated case (in C++98)
// and the extension case (in C++11 onwards). // and the extension case (in C++11 onwards).
Context not available.

clang/include/clang/Basic/DiagnosticSemaKinds.td

Context not available.
def err_function_start_invalid_type: Error< def err_function_start_invalid_type: Error<
"argument must be a function">; "argument must be a function">;
def err_ptrauth_disabled :
Error<"this target does not support pointer authentication">;
def err_ptrauth_invalid_key :
Error<"%0 does not identify a valid pointer authentication key for "
"the current target">;
def err_ptrauth_value_bad_type :
Error<"%select{signed value|extra discriminator|blended pointer|blended "
"integer}0 must have %select{pointer|integer|pointer or integer}1 "
"type; type here is %2">;
def warn_ptrauth_sign_null_pointer :
Warning<"signing a null pointer will yield a non-null pointer">,
InGroup<PtrAuthNullPointers>;
def warn_ptrauth_auth_null_pointer :
Warning<"authenticating a null pointer will almost certainly trap">,
InGroup<PtrAuthNullPointers>;
/// main() /// main()
// static main() is not an error in C, just in C++. // static main() is not an error in C, just in C++.
def warn_static_main : Warning<"'main' should not be declared static">, def warn_static_main : Warning<"'main' should not be declared static">,
Context not available.

clang/include/clang/Basic/Features.def

Context not available.
FEATURE(thread_sanitizer, LangOpts.Sanitize.has(SanitizerKind::Thread)) FEATURE(thread_sanitizer, LangOpts.Sanitize.has(SanitizerKind::Thread))
FEATURE(dataflow_sanitizer, LangOpts.Sanitize.has(SanitizerKind::DataFlow)) FEATURE(dataflow_sanitizer, LangOpts.Sanitize.has(SanitizerKind::DataFlow))
FEATURE(scudo, LangOpts.Sanitize.hasOneOf(SanitizerKind::Scudo)) FEATURE(scudo, LangOpts.Sanitize.hasOneOf(SanitizerKind::Scudo))
FEATURE(ptrauth_intrinsics, LangOpts.PointerAuthIntrinsics)
FEATURE(swiftasynccc, FEATURE(swiftasynccc,
PP.getTargetInfo().checkCallingConvention(CC_SwiftAsync) == PP.getTargetInfo().checkCallingConvention(CC_SwiftAsync) ==
clang::TargetInfo::CCCR_OK) clang::TargetInfo::CCCR_OK)
Context not available.

clang/include/clang/Basic/LangOptions.def

Context not available.
LANGOPT(RelaxedTemplateTemplateArgs, 1, 0, "C++17 relaxed matching of template template arguments") LANGOPT(RelaxedTemplateTemplateArgs, 1, 0, "C++17 relaxed matching of template template arguments")
LANGOPT(ExperimentalLibrary, 1, 0, "enable unstable and experimental library features") LANGOPT(ExperimentalLibrary, 1, 0, "enable unstable and experimental library features")
LANGOPT(PointerAuthIntrinsics, 1, 0, "pointer authentication intrinsics")
LANGOPT(DoubleSquareBracketAttributes, 1, 0, "'[[]]' attributes extension for all language standard modes") LANGOPT(DoubleSquareBracketAttributes, 1, 0, "'[[]]' attributes extension for all language standard modes")
COMPATIBLE_LANGOPT(RecoveryAST, 1, 1, "Preserve expressions in AST when encountering errors") COMPATIBLE_LANGOPT(RecoveryAST, 1, 1, "Preserve expressions in AST when encountering errors")
Context not available.

clang/include/clang/Basic/TargetInfo.h

Context not available.
#include "clang/Basic/TargetOptions.h" #include "clang/Basic/TargetOptions.h"
#include "llvm/ADT/APFloat.h" #include "llvm/ADT/APFloat.h"
#include "llvm/ADT/APInt.h" #include "llvm/ADT/APInt.h"
#include "llvm/ADT/APSInt.h"
#include "llvm/ADT/ArrayRef.h" #include "llvm/ADT/ArrayRef.h"
#include "llvm/ADT/IntrusiveRefCntPtr.h" #include "llvm/ADT/IntrusiveRefCntPtr.h"
#include "llvm/ADT/SmallSet.h" #include "llvm/ADT/SmallSet.h"
Context not available.
return getAddressSpaceMap()[(unsigned)AS]; return getAddressSpaceMap()[(unsigned)AS];
} }
/// Determine whether the given pointer-authentication key is valid.
///
/// The value has been coerced to type 'int'.
virtual bool validatePointerAuthKey(const llvm::APSInt &value) const;
/// Map from the address space field in builtin description strings to the /// Map from the address space field in builtin description strings to the
/// language address space. /// language address space.
virtual LangAS getOpenCLBuiltinAddressSpace(unsigned AS) const { virtual LangAS getOpenCLBuiltinAddressSpace(unsigned AS) const {
Context not available.

clang/include/clang/Driver/Options.td

Context not available.
" of a non-void function as unreachable">, " of a non-void function as unreachable">,
PosFlag<SetTrue>>; PosFlag<SetTrue>>;
let Group = f_Group in {
let Visibility = [ClangOption,CC1Option] in {
def fptrauth_intrinsics : Flag<["-"], "fptrauth-intrinsics">,
HelpText<"Enable pointer-authentication intrinsics">;
}
def fno_ptrauth_intrinsics : Flag<["-"], "fno-ptrauth-intrinsics">;
}
def fenable_matrix : Flag<["-"], "fenable-matrix">, Group<f_Group>, def fenable_matrix : Flag<["-"], "fenable-matrix">, Group<f_Group>,
Visibility<[ClangOption, CC1Option]>, Visibility<[ClangOption, CC1Option]>,
HelpText<"Enable matrix data type and related builtin functions">, HelpText<"Enable matrix data type and related builtin functions">,
Context not available.

clang/include/clang/Sema/Sema.h

Context not available.
SourceLocation AtomicQualLoc = SourceLocation(), SourceLocation AtomicQualLoc = SourceLocation(),
SourceLocation UnalignedQualLoc = SourceLocation()); SourceLocation UnalignedQualLoc = SourceLocation());
bool checkConstantPointerAuthKey(Expr *keyExpr, unsigned &key);
static bool adjustContextForLocalExternDecl(DeclContext *&DC); static bool adjustContextForLocalExternDecl(DeclContext *&DC);
void DiagnoseFunctionSpecifiers(const DeclSpec &DS); void DiagnoseFunctionSpecifiers(const DeclSpec &DS);
NamedDecl *getShadowedDeclaration(const TypedefNameDecl *D, NamedDecl *getShadowedDeclaration(const TypedefNameDecl *D,
Context not available.

clang/lib/Basic/Module.cpp

Context not available.
if (!Requested->Parent && Requested->Name == "_Builtin_stddef_max_align_t") if (!Requested->Parent && Requested->Name == "_Builtin_stddef_max_align_t")
return true; return true;
// Anyone is allowed to use our builtin ptrauth.h and its accompanying module.
if (!Requested->Parent && Requested->Name == "ptrauth")
return true;
if (NoUndeclaredIncludes) if (NoUndeclaredIncludes)
UndeclaredUses.insert(Requested); UndeclaredUses.insert(Requested);
Context not available.

clang/lib/Basic/TargetInfo.cpp

Context not available.
return true; return true;
} }
bool TargetInfo::validatePointerAuthKey(const llvm::APSInt &value) const {
return false;
}
void TargetInfo::CheckFixedPointBits() const { void TargetInfo::CheckFixedPointBits() const {
// Check that the number of fractional and integral bits (and maybe sign) can // Check that the number of fractional and integral bits (and maybe sign) can
// fit into the bits given for a fixed point type. // fit into the bits given for a fixed point type.
Context not available.

clang/lib/Basic/Targets/AArch64.h

Context not available.
int getEHDataRegisterNumber(unsigned RegNo) const override; int getEHDataRegisterNumber(unsigned RegNo) const override;
bool validatePointerAuthKey(const llvm::APSInt &value) const override;
const char *getBFloat16Mangling() const override { return "u6__bf16"; }; const char *getBFloat16Mangling() const override { return "u6__bf16"; };
bool hasInt128Type() const override; bool hasInt128Type() const override;
Context not available.

clang/lib/Basic/Targets/AArch64.cpp

Context not available.
#include "clang/Basic/LangOptions.h" #include "clang/Basic/LangOptions.h"
#include "clang/Basic/TargetBuiltins.h" #include "clang/Basic/TargetBuiltins.h"
#include "clang/Basic/TargetInfo.h" #include "clang/Basic/TargetInfo.h"
#include "llvm/ADT/APSInt.h"
#include "llvm/ADT/ArrayRef.h" #include "llvm/ADT/ArrayRef.h"
#include "llvm/ADT/StringExtras.h" #include "llvm/ADT/StringExtras.h"
#include "llvm/ADT/StringSwitch.h" #include "llvm/ADT/StringSwitch.h"
rjmccallUnsubmitted
Done
ReplyInline Actions

There's an LLVM constants header for this now, right?

rjmccall: There's an LLVM constants header for this now, right?
abAuthorUnsubmitted
Done
ReplyInline Actions

Hmm, I don't think so, do you have something in mind? The AArch64 backend has helpers for this, but that's confined there. IR doesn't know anything about keys (for instance, the IR verifier doesn't have the same validation done here)

There's a related latent concern I have: currently, nothing prevents optimizations from moving ptrauth ops into global constant initializers, and since we don't support global initializers with process-specific keys (at least on darwin), we may need to expose this knowledge somehow (undoing this in the backend is not straightforward, but is an option).

Knowing which keys are used in what way would need to be triple-specific, though I guess that's not an obstacle.

ab: Hmm, I don't think so, do you have something in mind? The AArch64 backend has helpers for this…
Context not available.
return -1; return -1;
} }
bool AArch64TargetInfo::validatePointerAuthKey(
const llvm::APSInt &value) const {
return 0 <= value && value <= 3;
}
bool AArch64TargetInfo::hasInt128Type() const { return true; } bool AArch64TargetInfo::hasInt128Type() const { return true; }
AArch64leTargetInfo::AArch64leTargetInfo(const llvm::Triple &Triple, AArch64leTargetInfo::AArch64leTargetInfo(const llvm::Triple &Triple,
Context not available.

clang/lib/CodeGen/CGBuiltin.cpp

Context not available.
case Builtin::BI__iso_volatile_store64: case Builtin::BI__iso_volatile_store64:
return RValue::get(EmitISOVolatileStore(*this, E)); return RValue::get(EmitISOVolatileStore(*this, E));
case Builtin::BI__builtin_ptrauth_auth:
case Builtin::BI__builtin_ptrauth_auth_and_resign:
case Builtin::BI__builtin_ptrauth_blend_discriminator:
case Builtin::BI__builtin_ptrauth_sign_generic_data:
case Builtin::BI__builtin_ptrauth_sign_unauthenticated:
case Builtin::BI__builtin_ptrauth_strip: {
// Emit the arguments.
SmallVector<llvm::Value*, 5> args;
for (auto argExpr : E->arguments())
args.push_back(EmitScalarExpr(argExpr));
// Cast the value to intptr_t, saving its original type.
llvm::Type *origValueType = args[0]->getType();
if (origValueType->isPointerTy())
args[0] = Builder.CreatePtrToInt(args[0], IntPtrTy);
switch (BuiltinID) {
case Builtin::BI__builtin_ptrauth_auth_and_resign:
if (args[4]->getType()->isPointerTy())
args[4] = Builder.CreatePtrToInt(args[4], IntPtrTy);
LLVM_FALLTHROUGH;
case Builtin::BI__builtin_ptrauth_auth:
case Builtin::BI__builtin_ptrauth_sign_unauthenticated:
if (args[2]->getType()->isPointerTy())
args[2] = Builder.CreatePtrToInt(args[2], IntPtrTy);
break;
case Builtin::BI__builtin_ptrauth_sign_generic_data:
if (args[1]->getType()->isPointerTy())
args[1] = Builder.CreatePtrToInt(args[1], IntPtrTy);
break;
case Builtin::BI__builtin_ptrauth_blend_discriminator:
case Builtin::BI__builtin_ptrauth_strip:
break;
}
// Call the intrinsic.
auto intrinsicID = [&]() -> unsigned {
switch (BuiltinID) {
case Builtin::BI__builtin_ptrauth_auth:
return llvm::Intrinsic::ptrauth_auth;
case Builtin::BI__builtin_ptrauth_auth_and_resign:
return llvm::Intrinsic::ptrauth_resign;
case Builtin::BI__builtin_ptrauth_blend_discriminator:
return llvm::Intrinsic::ptrauth_blend;
case Builtin::BI__builtin_ptrauth_sign_generic_data:
return llvm::Intrinsic::ptrauth_sign_generic;
case Builtin::BI__builtin_ptrauth_sign_unauthenticated:
return llvm::Intrinsic::ptrauth_sign;
case Builtin::BI__builtin_ptrauth_strip:
return llvm::Intrinsic::ptrauth_strip;
}
llvm_unreachable("bad ptrauth intrinsic");
}();
auto intrinsic = CGM.getIntrinsic(intrinsicID);
llvm::Value *result = EmitRuntimeCall(intrinsic, args);
if (BuiltinID != Builtin::BI__builtin_ptrauth_sign_generic_data &&
BuiltinID != Builtin::BI__builtin_ptrauth_blend_discriminator &&
origValueType->isPointerTy()) {
result = Builder.CreateIntToPtr(result, origValueType);
}
return RValue::get(result);
}
case Builtin::BI__exception_code: case Builtin::BI__exception_code:
case Builtin::BI_exception_code: case Builtin::BI_exception_code:
return RValue::get(EmitSEHExceptionCode()); return RValue::get(EmitSEHExceptionCode());
Context not available.

clang/lib/Driver/ToolChains/Clang.cpp

Context not available.
// -fno-common is the default, set -fcommon only when that flag is set. // -fno-common is the default, set -fcommon only when that flag is set.
Args.addOptInFlag(CmdArgs, options::OPT_fcommon, options::OPT_fno_common); Args.addOptInFlag(CmdArgs, options::OPT_fcommon, options::OPT_fno_common);
if (Args.hasFlag(options::OPT_fptrauth_intrinsics,
options::OPT_fno_ptrauth_intrinsics, false))
CmdArgs.push_back("-fptrauth-intrinsics");
// -fsigned-bitfields is default, and clang doesn't yet support // -fsigned-bitfields is default, and clang doesn't yet support
// -funsigned-bitfields. // -funsigned-bitfields.
if (!Args.hasFlag(options::OPT_fsigned_bitfields, if (!Args.hasFlag(options::OPT_fsigned_bitfields,
Context not available.

clang/lib/Driver/ToolChains/Darwin.h

Context not available.
void addClangWarningOptions(llvm::opt::ArgStringList &CC1Args) const override; void addClangWarningOptions(llvm::opt::ArgStringList &CC1Args) const override;
void addClangTargetOptions(const llvm::opt::ArgList &DriverArgs,
llvm::opt::ArgStringList &CC1Args,
Action::OffloadKind DeviceOffloadKind) const override;
void AddLinkARCArgs(const llvm::opt::ArgList &Args, void AddLinkARCArgs(const llvm::opt::ArgList &Args,
llvm::opt::ArgStringList &CmdArgs) const override; llvm::opt::ArgStringList &CmdArgs) const override;
Context not available.

clang/lib/Driver/ToolChains/Darwin.cpp

Context not available.
} }
} }
void DarwinClang::addClangTargetOptions(
const llvm::opt::ArgList &DriverArgs, llvm::opt::ArgStringList &CC1Args,
Action::OffloadKind DeviceOffloadKind) const{
Darwin::addClangTargetOptions(DriverArgs, CC1Args, DeviceOffloadKind);
// On arm64e, enable pointer authentication intrinsics.
if (getTriple().isArm64e()) {
if (!DriverArgs.hasArg(options::OPT_fptrauth_intrinsics,
options::OPT_fno_ptrauth_intrinsics))
CC1Args.push_back("-fptrauth-intrinsics");
}
}
/// Take a path that speculatively points into Xcode and return the /// Take a path that speculatively points into Xcode and return the
/// `XCODE/Contents/Developer` path if it is an Xcode path, or an empty path /// `XCODE/Contents/Developer` path if it is an Xcode path, or an empty path
/// otherwise. /// otherwise.
Context not available.

clang/lib/Frontend/CompilerInvocation.cpp

Context not available.
return Diags.getNumErrors() == NumErrorsBefore; return Diags.getNumErrors() == NumErrorsBefore;
} }
static void GeneratePointerAuthArgs(const LangOptions &Opts,
ArgumentConsumer Consumer) {
if (Opts.PointerAuthIntrinsics)
GenerateArg(Consumer, OPT_fptrauth_intrinsics);
}
static void ParsePointerAuthArgs(LangOptions &Opts, ArgList &Args,
DiagnosticsEngine &Diags) {
Opts.PointerAuthIntrinsics = Args.hasArg(OPT_fptrauth_intrinsics);
}
/// Check if input file kind and language standard are compatible. /// Check if input file kind and language standard are compatible.
static bool IsInputCompatibleWithStandard(InputKind IK, static bool IsInputCompatibleWithStandard(InputKind IK,
const LangStandard &S) { const LangStandard &S) {
Context not available.
llvm::Triple T(Res.getTargetOpts().Triple); llvm::Triple T(Res.getTargetOpts().Triple);
ParseHeaderSearchArgs(Res.getHeaderSearchOpts(), Args, Diags, ParseHeaderSearchArgs(Res.getHeaderSearchOpts(), Args, Diags,
Res.getFileSystemOpts().WorkingDir); Res.getFileSystemOpts().WorkingDir);
ParsePointerAuthArgs(LangOpts, Args, Diags);
ParseLangArgs(LangOpts, Args, DashX, T, Res.getPreprocessorOpts().Includes, ParseLangArgs(LangOpts, Args, DashX, T, Res.getPreprocessorOpts().Includes,
Diags); Diags);
Context not available.
GenerateFrontendArgs(getFrontendOpts(), Consumer, getLangOpts().IsHeaderFile); GenerateFrontendArgs(getFrontendOpts(), Consumer, getLangOpts().IsHeaderFile);
GenerateTargetArgs(getTargetOpts(), Consumer); GenerateTargetArgs(getTargetOpts(), Consumer);
GenerateHeaderSearchArgs(getHeaderSearchOpts(), Consumer); GenerateHeaderSearchArgs(getHeaderSearchOpts(), Consumer);
GeneratePointerAuthArgs(getLangOpts(), Consumer);
GenerateLangArgs(getLangOpts(), Consumer, T, getFrontendOpts().DashX); GenerateLangArgs(getLangOpts(), Consumer, T, getFrontendOpts().DashX);
GenerateCodeGenArgs(getCodeGenOpts(), Consumer, T, GenerateCodeGenArgs(getCodeGenOpts(), Consumer, T,
getFrontendOpts().OutputFile, &getLangOpts()); getFrontendOpts().OutputFile, &getLangOpts());
Context not available.

clang/lib/Headers/CMakeLists.txt

Context not available.
popcntintrin.h popcntintrin.h
prfchiintrin.h prfchiintrin.h
prfchwintrin.h prfchwintrin.h
ptrauth.h
ptwriteintrin.h ptwriteintrin.h
raointintrin.h raointintrin.h
rdpruintrin.h rdpruintrin.h
Context not available.

clang/lib/Headers/module.modulemap

Context not available.
header "opencl-c.h" header "opencl-c.h"
header "opencl-c-base.h" header "opencl-c-base.h"
} }
module ptrauth {
header "ptrauth.h"
export *
}
Context not available.

clang/lib/Headers/ptrauth.h

  • This file was added.
/*===---- ptrauth.h - Pointer authentication -------------------------------===
*
* Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
* See https://llvm.org/LICENSE.txt for license information.
* SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
*
*===-----------------------------------------------------------------------===
*/
#ifndef __PTRAUTH_H
#define __PTRAUTH_H
typedef enum {
ptrauth_key_asia = 0,
ptrauth_key_asib = 1,
ptrauth_key_asda = 2,
ptrauth_key_asdb = 3,
/* A process-independent key which can be used to sign code pointers.
Signing and authenticating with this key is a no-op in processes
which disable ABI pointer authentication. */
ptrauth_key_process_independent_code = ptrauth_key_asia,
/* A process-specific key which can be used to sign code pointers.
Signing and authenticating with this key is enforced even in processes
which disable ABI pointer authentication. */
ptrauth_key_process_dependent_code = ptrauth_key_asib,
/* A process-independent key which can be used to sign data pointers.
Signing and authenticating with this key is a no-op in processes
which disable ABI pointer authentication. */
ptrauth_key_process_independent_data = ptrauth_key_asda,
/* A process-specific key which can be used to sign data pointers.
Signing and authenticating with this key is a no-op in processes
which disable ABI pointer authentication. */
ptrauth_key_process_dependent_data = ptrauth_key_asdb,
kristof.beylsUnsubmitted
Not Done
ReplyInline Actions

I think, but am not sure, that the decision of which keys are process independent and which ones are process-dependent is a software platform choice?
If so, maybe ptrauth_key_process_{in,}dependent_* should only get defined conditionally?
I'm not sure if any decisions have been taken already for e.g. linux, Android, other platforms.
If not, maybe this block of code should be surrounded by an ifdef that is enabled only when targeting Darwin?

kristof.beyls: I think, but am not sure, that the decision of which keys are process independent and which…
rjmccallUnsubmitted
Not Done
ReplyInline Actions

Yes, in retrospect it was a bad idea to define these particular generic names. I believe Apple platforms no longer have "process-independent" keys. It should really just be (1) the concrete keys, (2) recommended default keys for code and data pointers, and then (3) the specific keys used in specific schemas. Beyond that, if people want a specific different key for some purpose, they should ask for it.

Unfortunately, there's already a fair amount of code using these names. We could deprecate the old names and point people towards the new names, though.

rjmccall: Yes, in retrospect it was a bad idea to define these particular generic names. I believe Apple…
kristof.beylsUnsubmitted
Not Done
ReplyInline Actions

Thanks for those background insights!
I was thinking that maybe the keys that should be deprecated could be enabled only when targeting Apple platforms? I'm assuming here that most existing code using these only target Apple platforms; so making them available only when targeting Apple platforms could help with not letting the use of them spread further without impacting existing code much?

kristof.beyls: Thanks for those background insights! I was thinking that maybe the keys that should be…
abAuthorUnsubmitted
Not Done
ReplyInline Actions

Or we could keep these downstream as well, and deprecate them there directly.

Worth mentioning we'll have a similar problem with the "language-feature-specific" key enums and qualifiers (e.g., ptrauth_key_function_pointer): they're currently hardcoded in ptrauth.h with the arm64e values. I was thinking maybe they should be defined by the frontend and exposed to ptrauth.h through macros (and/or builtin types, or something else), so that the single source of truth is the frontend logic that decides which schemas are used where. But that's a problem for another day.

So, concretely:

  • remove these 4 key aliases (and transition them downstream, yadda yadda)
  • gate the later key aliases (that describe the language ABI schemas) on __arm64e__
  • figure out some more complicated way of defining these, as needed, for other targets
ab: Or we could keep these downstream as well, and deprecate them there directly. Worth mentioning…
} ptrauth_key;
/* An integer type of the appropriate size for a discriminator argument. */
typedef __UINTPTR_TYPE__ ptrauth_extra_data_t;
/* An integer type of the appropriate size for a generic signature. */
typedef __UINTPTR_TYPE__ ptrauth_generic_signature_t;
/* A signed pointer value embeds the original pointer together with
a signature that attests to the validity of that pointer. Because
this signature must use only "spare" bits of the pointer, a
signature's validity is probabilistic in practice: it is unlikely
but still plausible that an invalidly-derived signature will
somehow equal the correct signature and therefore successfully
authenticate. Nonetheless, this scheme provides a strong degree
of protection against certain kinds of attacks. */
/* Authenticating a pointer that was not signed with the given key
and extra-data value will (likely) fail by trapping. */
#if __has_feature(ptrauth_intrinsics)
/* Strip the signature from a value without authenticating it.
If the value is a function pointer, the result will not be a
legal function pointer because of the missing signature, and
attempting to call it will result in an authentication failure.
The value must be an expression of pointer type.
The key must be a constant expression of type ptrauth_key.
The result will have the same type as the original value. */
#define ptrauth_strip(__value, __key) \
__builtin_ptrauth_strip(__value, __key)
/* Blend a constant discriminator into the given pointer-like value
to form a new discriminator. Not all bits of the inputs are
guaranteed to contribute to the result.
On arm64e, the integer must fall within the range of a uint16_t;
other bits may be ignored.
The first argument must be an expression of pointer type.
The second argument must be an expression of integer type.
The result will have type uintptr_t. */
#define ptrauth_blend_discriminator(__pointer, __integer) \
__builtin_ptrauth_blend_discriminator(__pointer, __integer)
/* Add a signature to the given pointer value using a specific key,
using the given extra data as a salt to the signing process.
This operation does not authenticate the original value and is
therefore potentially insecure if an attacker could possibly
control that value.
The value must be an expression of pointer type.
The key must be a constant expression of type ptrauth_key.
The extra data must be an expression of pointer or integer type;
if an integer, it will be coerced to ptrauth_extra_data_t.
The result will have the same type as the original value. */
#define ptrauth_sign_unauthenticated(__value, __key, __data) \
__builtin_ptrauth_sign_unauthenticated(__value, __key, __data)
/* Authenticate a pointer using one scheme and resign it using another.
If the result is subsequently authenticated using the new scheme, that
authentication is guaranteed to fail if and only if the initial
authentication failed.
The value must be an expression of pointer type.
The key must be a constant expression of type ptrauth_key.
The extra data must be an expression of pointer or integer type;
if an integer, it will be coerced to ptrauth_extra_data_t.
The result will have the same type as the original value.
This operation is guaranteed to not leave the intermediate value
available for attack before it is re-signed.
Do not pass a null pointer to this function. A null pointer
will not successfully authenticate. */
#define ptrauth_auth_and_resign(__value, __old_key, __old_data, __new_key, __new_data) \
__builtin_ptrauth_auth_and_resign(__value, __old_key, __old_data, __new_key, __new_data)
/* Authenticate a data pointer.
The value must be an expression of non-function pointer type.
The key must be a constant expression of type ptrauth_key.
The extra data must be an expression of pointer or integer type;
if an integer, it will be coerced to ptrauth_extra_data_t.
The result will have the same type as the original value.
If the authentication fails, dereferencing the resulting pointer
will fail. */
#define ptrauth_auth_data(__value, __old_key, __old_data) \
__builtin_ptrauth_auth(__value, __old_key, __old_data)
/* Compute a signature for the given pair of pointer-sized values.
The order of the arguments is significant.
Like a pointer signature, the resulting signature depends on
private key data and therefore should not be reliably reproducible
by attackers. That means that this can be used to validate the
integrity of arbitrary data by storing a signature for that data
alongside it, then checking that the signature is still valid later.
Data which exceeds two pointers in size can be signed by either
computing a tree of generic signatures or just signing an ordinary
cryptographic hash of the data.
The result has type ptrauth_generic_signature_t. However, it may
not have as many bits of entropy as that type's width would suggest;
some implementations are known to compute a compressed signature as
if the arguments were a pointer and a discriminator.
The arguments must be either pointers or integers; if integers, they
will be coerce to uintptr_t. */
#define ptrauth_sign_generic_data(__value, __data) \
__builtin_ptrauth_sign_generic_data(__value, __data)
#else
#define ptrauth_strip(__value, __key) ({(void)__key; __value;})
#define ptrauth_blend_discriminator(__pointer, __integer) ({(void)__pointer; (void)__integer; ((ptrauth_extra_data_t)0);})
#define ptrauth_sign_unauthenticated(__value, __key, __data) ({(void)__key; (void)__data; __value;})
#define ptrauth_auth_and_resign(__value, __old_key, __old_data, __new_key, __new_data) ({(void)__old_key; (void)__old_data; (void)__new_key; (void)__new_data; __value;})
#define ptrauth_auth_data(__value, __old_key, __old_data) ({(void)__old_key;(void)__old_data;__value;})
#define ptrauth_sign_generic_data(__value, __data) ({(void)__value;(void)__data;((ptrauth_generic_signature_t)0);})
#endif /* __has_feature(ptrauth_intrinsics) */
#endif /* __PTRAUTH_H */

clang/lib/Sema/SemaChecking.cpp

Context not available.
return false; return false;
InitializedEntity Entity = InitializedEntity Entity =
InitializedEntity::InitializeParameter(S.Context, Ty, false); InitializedEntity::InitializeParameter(S.Context, Ty, false);
ExprResult Result = ExprResult Result =
S.PerformCopyInitialization(Entity, SourceLocation(), Value); S.PerformCopyInitialization(Entity, SourceLocation(), Value);
if (Result.isInvalid()) if (Result.isInvalid())
return true; return true;
Value = Result.get(); Value = Result.get();
Context not available.
return false; return false;
} }
namespace {
enum PointerAuthOpKind {
PAO_Strip, PAO_Sign, PAO_Auth, PAO_SignGeneric, PAO_Discriminator,
PAO_BlendPointer, PAO_BlendInteger
};
}
static bool checkPointerAuthEnabled(Sema &S, Expr *E) {
if (S.getLangOpts().PointerAuthIntrinsics)
return false;
S.Diag(E->getExprLoc(), diag::err_ptrauth_disabled) << E->getSourceRange();
return true;
}
static bool checkPointerAuthKey(Sema &S, Expr *&Arg) {
// Convert it to type 'int'.
if (convertArgumentToType(S, Arg, S.Context.IntTy))
return true;
// Value-dependent expressions are okay; wait for template instantiation.
if (Arg->isValueDependent())
return false;
unsigned KeyValue;
return S.checkConstantPointerAuthKey(Arg, KeyValue);
}
bool Sema::checkConstantPointerAuthKey(Expr *Arg, unsigned &Result) {
// Attempt to constant-evaluate the expression.
std::optional<llvm::APSInt> KeyValue = Arg->getIntegerConstantExpr(Context);
if (!KeyValue) {
Diag(Arg->getExprLoc(), diag::err_expr_not_ice) << 0
<< Arg->getSourceRange();
return true;
}
// Ask the target to validate the key parameter.
if (!Context.getTargetInfo().validatePointerAuthKey(*KeyValue)) {
llvm::SmallString<32> Value; {
llvm::raw_svector_ostream Str(Value);
Str << *KeyValue;
}
Diag(Arg->getExprLoc(), diag::err_ptrauth_invalid_key)
<< Value << Arg->getSourceRange();
return true;
}
Result = KeyValue->getZExtValue();
return false;
}
static bool checkPointerAuthValue(Sema &S, Expr *&Arg,
PointerAuthOpKind OpKind) {
if (Arg->hasPlaceholderType()) {
ExprResult R = S.CheckPlaceholderExpr(Arg);
if (R.isInvalid()) return true;
Arg = R.get();
}
auto allowsPointer = [](PointerAuthOpKind OpKind) {
return OpKind != PAO_BlendInteger;
};
auto allowsInteger = [](PointerAuthOpKind OpKind) {
return OpKind == PAO_Discriminator ||
OpKind == PAO_BlendInteger ||
OpKind == PAO_SignGeneric;
};
// Require the value to have the right range of type.
QualType ExpectedTy;
if (allowsPointer(OpKind) && Arg->getType()->isPointerType()) {
ExpectedTy = Arg->getType().getUnqualifiedType();
} else if (allowsPointer(OpKind) && Arg->getType()->isNullPtrType()) {
ExpectedTy = S.Context.VoidPtrTy;
} else if (allowsInteger(OpKind) &&
Arg->getType()->isIntegralOrUnscopedEnumerationType()) {
ExpectedTy = S.Context.getUIntPtrType();
// Diagnose the failures.
} else {
S.Diag(Arg->getExprLoc(), diag::err_ptrauth_value_bad_type)
<< unsigned(OpKind == PAO_Discriminator ? 1 :
OpKind == PAO_BlendPointer ? 2 :
OpKind == PAO_BlendInteger ? 3 : 0)
<< unsigned(allowsInteger(OpKind) ?
(allowsPointer(OpKind) ? 2 : 1) : 0)
<< Arg->getType()
<< Arg->getSourceRange();
return true;
}
// Convert to that type. This should just be an lvalue-to-rvalue
// conversion.
if (convertArgumentToType(S, Arg, ExpectedTy))
return true;
// Warn about null pointers for non-generic sign and auth operations.
if ((OpKind == PAO_Sign || OpKind == PAO_Auth) &&
Arg->isNullPointerConstant(S.Context, Expr::NPC_ValueDependentIsNull)) {
S.Diag(Arg->getExprLoc(),
OpKind == PAO_Sign ? diag::warn_ptrauth_sign_null_pointer
: diag::warn_ptrauth_auth_null_pointer)
<< Arg->getSourceRange();
}
return false;
}
static ExprResult SemaPointerAuthStrip(Sema &S, CallExpr *Call) {
if (checkArgCount(S, Call, 2)) return ExprError();
if (checkPointerAuthEnabled(S, Call)) return ExprError();
if (checkPointerAuthValue(S, Call->getArgs()[0], PAO_Strip) ||
checkPointerAuthKey(S, Call->getArgs()[1]))
return ExprError();
Call->setType(Call->getArgs()[0]->getType());
return Call;
}
static ExprResult SemaPointerAuthBlendDiscriminator(Sema &S, CallExpr *Call) {
if (checkArgCount(S, Call, 2)) return ExprError();
if (checkPointerAuthEnabled(S, Call)) return ExprError();
if (checkPointerAuthValue(S, Call->getArgs()[0], PAO_BlendPointer) ||
checkPointerAuthValue(S, Call->getArgs()[1], PAO_BlendInteger))
return ExprError();
Call->setType(S.Context.getUIntPtrType());
return Call;
}
static ExprResult SemaPointerAuthSignGenericData(Sema &S, CallExpr *Call) {
if (checkArgCount(S, Call, 2)) return ExprError();
if (checkPointerAuthEnabled(S, Call)) return ExprError();
if (checkPointerAuthValue(S, Call->getArgs()[0], PAO_SignGeneric) ||
checkPointerAuthValue(S, Call->getArgs()[1], PAO_Discriminator))
return ExprError();
Call->setType(S.Context.getUIntPtrType());
return Call;
}
static ExprResult SemaPointerAuthSignOrAuth(Sema &S, CallExpr *Call,
PointerAuthOpKind OpKind) {
if (checkArgCount(S, Call, 3)) return ExprError();
if (checkPointerAuthEnabled(S, Call)) return ExprError();
if (checkPointerAuthValue(S, Call->getArgs()[0], OpKind) ||
checkPointerAuthKey(S, Call->getArgs()[1]) ||
checkPointerAuthValue(S, Call->getArgs()[2], PAO_Discriminator))
return ExprError();
Call->setType(Call->getArgs()[0]->getType());
return Call;
}
static ExprResult SemaPointerAuthAuthAndResign(Sema &S, CallExpr *Call) {
if (checkArgCount(S, Call, 5)) return ExprError();
if (checkPointerAuthEnabled(S, Call)) return ExprError();
if (checkPointerAuthValue(S, Call->getArgs()[0], PAO_Auth) ||
checkPointerAuthKey(S, Call->getArgs()[1]) ||
checkPointerAuthValue(S, Call->getArgs()[2], PAO_Discriminator) ||
checkPointerAuthKey(S, Call->getArgs()[3]) ||
checkPointerAuthValue(S, Call->getArgs()[4], PAO_Discriminator))
return ExprError();
Call->setType(Call->getArgs()[0]->getType());
return Call;
}
static ExprResult SemaBuiltinLaunder(Sema &S, CallExpr *TheCall) { static ExprResult SemaBuiltinLaunder(Sema &S, CallExpr *TheCall) {
if (checkArgCount(S, TheCall, 1)) if (checkArgCount(S, TheCall, 1))
return ExprError(); return ExprError();
Context not available.
} }
break; break;
} }
case Builtin::BI__builtin_ptrauth_strip:
return SemaPointerAuthStrip(*this, TheCall);
case Builtin::BI__builtin_ptrauth_blend_discriminator:
return SemaPointerAuthBlendDiscriminator(*this, TheCall);
case Builtin::BI__builtin_ptrauth_sign_unauthenticated:
return SemaPointerAuthSignOrAuth(*this, TheCall, PAO_Sign);
case Builtin::BI__builtin_ptrauth_auth:
return SemaPointerAuthSignOrAuth(*this, TheCall, PAO_Auth);
case Builtin::BI__builtin_ptrauth_sign_generic_data:
return SemaPointerAuthSignGenericData(*this, TheCall);
case Builtin::BI__builtin_ptrauth_auth_and_resign:
return SemaPointerAuthAuthAndResign(*this, TheCall);
// OpenCL v2.0, s6.13.16 - Pipe functions // OpenCL v2.0, s6.13.16 - Pipe functions
case Builtin::BIread_pipe: case Builtin::BIread_pipe:
case Builtin::BIwrite_pipe: case Builtin::BIwrite_pipe:
Context not available.

clang/test/CodeGen/ptrauth-intrinsics.c

  • This file was added.
// RUN: %clang_cc1 -triple arm64-apple-ios -fptrauth-intrinsics -emit-llvm %s -o - | FileCheck %s
void (*fnptr)(void);
long int_discriminator;
void *ptr_discriminator;
long signature;
// CHECK-LABEL: define void @test_auth()
void test_auth() {
// CHECK: [[PTR:%.*]] = load ptr, ptr @fnptr,
// CHECK-NEXT: [[DISC0:%.*]] = load ptr, ptr @ptr_discriminator,
// CHECK-NEXT: [[T0:%.*]] = ptrtoint ptr [[PTR]] to i64
// CHECK-NEXT: [[DISC:%.*]] = ptrtoint ptr [[DISC0]] to i64
// CHECK-NEXT: [[T1:%.*]] = call i64 @llvm.ptrauth.auth(i64 [[T0]], i32 0, i64 [[DISC]])
// CHECK-NEXT: [[RESULT:%.*]] = inttoptr i64 [[T1]] to ptr
// CHECK-NEXT: store ptr [[RESULT]], ptr @fnptr,
fnptr = __builtin_ptrauth_auth(fnptr, 0, ptr_discriminator);
}
// CHECK-LABEL: define void @test_strip()
void test_strip() {
// CHECK: [[PTR:%.*]] = load ptr, ptr @fnptr,
// CHECK-NEXT: [[T0:%.*]] = ptrtoint ptr [[PTR]] to i64
// CHECK-NEXT: [[T1:%.*]] = call i64 @llvm.ptrauth.strip(i64 [[T0]], i32 0)
// CHECK-NEXT: [[RESULT:%.*]] = inttoptr i64 [[T1]] to ptr
// CHECK-NEXT: store ptr [[RESULT]], ptr @fnptr,
fnptr = __builtin_ptrauth_strip(fnptr, 0);
}
// CHECK-LABEL: define void @test_sign_unauthenticated()
void test_sign_unauthenticated() {
// CHECK: [[PTR:%.*]] = load ptr, ptr @fnptr,
// CHECK-NEXT: [[DISC0:%.*]] = load ptr, ptr @ptr_discriminator,
// CHECK-NEXT: [[T0:%.*]] = ptrtoint ptr [[PTR]] to i64
// CHECK-NEXT: [[DISC:%.*]] = ptrtoint ptr [[DISC0]] to i64
// CHECK-NEXT: [[T1:%.*]] = call i64 @llvm.ptrauth.sign(i64 [[T0]], i32 0, i64 [[DISC]])
// CHECK-NEXT: [[RESULT:%.*]] = inttoptr i64 [[T1]] to ptr
// CHECK-NEXT: store ptr [[RESULT]], ptr @fnptr,
fnptr = __builtin_ptrauth_sign_unauthenticated(fnptr, 0, ptr_discriminator);
}
// CHECK-LABEL: define void @test_auth_and_resign()
void test_auth_and_resign() {
// CHECK: [[PTR:%.*]] = load ptr, ptr @fnptr,
// CHECK-NEXT: [[DISC0:%.*]] = load ptr, ptr @ptr_discriminator,
// CHECK-NEXT: [[T0:%.*]] = ptrtoint ptr [[PTR]] to i64
// CHECK-NEXT: [[DISC:%.*]] = ptrtoint ptr [[DISC0]] to i64
// CHECK-NEXT: [[T1:%.*]] = call i64 @llvm.ptrauth.resign(i64 [[T0]], i32 0, i64 [[DISC]], i32 3, i64 15)
// CHECK-NEXT: [[RESULT:%.*]] = inttoptr i64 [[T1]] to ptr
// CHECK-NEXT: store ptr [[RESULT]], ptr @fnptr,
fnptr = __builtin_ptrauth_auth_and_resign(fnptr, 0, ptr_discriminator, 3, 15);
}
// CHECK-LABEL: define void @test_blend_discriminator()
void test_blend_discriminator() {
// CHECK: [[PTR:%.*]] = load ptr, ptr @fnptr,
// CHECK-NEXT: [[DISC:%.*]] = load i64, ptr @int_discriminator,
// CHECK-NEXT: [[T0:%.*]] = ptrtoint ptr [[PTR]] to i64
// CHECK-NEXT: [[RESULT:%.*]] = call i64 @llvm.ptrauth.blend(i64 [[T0]], i64 [[DISC]])
// CHECK-NEXT: store i64 [[RESULT]], ptr @int_discriminator,
int_discriminator = __builtin_ptrauth_blend_discriminator(fnptr, int_discriminator);
}
// CHECK-LABEL: define void @test_sign_generic_data()
void test_sign_generic_data() {
// CHECK: [[PTR:%.*]] = load ptr, ptr @fnptr,
// CHECK-NEXT: [[DISC0:%.*]] = load ptr, ptr @ptr_discriminator,
// CHECK-NEXT: [[T0:%.*]] = ptrtoint ptr [[PTR]] to i64
// CHECK-NEXT: [[DISC:%.*]] = ptrtoint ptr [[DISC0]] to i64
// CHECK-NEXT: [[RESULT:%.*]] = call i64 @llvm.ptrauth.sign.generic(i64 [[T0]], i64 [[DISC]])
// CHECK-NEXT: store i64 [[RESULT]], ptr @signature,
signature = __builtin_ptrauth_sign_generic_data(fnptr, ptr_discriminator);
}

clang/test/Driver/arch-arm64e.c

  • This file was added.
// Check that we can manually enable specific ptrauth features.
// RUN: %clang -target arm64-apple-ios -c %s -### 2>&1 | FileCheck %s --check-prefix NONE
// NONE: "-cc1"
// NONE-NOT: "-fptrauth-intrinsics"
// RUN: %clang -target arm64-apple-ios -fptrauth-intrinsics -c %s -### 2>&1 | FileCheck %s --check-prefix INTRIN
// INTRIN: "-cc1"{{.*}} {{.*}} "-fptrauth-intrinsics"
// Check the arm64e defaults.
// RUN: %clang -target arm64e-apple-ios -c %s -### 2>&1 | FileCheck %s --check-prefix DEFAULT
// RUN: %clang -mkernel -target arm64e-apple-ios -c %s -### 2>&1 | FileCheck %s --check-prefix DEFAULT-KERN
// RUN: %clang -fapple-kext -target arm64e-apple-ios -c %s -### 2>&1 | FileCheck %s --check-prefix DEFAULT-KERN
// DEFAULT: "-fptrauth-intrinsics" "-target-cpu" "apple-a12"{{.*}}
// DEFAULT-KERN: "-fptrauth-intrinsics" "-target-cpu" "apple-a12"{{.*}}
// RUN: %clang -target arm64e-apple-ios -fno-ptrauth-intrinsics -c %s -### 2>&1 | FileCheck %s --check-prefix NOINTRIN
// NOINTRIN-NOT: "-fptrauth-intrinsics"
// NOINTRIN: "-target-cpu" "apple-a12"{{.*}}

clang/test/Modules/Inputs/ptrauth-include-from-darwin/module.modulemap

  • This file was added.
module libc [no_undeclared_includes] {
module stddef { header "stddef.h" export * }
}
module ptrauth {
header "ptrauth.h"
export *
}

clang/test/Modules/Inputs/ptrauth-include-from-darwin/ptrauth.h

  • This file was added.
void foo();

clang/test/Modules/Inputs/ptrauth-include-from-darwin/stddef.h

  • This file was added.
@import ptrauth;

clang/test/Modules/ptrauth-include-from-darwin.m

  • This file was added.
// RUN: rm -rf %t
// RUN: %clang_cc1 -fmodules-cache-path=%t -fmodules -fimplicit-module-maps -I %S/Inputs/ptrauth-include-from-darwin %s -verify
// expected-no-diagnostics
@import libc;
void bar() { foo(); }

clang/test/Preprocessor/ptrauth_feature.c

  • This file was added.
// RUN: %clang_cc1 %s -E -triple=arm64-- | FileCheck %s --check-prefixes=NOINTRIN
// RUN: %clang_cc1 %s -E -triple=arm64-- -fptrauth-intrinsics | FileCheck %s --check-prefixes=INTRIN
#if __has_feature(ptrauth_intrinsics)
// INTRIN: has_ptrauth_intrinsics
void has_ptrauth_intrinsics() {}
#else
// NOINTRIN: no_ptrauth_intrinsics
void no_ptrauth_intrinsics() {}
#endif

clang/test/Sema/ptrauth-intrinsics-macro.c

  • This file was added.
// RUN: %clang_cc1 -triple arm64-apple-ios -Wall -fsyntax-only -verify -fptrauth-intrinsics %s
// RUN: %clang_cc1 -triple arm64-apple-ios -Wall -fsyntax-only -verify %s
// expected-no-diagnostics
#include <ptrauth.h>
#define VALID_CODE_KEY 0
#define VALID_DATA_KEY 2
extern int dv;
void test(int *dp, int value) {
dp = ptrauth_strip(dp, VALID_DATA_KEY);
ptrauth_extra_data_t t0 = ptrauth_blend_discriminator(dp, value);
(void)t0;
dp = ptrauth_sign_unauthenticated(dp, VALID_DATA_KEY, 0);
dp = ptrauth_auth_and_resign(dp, VALID_DATA_KEY, dp, VALID_DATA_KEY, dp);
dp = ptrauth_auth_data(dp, VALID_DATA_KEY, 0);
int pu0 = 0, pu1 = 0, pu2 = 0, pu3 = 0, pu4 = 0, pu5 = 0, pu6 = 0, pu7 = 0;
ptrauth_blend_discriminator(&pu0, value);
ptrauth_auth_and_resign(&pu1, VALID_DATA_KEY, dp, VALID_DATA_KEY, dp);
ptrauth_auth_and_resign(dp, VALID_DATA_KEY, &pu2, VALID_DATA_KEY, dp);
ptrauth_auth_and_resign(dp, VALID_DATA_KEY, dp, VALID_DATA_KEY, &pu3);
ptrauth_sign_generic_data(pu4, dp);
ptrauth_sign_generic_data(dp, pu5);
ptrauth_auth_data(&pu6, VALID_DATA_KEY, value);
ptrauth_auth_data(dp, VALID_DATA_KEY, pu7);
int t2 = ptrauth_sign_generic_data(dp, 0);
(void)t2;
}

clang/test/Sema/ptrauth.c

  • This file was added.
// RUN: %clang_cc1 -triple arm64-apple-ios -fsyntax-only -verify -fptrauth-intrinsics %s
#if __has_feature(ptrauth_intrinsics)
#warning Pointer authentication enabled!
// expected-warning@-1 {{Pointer authentication enabled!}}
#endif
#if __aarch64__
#define VALID_CODE_KEY 0
#define VALID_DATA_KEY 2
#define INVALID_KEY 200
#else
#error Provide these constants if you port this test
#endif
#define NULL ((void*) 0)
struct A { int x; } mismatched_type;
extern int dv;
extern int fv(int);
void test_strip(int *dp, int (*fp)(int)) {
__builtin_ptrauth_strip(dp); // expected-error {{too few arguments}}
__builtin_ptrauth_strip(dp, VALID_DATA_KEY, dp); // expected-error {{too many arguments}}
(void) __builtin_ptrauth_strip(NULL, VALID_DATA_KEY); // no warning
__builtin_ptrauth_strip(mismatched_type, VALID_DATA_KEY); // expected-error {{signed value must have pointer type; type here is 'struct A'}}
__builtin_ptrauth_strip(dp, mismatched_type); // expected-error {{passing 'struct A' to parameter of incompatible type 'int'}}
int *dr = __builtin_ptrauth_strip(dp, VALID_DATA_KEY);
dr = __builtin_ptrauth_strip(dp, INVALID_KEY); // expected-error {{does not identify a valid pointer authentication key for the current target}}
int (*fr)(int) = __builtin_ptrauth_strip(fp, VALID_CODE_KEY);
fr = __builtin_ptrauth_strip(fp, INVALID_KEY); // expected-error {{does not identify a valid pointer authentication key for the current target}}
float *mismatch = __builtin_ptrauth_strip(dp, VALID_DATA_KEY); // expected-warning {{incompatible pointer types initializing 'float *' with an expression of type 'int *'}}
}
void test_blend_discriminator(int *dp, int (*fp)(int), int value) {
__builtin_ptrauth_blend_discriminator(dp); // expected-error {{too few arguments}}
__builtin_ptrauth_blend_discriminator(dp, dp, dp); // expected-error {{too many arguments}}
(void) __builtin_ptrauth_blend_discriminator(dp, value); // no warning
__builtin_ptrauth_blend_discriminator(mismatched_type, value); // expected-error {{blended pointer must have pointer type; type here is 'struct A'}}
__builtin_ptrauth_blend_discriminator(dp, mismatched_type); // expected-error {{blended integer must have integer type; type here is 'struct A'}}
float *mismatch = __builtin_ptrauth_blend_discriminator(dp, value); // expected-error {{incompatible integer to pointer conversion initializing 'float *' with an expression of type}}
}
void test_sign_unauthenticated(int *dp, int (*fp)(int)) {
__builtin_ptrauth_sign_unauthenticated(dp, VALID_DATA_KEY); // expected-error {{too few arguments}}
__builtin_ptrauth_sign_unauthenticated(dp, VALID_DATA_KEY, dp, dp); // expected-error {{too many arguments}}
__builtin_ptrauth_sign_unauthenticated(mismatched_type, VALID_DATA_KEY, 0); // expected-error {{signed value must have pointer type; type here is 'struct A'}}
__builtin_ptrauth_sign_unauthenticated(dp, mismatched_type, 0); // expected-error {{passing 'struct A' to parameter of incompatible type 'int'}}
__builtin_ptrauth_sign_unauthenticated(dp, VALID_DATA_KEY, mismatched_type); // expected-error {{extra discriminator must have pointer or integer type; type here is 'struct A'}}
(void) __builtin_ptrauth_sign_unauthenticated(NULL, VALID_DATA_KEY, 0); // expected-warning {{signing a null pointer will yield a non-null pointer}}
int *dr = __builtin_ptrauth_sign_unauthenticated(dp, VALID_DATA_KEY, 0);
dr = __builtin_ptrauth_sign_unauthenticated(dp, INVALID_KEY, 0); // expected-error {{does not identify a valid pointer authentication key for the current target}}
int (*fr)(int) = __builtin_ptrauth_sign_unauthenticated(fp, VALID_CODE_KEY, 0);
fr = __builtin_ptrauth_sign_unauthenticated(fp, INVALID_KEY, 0); // expected-error {{does not identify a valid pointer authentication key for the current target}}
float *mismatch = __builtin_ptrauth_sign_unauthenticated(dp, VALID_DATA_KEY, 0); // expected-warning {{incompatible pointer types initializing 'float *' with an expression of type 'int *'}}
}
void test_auth(int *dp, int (*fp)(int)) {
__builtin_ptrauth_auth(dp, VALID_DATA_KEY); // expected-error {{too few arguments}}
__builtin_ptrauth_auth(dp, VALID_DATA_KEY, dp, dp); // expected-error {{too many arguments}}
__builtin_ptrauth_auth(mismatched_type, VALID_DATA_KEY, 0); // expected-error {{signed value must have pointer type; type here is 'struct A'}}
__builtin_ptrauth_auth(dp, mismatched_type, 0); // expected-error {{passing 'struct A' to parameter of incompatible type 'int'}}
__builtin_ptrauth_auth(dp, VALID_DATA_KEY, mismatched_type); // expected-error {{extra discriminator must have pointer or integer type; type here is 'struct A'}}
(void) __builtin_ptrauth_auth(NULL, VALID_DATA_KEY, 0); // expected-warning {{authenticating a null pointer will almost certainly trap}}
int *dr = __builtin_ptrauth_auth(dp, VALID_DATA_KEY, 0);
dr = __builtin_ptrauth_auth(dp, INVALID_KEY, 0); // expected-error {{does not identify a valid pointer authentication key for the current target}}
int (*fr)(int) = __builtin_ptrauth_auth(fp, VALID_CODE_KEY, 0);
fr = __builtin_ptrauth_auth(fp, INVALID_KEY, 0); // expected-error {{does not identify a valid pointer authentication key for the current target}}
float *mismatch = __builtin_ptrauth_auth(dp, VALID_DATA_KEY, 0); // expected-warning {{incompatible pointer types initializing 'float *' with an expression of type 'int *'}}
}
void test_auth_and_resign(int *dp, int (*fp)(int)) {
__builtin_ptrauth_auth_and_resign(dp, VALID_DATA_KEY, 0, VALID_DATA_KEY); // expected-error {{too few arguments}}
__builtin_ptrauth_auth_and_resign(dp, VALID_DATA_KEY, dp, VALID_DATA_KEY, dp, 0); // expected-error {{too many arguments}}
__builtin_ptrauth_auth_and_resign(mismatched_type, VALID_DATA_KEY, 0, VALID_DATA_KEY, dp); // expected-error {{signed value must have pointer type; type here is 'struct A'}}
__builtin_ptrauth_auth_and_resign(dp, mismatched_type, 0, VALID_DATA_KEY, dp); // expected-error {{passing 'struct A' to parameter of incompatible type 'int'}}
__builtin_ptrauth_auth_and_resign(dp, VALID_DATA_KEY, mismatched_type, VALID_DATA_KEY, dp); // expected-error {{extra discriminator must have pointer or integer type; type here is 'struct A'}}
__builtin_ptrauth_auth_and_resign(dp, VALID_DATA_KEY, 0, mismatched_type, dp); // expected-error {{passing 'struct A' to parameter of incompatible type 'int'}}
__builtin_ptrauth_auth_and_resign(dp, VALID_DATA_KEY, 0, VALID_DATA_KEY, mismatched_type); // expected-error {{extra discriminator must have pointer or integer type; type here is 'struct A'}}
(void) __builtin_ptrauth_auth_and_resign(NULL, VALID_DATA_KEY, 0, VALID_DATA_KEY, dp); // expected-warning {{authenticating a null pointer will almost certainly trap}}
int *dr = __builtin_ptrauth_auth_and_resign(dp, VALID_DATA_KEY, 0, VALID_DATA_KEY, dp);
dr = __builtin_ptrauth_auth_and_resign(dp, INVALID_KEY, 0, VALID_DATA_KEY, dp); // expected-error {{does not identify a valid pointer authentication key for the current target}}
dr = __builtin_ptrauth_auth_and_resign(dp, VALID_DATA_KEY, 0, INVALID_KEY, dp); // expected-error {{does not identify a valid pointer authentication key for the current target}}
int (*fr)(int) = __builtin_ptrauth_auth_and_resign(fp, VALID_CODE_KEY, 0, VALID_CODE_KEY, dp);
fr = __builtin_ptrauth_auth_and_resign(fp, INVALID_KEY, 0, VALID_CODE_KEY, dp); // expected-error {{does not identify a valid pointer authentication key for the current target}}
fr = __builtin_ptrauth_auth_and_resign(fp, VALID_CODE_KEY, 0, INVALID_KEY, dp); // expected-error {{does not identify a valid pointer authentication key for the current target}}
float *mismatch = __builtin_ptrauth_auth_and_resign(dp, VALID_DATA_KEY, 0, VALID_DATA_KEY, dp); // expected-warning {{incompatible pointer types initializing 'float *' with an expression of type 'int *'}}
}
void test_sign_generic_data(int *dp) {
__builtin_ptrauth_sign_generic_data(dp); // expected-error {{too few arguments}}
__builtin_ptrauth_sign_generic_data(dp, 0, 0); // expected-error {{too many arguments}}
__builtin_ptrauth_sign_generic_data(mismatched_type, 0); // expected-error {{signed value must have pointer or integer type; type here is 'struct A'}}
__builtin_ptrauth_sign_generic_data(dp, mismatched_type); // expected-error {{extra discriminator must have pointer or integer type; type here is 'struct A'}}
(void) __builtin_ptrauth_sign_generic_data(NULL, 0); // no warning
unsigned long dr = __builtin_ptrauth_sign_generic_data(dp, 0);
dr = __builtin_ptrauth_sign_generic_data(dp, &dv);
dr = __builtin_ptrauth_sign_generic_data(12314, 0);
dr = __builtin_ptrauth_sign_generic_data(12314, &dv);
int *mismatch = __builtin_ptrauth_sign_generic_data(dp, 0); // expected-error {{incompatible integer to pointer conversion initializing 'int *' with an expression of type}}
}

llvm/docs/PointerAuth.md

Context not available.
signature checked. This prevents pointer values of unknown origin from being signature checked. This prevents pointer values of unknown origin from being
used to replace the signed pointer value. used to replace the signed pointer value.
For more details, see the clang documentation page for
[Pointer Authentication](https://clang.llvm.org/docs/PointerAuthentication.html).
At the IR level, it is represented using: At the IR level, it is represented using:
* a [set of intrinsics](#intrinsics) (to sign/authenticate pointers) * a [set of intrinsics](#intrinsics) (to sign/authenticate pointers)
Context not available.