Brute-force resistant Pointer-Authentication using RISC-V co-processor
Abstract
Pointer authentication is a key hardware mechanism for mitigating memory safety attacks such as return-oriented and jump-oriented programming. In ARMv8.3-A, pointer authentication codes (PACs) are embedded in the upper bits of pointers using tweakable block ciphers like QARMA [1], but this 16-bit PAC space remains susceptible to brute-force attacks, particularly under speculative execution vulnerabilities such as PACMAN [2]. To overcome these limitations, this thesis proposes a pointer encryption scheme in which the full 64-bit pointer is encrypted using low-latency block ciphers like PRINCEv2 [3]. This design has been realized as a tightly coupled hardware co-processor integrated via the Rocket Custom Coprocessor (RoCC) interface [4], supporting the custom RISC-V instructions PTR_SEAL and PTR_UNSEAL for sealing and authenticating pointers at runtime. Benchmark evaluation is performed using SPEC CPU2017 and SPLASH-2, with binaries instrumented through a custom LLVM pass. Experiments are conducted on both a Verilator-based Rocket Chip simulation and a Xilinx VCU118 FPGA implementation. Results indicate that PAC instrumentation incurred a performance overhead of 1.3% to 5.8%, with average slowdowns consistently below 6% across platforms. These findings demonstrate that strong pointer protection can be integrated into RISC-V with minimal performance penalty, confirming the practicality of hardware-enforced pointer authentication.