Brute-force resistant Pointer-Authentication using RISC-V co-processor
dc.contributor.author | Peri, Lalit Prasad | en |
dc.contributor.committeechair | Xiong, Wenjie | en |
dc.contributor.committeemember | Wang, Haining | en |
dc.contributor.committeemember | Hicks, Matthew | en |
dc.contributor.department | Electrical and Computer Engineering | en |
dc.date.accessioned | 2025-05-24T08:01:21Z | en |
dc.date.available | 2025-05-24T08:01:21Z | en |
dc.date.issued | 2025-05-23 | en |
dc.description.abstract | Pointer authentication is a key hardware mechanism for mitigating memory safety attacks such as return-oriented and jump-oriented programming. In ARMv8.3-A, pointer authentication codes (PACs) are embedded in the upper bits of pointers using tweakable block ciphers like QARMA [1], but this 16-bit PAC space remains susceptible to brute-force attacks, particularly under speculative execution vulnerabilities such as PACMAN [2]. To overcome these limitations, this thesis proposes a pointer encryption scheme wherein the full 64-bit pointer is encrypted using low-latency block ciphers like PRINCEv2 [3]. This design has been realized as a tightly coupled hardware co-processor integrated via the Rocket Custom Coprocessor (RoCC) interface [4], supporting custom RISC-V instructions PTR_SEAL and PTR_UNSEAL for sealing and authenticating pointers at runtime. Benchmark evaluation is performed using SPEC CPU2017 and SPLASH-2, with binaries instrumented through a custom LLVM pass. Experiments are conducted on both a Verilator-based Rocket Chip simulation and a Xilinx VCU118 FPGA implementation. Results indicate that PAC instrumentation incurred a performance overhead of 1.3% to 5.8%, with average slowdowns consistently below 6% across platforms. These findings demonstrate that strong pointer protection can be integrated into RISC-V with minimal performance penalty, confirming the practicality of hardware-enforced pointer authentication. | en |
dc.description.abstractgeneral | Cyber-security threats are escalating, and protecting the integrity of software is a growing priority for every industry. A common vulnerability involves attackers hijacking program behavior by tampering with memory addresses, or pointers. Current solutions, like those in commercial ARM processors, offer only partial protection, leaving systems exposed to brute-force attacks. Brute-force resistant pointer authentication delivers a stronger defense by encrypting the entire pointer, not just a fragment. Built as a hardware extension to the open-source RISC-V processor, this method provides robust security with minimal performance cost. This innovation addresses a critical gap in today's hardware security and is well-positioned for adoption in sectors such as finance, IoT, autonomous systems, and secure cloud infrastructure. With growing demand for trusted computing, this approach offers a scalable path to next-generation secure processors. | en |
dc.description.degree | Master of Science | en |
dc.format.medium | ETD | en |
dc.identifier.other | vt_gsexam:44011 | en |
dc.identifier.uri | https://hdl.handle.net/10919/134208 | en |
dc.language.iso | en | en |
dc.publisher | Virginia Tech | en |
dc.rights | In Copyright | en |
dc.rights.uri | http://rightsstatements.org/vocab/InC/1.0/ | en |
dc.subject | Pointer Authentication | en |
dc.subject | Memory-Safety | en |
dc.subject | Tweakable Block-Cipher | en |
dc.subject | RISC-V | en |
dc.subject | ISA | en |
dc.subject | Co-Processor | en |
dc.title | Brute-force resistant Pointer-Authentication using RISC-V co-processor | en |
dc.type | Thesis | en |
thesis.degree.discipline | Computer Engineering | en |
thesis.degree.grantor | Virginia Polytechnic Institute and State University | en |
thesis.degree.level | masters | en |
thesis.degree.name | Master of Science | en |