Windows ARM64 Internals: Deconstructing Pointer Authentication
a day ago
- #Windows Security
- #ARM
- #Memory Protection
- Pointer Authentication Code (PAC) is an ARM feature that signs pointers to validate their use at runtime, available on Armv8.3-A and later architectures.
- PAC stores a cryptographic signature in the otherwise unused upper bits of a 64-bit pointer (bits 48-63); the layout preserves the bit that distinguishes user-mode from kernel-mode addresses.
- Windows implements PAC starting from the kernel entry point (KiSystemStartup), initializing PAC support and signing keys via the loader parameter block.
- PAC on Windows is enabled per-process, with each process having its own signing key, and is managed through registry settings and feature flags.
- Windows uses PAC primarily for signing return addresses (instruction pointers) to protect against return-oriented programming (ROP) attacks.
- Secure Kernel (HyperGuard) protects PAC key registers from unauthorized modifications, enhancing security against kernel exploits.
- PAC violations result in specific crash codes (e.g., FAST_FAIL_POINTER_AUTH_INVALID_RETURN_ADDRESS) for both user-mode and kernel-mode.
- Future expansions of PAC could include Memory Tagging Extension (MTE) for additional memory corruption protections.
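As an added illustration (not code from the article or from Windows), the following C model shows the pointer layout the bullets describe: a 48-bit address, bit 55 kept as the user/kernel selector, and the PAC packed into the remaining upper bits, signed under a per-process key with a modifier such as the stack pointer and checked before the return address is used. The mixer function, key values and addresses are constructed stand-ins, not ARM's cipher or real Windows keys.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of the PAC pointer layout on a 48-bit VA system:
 * bits 0-47 hold the address, bit 55 stays as the user/kernel selector
 * (0 = user, 1 = kernel), and the remaining upper bits carry the PAC.
 * pac_mix is a stand-in for the hardware cipher, not the real algorithm. */
#define ADDR_MASK ((1ULL << 48) - 1)
#define SEL_BIT   (1ULL << 55)
#define PAC_MASK  (~ADDR_MASK & ~SEL_BIT)

typedef struct { uint64_t lo, hi; } pac_key_t;   /* one key per process */

static uint64_t pac_mix(uint64_t x, uint64_t k) {  /* stand-in cipher */
    x ^= k; x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL; return x ^ (x >> 31);
}

/* Canonical form: user pointers have zero upper bits, kernel pointers ones. */
uint64_t pac_strip(uint64_t p) {
    return (p & SEL_BIT) ? (p | PAC_MASK) : (p & ~PAC_MASK);
}

static uint64_t compute_pac(uint64_t canon, uint64_t mod, pac_key_t k) {
    return pac_mix(pac_mix(canon, k.lo) ^ mod, k.hi) & PAC_MASK;
}

/* Like PACIA/PACIB: sign a pointer under a key and a modifier (e.g. SP). */
uint64_t pac_sign(uint64_t p, uint64_t mod, pac_key_t k) {
    uint64_t canon = pac_strip(p);
    return (canon & ~PAC_MASK) | compute_pac(canon, mod, k);
}

/* Like AUTIA/AUTIB: verify and strip. A mismatch on a return address is
 * where Windows raises FAST_FAIL_POINTER_AUTH_INVALID_RETURN_ADDRESS. */
bool pac_auth(uint64_t sp, uint64_t mod, pac_key_t k, uint64_t *out) {
    uint64_t canon = pac_strip(sp);
    if ((sp & PAC_MASK) != compute_pac(canon, mod, k)) return false;
    *out = canon;
    return true;
}

int main(void) {  /* constructed key, return address and stack pointer */
    pac_key_t key = { 0x0123456789abcdefULL, 0xfedcba9876543210ULL };
    uint64_t lr = 0x00007ff612345678ULL, sp = 0x000000e5f0ffd000ULL, out;
    uint64_t saved = pac_sign(lr, sp, key);                  /* prologue */
    uint64_t clobbered = (saved & ~ADDR_MASK) | 0x00007ff6aabbccddULL;
    printf("intact LR: %s\n", pac_auth(saved, sp, key, &out) ? "ok" : "FAIL");
    printf("clobbered LR: %s\n", pac_auth(clobbered, sp, key, &out) ? "ok" : "FAIL");
    return 0;
}
```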