
Signed pointers

Real hackers keep telling me that back in the days of the LISP machine they had tagged pointers and such things.

Those pesky mobile whizkids at Qualcomm could not let that stand, so together with ARM they built signed pointers into ARMv8.3-A, under the name pointer authentication. Two families of new instructions have been added, one for signing pointers, the other for checking the signature. How does that work? The PDF at Qualcomm describes the details.

Basically, when a subroutine is entered, the return address in the link register is signed with a PAC* instruction before it is pushed onto the stack (PACIASP, which mixes in the current stack pointer as a second input, the so-called modifier). The signature is a keyed MAC over the pointer and the modifier; the key sits in system registers that user code cannot read. On return the value popped from the stack is checked with the matching AUT* instruction (AUTIASP). If the signature verifies, AUT* strips it and the pointer is usable again. If it does not, AUT* itself does not trap on 8.3 hardware (later revisions can make it fault directly); it leaves a deliberately non-canonical address behind, so the RET that follows takes a translation fault instead of jumping wherever the attacker pointed it.

The common forms of PAC* and AUT*, those that take SP as modifier or no modifier at all, are encoded in the HINT/NOP space, so the same binary runs on pre-8.3 CPUs, where they simply execute as NOPs. Only the forms that take an arbitrary modifier register use new encodings and are undefined on older cores.

How wide the signature is depends on how many pointer bits are actually used for addressing. On a cellphone processor with a 40-bit virtual address space, a 64-bit pointer has 24 unused upper bits, and all of them except bit 55 (which tells the upper and lower halves of the address space apart) can hold the signature. Other partitions follow from the address-space layout: a 48-bit address space leaves 15 signature bits, and when top-byte-ignore is enabled the top eight bits are reserved for a software tag and come off the signature as well. That is short enough that guessing is conceivable, which is why every failed check must kill the process rather than let the attacker try again.
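As an added illustration, not code from the page or from ARM or Qualcomm: a toy model in C of the sign/authenticate dance described above, with the PAC field placed according to the address-space layout. The keyed mixing function stands in for the real QARMA block cipher, the key struct stands in for the key registers, and the return address, stack pointer and key values are constructed for the demo. It handles both the lower (user) and upper (kernel) address ranges and the top-byte-ignore case, which the text only sketches.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Address-space layout: usable virtual-address bits (assumed <= 52), and
 * whether top-byte-ignore (TBI) reserves bits 63:56 for a software tag. */
typedef struct { int va_bits; bool tbi; } layout_t;

/* Stand-in for one 128-bit key register pair (hardware keeps these at EL1+). */
typedef struct { uint64_t k0, k1; } pac_key_t;

/* Bits free to hold the PAC: everything above the address bits except
 * bit 55 (distinguishes upper and lower address range) and, with TBI, the
 * top byte. */
static uint64_t pac_mask(layout_t l)
{
    uint64_t m = 0;
    for (int b = l.va_bits; b < 55; b++)
        m |= 1ULL << b;
    if (!l.tbi)
        m |= 0xFF00000000000000ULL;
    return m;
}

/* Signature width for a layout: 23 for a 40-bit VA without TBI. */
static int pac_bits(layout_t l)
{
    return __builtin_popcountll(pac_mask(l));
}

/* Canonical form: the PAC field is a copy of bit 55 (all 0 for a user
 * pointer, all 1 for a kernel pointer). Anything else faults when used. */
static uint64_t canonical(uint64_t p, layout_t l)
{
    uint64_t m = pac_mask(l);
    return (p & ~m) | (((p >> 55) & 1) ? m : 0);
}

static bool is_canonical(uint64_t p, layout_t l)
{
    return canonical(p, l) == p;
}

/* Toy keyed PRF (splitmix64 finaliser); QARMA in real silicon. Only the
 * property matters: the tag depends on pointer, modifier and secret key. */
static uint64_t mix64(uint64_t x)
{
    x ^= x >> 30; x *= 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 27; x *= 0x94D049BB133111EBULL;
    return x ^ (x >> 31);
}

static uint64_t compute_pac(uint64_t ptr, uint64_t modifier, layout_t l, pac_key_t k)
{
    uint64_t h = mix64(canonical(ptr, l) ^ k.k0);
    h = mix64(h ^ modifier ^ k.k1);
    return h & pac_mask(l);          /* truncate the tag to the free bits */
}

/* PAC*: e.g. PACIASP = sign LR with SP as modifier before it is spilled. */
static uint64_t pac_sign(uint64_t ptr, uint64_t modifier, layout_t l, pac_key_t k)
{
    return canonical(ptr, l) ^ compute_pac(ptr, modifier, l, k);
}

/* AUT*: e.g. AUTIASP after LR is reloaded from the stack. On success the
 * signature is stripped and the plain pointer comes back. On failure the
 * instruction does not trap; it returns a deliberately non-canonical
 * pointer, so the RET that consumes it takes a translation fault. Hardware
 * writes a 2-bit error code into the PAC field; the toy flips the field's
 * top bit, which is enough to break canonical form. */
static uint64_t pac_auth(uint64_t signed_ptr, uint64_t modifier, layout_t l, pac_key_t k)
{
    uint64_t orig = canonical(signed_ptr, l);
    if ((orig ^ compute_pac(orig, modifier, l, k)) == signed_ptr)
        return orig;
    uint64_t m = pac_mask(l);
    return orig ^ (1ULL << (63 - __builtin_clzll(m)));
}

int main(void)
{
    layout_t phone = { 40, false };                 /* 40-bit VA, no TBI */
    pac_key_t key = { 0x0123456789ABCDEFULL, 0xFEDCBA9876543210ULL }; /* constructed */
    uint64_t lr = 0x0000001234567890ULL;            /* constructed return address */
    uint64_t sp = 0x0000007FFFFFE000ULL;            /* constructed stack pointer */

    printf("PAC bits: 40-bit VA=%d, 40-bit VA+TBI=%d, 48-bit VA=%d\n",
           pac_bits(phone), pac_bits((layout_t){ 40, true }),
           pac_bits((layout_t){ 48, false }));

    /* Prologue: PACIASP, then LR goes to the stack. Epilogue: LR comes
     * back, AUTIASP, RET. */
    uint64_t saved = pac_sign(lr, sp, phone, key);
    uint64_t back = pac_auth(saved, sp, phone, key);
    printf("signed %016llx -> auth %016llx: %s\n", (unsigned long long)saved,
           (unsigned long long)back, is_canonical(back, phone) ? "RET proceeds" : "RET faults");

    /* Stack smash: saved LR replaced by a gadget address with no valid PAC. */
    uint64_t smashed = pac_auth(0x0000001234560000ULL, sp, phone, key);
    printf("smashed LR -> %016llx: %s\n", (unsigned long long)smashed,
           is_canonical(smashed, phone) ? "RET proceeds" : "RET faults");

    /* Replay: a genuinely signed LR copied from a frame with a different SP. */
    uint64_t replayed = pac_auth(saved, sp + 0x200, phone, key);
    printf("replayed LR -> %016llx: %s\n", (unsigned long long)replayed,
           is_canonical(replayed, phone) ? "RET proceeds" : "RET faults");
    return 0;
}
```

The modifier is what stops the replay case: a signed return address lifted from another stack frame only verifies if the stack pointer happens to be the same, and a signed pointer from another process is useless because the keys differ. Note the toy reports a forgery as "RET proceeds" with probability one in 2^pac_bits, which is exactly the guessing budget the narrow signature leaves an attacker.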

Published in Computer Science, Hackerterror, cybercyber


  1. Kris Koehntopp

    The above functionality must be seen in the context of

    »while the MPU is initialised, it is effectively set to mark all of memory as RWX, making it useless. This saves us some hassle… We can conveniently execute our code directly from the heap. […] Once the timer expires, our code will be executed on the firmware!«


    »We’ve seen that while the firmware implementation on the Wi-Fi SoC is incredibly complex, it still lags behind in terms of security. Specifically, it lacks all basic exploit mitigations – including stack cookies, safe unlinking and access permission protection (by means of an MPU).«

    This will change in future versions of the Wi-Fi SoC, says Broadcom.
