Enable pointer authentication on ARM64

[jgowdy]

What is the problem this feature will solve?

ARM64v8.3 supports Pointer Authentication with the PACIASP and AUTIASP instructions which are interpreted as NOP instructions on pre 8.3 architectures. These instructions sign the stack pointer and validate the stack pointer prior to return to mitigate return oriented programming.

GCC supports these options on arm64 / aarch64. The legacy option was -msign-return-address=[all | non-leaf | none] and the modern option is -mbranch-protection=none|standard|pac-ret[+leaf+b-key]|bti

I would like to suggest that the arm64 build be modified to include -mbranch-protection=pac-ret with the -march being set to ARMv8.2 or earlier or not configured, so that GCC will generate PACIASP and AUTIASP instructions. It is critical that -march=armv8.3 or higher not be passed or the non-backwards compatible RETAA instruction will be generated.

What is the feature you are proposing to solve the problem?

The benefit of enabling pointer authentication for the stack pointer on ARM64 would be to mitigate return oriented programming attacks against the Node.js runtime.

What alternatives have you considered?

Presently we are pursuing custom compiles of the Node.js runtime for the new Graviton3 CPUs that support pointer authentication in AWS.

[RaisinTen]

Will this affect performance?
What will happen if this setting is enabled and someone still attempts to take advantage of an already present buffer overflow?

[jgowdy]

The performance impact is very small, we've had difficulty measuring it versus variance in runs of our benchmark suite. It's an additional assembly language instruction at the beginning and end of each method that does a small amount of math in hardware. If the CPU doesn't support PAC, the instructions are treated as NOPs.

If the stack pointer is modified by an attacker, when the function is about to return it executes the AUTIASP instruction which will detect the modified stack pointer and the process will signal and abort.

[RaisinTen]

Hmm, I don't immediately see any problem with enabling this. Would you like to send a PR? We could have more reviews there.

[nxhack]

This modification results in an error in the case of cross-compilation. (#43200)

'host_arch': 'x64'
'target_arch': 'arm64',

g++: error: unrecognized command line option '-msign-return-address=all'

[josh-hemphill]

Is there a workaround for this unrecognized command line option '-msign-return-address=all' error?

[bnoordhuis]

Untested, but #45756 hopefully fixes it. Please test.

[github-actions]

There has been no activity on this feature request for 5 months and it is unlikely to be implemented. It will be closed 6 months after the last non-automated comment.

For more information on how the project manages feature requests, please consult the feature request management document.

[github-actions]

There has been no activity on this feature request and it is being closed. If you feel closing this issue is not the right thing to do, please leave a comment.

For more information on how the project manages feature requests, please consult the feature request management document.