Toward Register Spilling Security Using LLVM and ARM Pointer Authentication

2022 
Modern reduced instruction set computer (RISC) processors are based on a load/store architecture, where all computations are performed on register operands. Compilers therefore allocate registers on demand, and when all registers are occupied, register contents are spilled onto the stack and reloaded later when the data is needed again. This has security implications that cannot be ignored, because data on the stack is exposed to well-known memory corruption attacks. Moreover, the work presented so far mainly targets the protection of pointers to code (e.g., return addresses) and is ineffective at protecting other context data on the stack. This article presents a security solution for spilled registers that generalizes the use of ARM pointer authentication (PA) for this purpose. The protection is enforced by the LLVM compiler through additional compiler passes and modifications. The solution provides both integrity and confidentiality protection, and also addresses the reuse (replay) attack problems associated with PA usage. Experimental data collected demonstrates the effectiveness of the solution against corruption and eavesdropping. We test our solution using SPEC CPU 2017, which confirms its functional viability. Additionally, we report real-world performance overhead metrics of our protection design on an ARM-PA-enabled processor.
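The following C model is an added illustration of the mechanism the abstract describes; it is not the paper's code and does not claim to reproduce its compiler-pass design. Real ARMv8.3 PA would use the `pacga` instruction, which computes a 32-bit PAC over a 64-bit value under the generic key with a second register as modifier and returns it in the upper 32 bits of the destination; since that needs PA-capable hardware, `model_pacga` is a software stand-in built from a keyed mixing function (an assumption of this example). Two further assumptions are also labelled in the code: the modifier binds a spilled value to the spilling frame's stack pointer and the spill-slot index, which is what makes a (data, PAC) pair from one frame fail to authenticate in another (the reuse problem), and confidentiality is obtained by masking the spilled value with a pad derived from the same PA-style primitive before signing it.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed secret standing in for the APGAKey register (per-process, kernel-managed). */
static const uint64_t MODEL_GENERIC_KEY = 0x5DEECE66D1234567ULL;

/* Software stand-in for `pacga xd, xn, xm` (assumption: a keyed mix, not the real QARMA-based PAC).
 * Like the hardware instruction, the 32-bit result lives in the upper half of the return value. */
static uint64_t model_pacga(uint64_t value, uint64_t modifier)
{
    uint64_t h = value ^ MODEL_GENERIC_KEY;
    h ^= modifier * 0x9E3779B97F4A7C15ULL;
    for (int i = 0; i < 3; i++) {
        h ^= h >> 33;
        h *= 0xFF51AFD7ED558CCDULL;
        h ^= h >> 29;
        h *= 0xC4CEB9FE1A85EC53ULL;
    }
    h ^= h >> 32;
    return h & 0xFFFFFFFF00000000ULL;
}

/* One protected spill slot as it would sit on the stack. */
struct spill_slot {
    uint64_t data;  /* spilled register value masked with a PAC-derived pad */
    uint64_t pac;   /* PAC over `data`, bound to the frame and slot via the modifier */
};

/* Assumption: the modifier combines the spilling frame's SP with the slot index.
 * This binding is what defeats replaying a valid slot in another frame or slot. */
static uint64_t spill_modifier(uint64_t frame_sp, unsigned slot_index)
{
    return frame_sp ^ ((uint64_t)slot_index << 56);
}

/* Assumption: two PAC computations over the modifier give a 64-bit masking pad. */
static uint64_t spill_pad(uint64_t modifier)
{
    return model_pacga(modifier, 0x1ULL) | (model_pacga(modifier, 0x2ULL) >> 32);
}

/* Store side: mask the value, then sign the masked value. */
struct spill_slot spill_protect(uint64_t value, uint64_t frame_sp, unsigned slot_index)
{
    uint64_t mod = spill_modifier(frame_sp, slot_index);
    struct spill_slot s;
    s.data = value ^ spill_pad(mod);
    s.pac = model_pacga(s.data, mod);
    return s;
}

/* Reload side: returns 0 and writes *out on success, -1 if authentication fails. */
int spill_restore(const struct spill_slot *s, uint64_t frame_sp, unsigned slot_index,
                  uint64_t *out)
{
    uint64_t mod = spill_modifier(frame_sp, slot_index);
    if (model_pacga(s->data, mod) != s->pac)
        return -1;
    *out = s->data ^ spill_pad(mod);
    return 0;
}

/* Exercises the cases the abstract names: honest reload, a corrupted slot,
 * eavesdropping on the raw slot, and reuse of a valid slot elsewhere. Returns 1 if all behave. */
int run_spill_demo(void)
{
    const uint64_t secret = 0xDEADBEEFCAFEF00DULL;          /* constructed register value */
    const uint64_t frame_a = 0x0000FFFFD000ULL, frame_b = 0x0000FFFFC000ULL;
    uint64_t out = 0;

    struct spill_slot s = spill_protect(secret, frame_a, 3);
    int ok_restore = spill_restore(&s, frame_a, 3, &out) == 0 && out == secret;

    /* Confidentiality: what is on the stack is not the plaintext register value. */
    int ok_hidden = s.data != secret;

    /* Integrity: attacker flips a bit in the spilled slot. */
    struct spill_slot corrupted = s;
    corrupted.data ^= 0x80;
    int ok_corrupt = spill_restore(&corrupted, frame_a, 3, &out) != 0;

    /* Reuse: attacker copies a valid (data, pac) pair into another frame or slot. */
    int ok_reuse = spill_restore(&s, frame_b, 3, &out) != 0 &&
                   spill_restore(&s, frame_a, 4, &out) != 0;

    return ok_restore && ok_hidden && ok_corrupt && ok_reuse;
}

int main(void)
{
    printf("spill protection model: %s\n", run_spill_demo() ? "all checks passed" : "FAILED");
    return 0;
}
```

Two caveats a practitioner would keep in mind when reading the model against real hardware: the PAC occupies only 32 bits, so a forged slot survives authentication with probability about 2^-32 per attempt, and the pad here depends only on the frame and slot, so two different values spilled to the same slot of the same frame would be masked with the same pad. Both are properties of this simplified model, not statements about the paper's design.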