LIPPEN: A Lightweight In-Place Pointer Encryption Architecture for Pointer Integrity

TL;DR

LIPPEN is a hardware-software co-designed pointer encryption system that enhances pointer integrity and confidentiality in C/C++ programs without metadata overhead, using full-pointer encryption and cryptographic binding.

Contribution

It introduces a full-pointer encryption architecture that maximizes entropy, improves security over existing in-place authentication methods, and maintains compatibility with existing PAC-enabled software.

Findings

LIPPEN provides comprehensive pointer protection with low runtime overhead.

It achieves security improvements by maximizing entropy and eliminating brute-force vulnerabilities.

Prototype implementation on FPGA shows negligible area and power overhead.

Abstract

Memory-safety violations in C and C++ programs continue to enable sophisticated exploitation techniques such as control-flow hijacking and data-oriented attacks. Existing hardware defenses either rely on address space layout randomization (ASLR) or attach explicit metadata to pointers to verify their integrity. External metadata schemes provide strong guarantees, but incur additional memory accesses and memory footprint overhead. In-place authentication mechanisms, such as ARM Pointer Authentication (PAC), achieve low overhead at the cost of limited entropy and susceptibility to brute-force and reuse attacks. This paper presents LIPPEN, a hardware-software co-design for full-pointer encryption that provides strong pointer integrity and confidentiality with zero metadata overhead. LIPPEN treats every pointer as an encrypted block, cryptographically binding it to its execution context and decrypting it transparently at dereference time. By re-purposing the entire 64-bit pointer field for encryption rather than preserving raw address bits, LIPPEN maximizes entropy, eliminates the brute-force weaknesses of truncated authentication codes, and maintains binary compatibility with existing PAC-enabled software. We prototype LIPPEN on FPGA using 64-bit RISC-V Rocket and BOOM cores, and evaluate it with microbenchmarks, nbench, and SPEC CPU2017. We compare against both an in-house RISC-V PAC implementation and Apple's PAC on the M1 processor. Across these workloads, LIPPEN provides comprehensive pointer protection with runtime overhead comparable to PAC-based schemes, while incurring negligible area and power overhead. These results show that LIPPEN is a practical design point for deploying strong pointer protection in real processors.