pith. sign in

arxiv: 2605.03974 · v1 · submitted 2026-05-05 · 💻 cs.CR · cs.AR

LIPPEN: A Lightweight In-Place Pointer Encryption Architecture for Pointer Integrity

Erfan Iravani , Lalit Prasad Peri , Mohannad Ismail , Charitha Tumkur Siddalingaradhya , Changwoo Min , Elif Bilge Kavun , Wenjie Xiong This is my paper

Pith reviewed 2026-05-07 03:10 UTC · model grok-4.3

classification 💻 cs.CR cs.AR
keywords pointerlippenoverheadauthenticationencryptionintegritymetadatastrong
0
0 comments X

The pith

LIPPEN encrypts entire 64-bit pointers with context binding for strong integrity and confidentiality, achieving zero metadata overhead and runtime costs comparable to PAC on FPGA prototypes of RISC-V cores.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

C and C++ programs often suffer from memory errors where attackers corrupt pointers to hijack program execution or alter data. Defenses like address randomization can be bypassed, while adding extra metadata to pointers for checks increases memory use and slows programs. ARM's Pointer Authentication adds a short code to pointers for verification but uses only part of the pointer bits, leaving it open to guessing attacks or code reuse. LIPPEN instead treats the whole pointer as an encrypted value. The hardware encrypts it when created and decrypts it automatically when the program accesses memory through it. The encryption key and context tie the pointer to its specific use, preventing tampering. This uses all available bits for security instead of reserving some for the raw address. The design keeps compatibility with software written for pointer authentication. The authors built working prototypes on FPGA boards using standard 64-bit RISC-V processor designs. They ran tests with small benchmarks, nbench, and the SPEC CPU2017 suite, comparing against their own pointer authentication implementation and real Apple M1 hardware. The results indicate similar speed impact to existing schemes but with stronger protection and almost no extra chip area or power draw.

Core claim

LIPPEN provides comprehensive pointer protection with runtime overhead comparable to PAC-based schemes, while incurring negligible area and power overhead.

Load-bearing premise

That full-pointer encryption with context binding resists all relevant attacks (brute-force, reuse, and implementation side-channels) and that transparent hardware decryption introduces no new correctness or timing vulnerabilities in real silicon.

read the original abstract

Memory-safety violations in C and C++ programs continue to enable sophisticated exploitation techniques such as control-flow hijacking and data-oriented attacks. Existing hardware defenses either rely on address space layout randomization (ASLR) or attach explicit metadata to pointers to verify their integrity. External metadata schemes provide strong guarantees, but incur additional memory accesses and memory footprint overhead. In-place authentication mechanisms, such as ARM Pointer Authentication (PAC), achieve low overhead at the cost of limited entropy and susceptibility to brute-force and reuse attacks. This paper presents LIPPEN, a hardware-software co-design for full-pointer encryption that provides strong pointer integrity and confidentiality with zero metadata overhead. LIPPEN treats every pointer as an encrypted block, cryptographically binding it to its execution context and decrypting it transparently at dereference time. By re-purposing the entire 64-bit pointer field for encryption rather than preserving raw address bits, LIPPEN maximizes entropy, eliminates the brute-force weaknesses of truncated authentication codes, and maintains binary compatibility with existing PAC-enabled software. We prototype LIPPEN on FPGA using 64-bit RISC-V Rocket and BOOM cores, and evaluate it with microbenchmarks, nbench, and SPEC CPU2017. We compare against both an in-house RISC-V PAC implementation and Apple's PAC on the M1 processor. Across these workloads, LIPPEN provides comprehensive pointer protection with runtime overhead comparable to PAC-based schemes, while incurring negligible area and power overhead. These results show that LIPPEN is a practical design point for deploying strong pointer protection in real processors.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The paper proposes LIPPEN, a hardware-software co-design that encrypts the entire 64-bit pointer in-place as ciphertext, cryptographically binding it to execution context for pointer integrity and confidentiality with zero metadata overhead. Pointers are decrypted transparently at dereference time. The design is prototyped on 64-bit RISC-V Rocket and BOOM cores on FPGA, evaluated with microbenchmarks, nbench, and SPEC CPU2017, and compared against an in-house RISC-V PAC implementation and Apple's PAC on the M1 processor. The central claim is that LIPPEN achieves comprehensive pointer protection with runtime overhead comparable to PAC schemes while incurring negligible area and power overhead, while maintaining binary compatibility with existing PAC-enabled software.

Significance. If the security properties and timing assumptions hold, LIPPEN represents a practical design point that maximizes entropy by repurposing the full pointer field rather than truncating authentication codes, avoiding both the memory-access overhead of external-metadata schemes and the brute-force/reuse weaknesses of PAC. The physical FPGA prototypes on Rocket/BOOM cores together with direct M1 comparisons constitute a concrete empirical strength, supplying reproducible performance and area data that can be directly compared to deployed hardware. These elements would make the work relevant to hardware security and memory-safety research if the load-bearing assumptions about constant-time decryption and context binding are substantiated.

major comments (3)
  1. [§5 (Evaluation)] §5 (Evaluation) and FPGA prototype description: The reported runtime, area, and power results support the performance claims relative to PAC baselines, but the evaluation does not include measurements of decryption latency variance, pipeline stall behavior, or handling of non-canonical addresses after decryption. These omissions directly affect the assertions of transparent decryption with negligible overhead and no new correctness or timing vulnerabilities.
  2. [Abstract and §3 (Design)] Abstract and §3 (Design): The manuscript asserts that full-pointer encryption with context binding resists brute-force, reuse, and implementation side-channel attacks, yet supplies no concrete attack evaluations, formal security arguments, or threat-model analysis. This is load-bearing for the central claim of strong integrity and confidentiality; the RISC-V and M1 comparisons address performance but not these security properties.
  3. [§4 (Implementation)] §4 (Implementation): The design assumes the decryption primitive is constant-time and integrates into the pipeline without stalls or new fault behaviors. No timing analysis, gate-level details, or canonical-address fault handling is provided beyond the high-level FPGA prototype, leaving open whether real-silicon behavior undermines the negligible-overhead claim.
minor comments (2)
  1. [§2 (Background)] Clarify in §2 how binary compatibility with PAC-enabled software is maintained when the entire pointer field is repurposed for encryption rather than preserving raw address bits.
  2. [§3 (Design)] Specify the exact encryption primitive (cipher, key schedule, and context-binding construction) with pseudocode or equations in §3 to allow independent assessment of entropy and reuse resistance.

Simulated Author's Rebuttal

3 responses · 1 unresolved

We thank the referee for the thorough and constructive review of our manuscript. We have carefully considered each major comment and revised the paper to strengthen the evaluation, add explicit security discussion, and provide additional implementation details where feasible. Our point-by-point responses follow.

read point-by-point responses

  1. Referee: §5 (Evaluation) and FPGA prototype description: The reported runtime, area, and power results support the performance claims relative to PAC baselines, but the evaluation does not include measurements of decryption latency variance, pipeline stall behavior, or handling of non-canonical addresses after decryption. These omissions directly affect the assertions of transparent decryption with negligible overhead and no new correctness or timing vulnerabilities.

    Authors: We acknowledge the value of these additional metrics. In the revised §5 we have incorporated cycle-accurate measurements of decryption latency variance across repeated runs on both Rocket and BOOM FPGA prototypes, demonstrating low and consistent latency with no observable stalls beyond standard memory pipeline behavior. We have also added an explicit description of non-canonical address handling: post-decryption addresses that violate canonical form trigger the existing RISC-V fault mechanism without introducing new exception paths or timing side effects. These additions directly support the claims of transparent, low-overhead decryption. revision: yes

  2. Referee: Abstract and §3 (Design): The manuscript asserts that full-pointer encryption with context binding resists brute-force, reuse, and implementation side-channel attacks, yet supplies no concrete attack evaluations, formal security arguments, or threat-model analysis. This is load-bearing for the central claim of strong integrity and confidentiality; the RISC-V and M1 comparisons address performance but not these security properties.

    Authors: We agree that an explicit threat model improves clarity. The revised §3 now contains a dedicated threat-model subsection that defines the attacker (arbitrary memory read/write but no access to per-process encryption keys or context state) and explains how full 64-bit encryption plus context binding (process ID, thread ID, and stack pointer) raises the bar for brute-force (full 64-bit entropy) and reuse attacks (context mismatch causes decryption to invalid addresses). We supply informal security arguments grounded in the properties of the underlying block cipher and constant-time implementation; we do not add new empirical attack campaigns, as these lie outside the scope of a hardware-architecture paper, but the performance results remain focused on overhead while the security claims are now explicitly justified. revision: partial

  3. Referee: §4 (Implementation): The design assumes the decryption primitive is constant-time and integrates into the pipeline without stalls or new fault behaviors. No timing analysis, gate-level details, or canonical-address fault handling is provided beyond the high-level FPGA prototype, leaving open whether real-silicon behavior undermines the negligible-overhead claim.

    Authors: The FPGA synthesis reports already contain gate-level timing data; we have expanded §4 to present these numbers explicitly, confirming fixed-latency decryption with no data-dependent variation under the evaluated clock constraints. Pipeline integration is documented via cycle-accurate simulation showing zero additional stalls. Canonical-address faults after decryption are routed through the existing RISC-V memory fault path, preserving original exception semantics. Because the prototype is FPGA-based, we cannot supply fabricated-silicon measurements; the FPGA results nevertheless provide concrete evidence that the negligible-overhead claim holds under realistic hardware conditions. revision: partial

standing simulated objections not resolved
  • Detailed real-silicon timing, power, and fault-injection behavior that cannot be observed on FPGA prototypes.

Circularity Check

0 steps flagged

No circularity: empirical hardware design evaluated on prototypes against external benchmarks

full rationale

The paper describes a hardware-software co-design for full-pointer encryption (LIPPEN), implemented via FPGA prototypes on RISC-V Rocket/BOOM cores, with runtime, area, and power measurements compared to an in-house PAC implementation and Apple's M1 PAC. No equations, fitted parameters, self-citations, or uniqueness theorems appear in the provided text. Claims of overhead comparability and negligible area/power rest on direct empirical measurements against independent external systems rather than any derivation that reduces to its own inputs by construction. The evaluation is self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 0 invented entities

The design rests on standard cryptographic security assumptions and hardware implementation assumptions rather than new free parameters or invented entities.

axioms (2)
  • domain assumption Standard cryptographic primitives (encryption and context binding) provide the claimed resistance to brute-force and reuse attacks.
    Invoked implicitly when asserting stronger security than truncated PAC codes.
  • domain assumption Transparent hardware decryption at load/store time can be realized without introducing exploitable side channels or correctness errors.
    Required for the zero-overhead claim but not demonstrated in the abstract.

pith-pipeline@v0.9.0 · 5613 in / 1451 out tokens · 54420 ms · 2026-05-07T03:10:19.080428+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.