# AD5026: EnableArmBTIMachO

## Summary
| Property | Value |
|---|---|
| ID | AD5026 |
| Name | EnableArmBTIMachO |
| Category | Security |
| Severity | Warning |
| Applies to | Mach-O (macOS, iOS, ARM64) |
## Description

ARM64 Mach-O binaries should enable Branch Target Identification (BTI) so that an attacker who controls an indirect branch cannot redirect it to an arbitrary code location.
## How It Works

The rule checks for BTI enablement:
- BTI landing pad instructions
- ARM64 binary flags
- Compiler BTI configuration
## Why This Matters

BTI ensures that indirect branches can only land on designated target instructions, which defeats the many exploitation techniques that depend on jumping into the middle of a function.

## BTI on Apple Silicon
| Platform | BTI Support |
|---|---|
| M1/M2/M3 Macs | Yes |
| A12+ iOS devices | Yes |
| Older devices | No (graceful fallback) |
## How BTI Works

```asm
; Without BTI: an indirect branch can land anywhere
BR  X0              ; X0 = 0x12345678, any address is accepted

; With BTI: the target must begin with a BTI landing pad
BR  X0              ; X0 = 0x12345678, target must start with BTI
BTI JC              ; valid landing pad for both BR (j) and BLR (c)
...code...
```
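The following is an added example (not the rule's own implementation) showing what the landing-pad check described under How It Works and How BTI Works amounts to at the instruction level. It decodes raw little-endian AArch64 words, recognizes the `BTI c`/`BTI j`/`BTI jc` hint encodings (plus `PACIASP`/`PACIBSP`, which act as implicit `BTI c` pads when BTI and PAC are combined), and reports which function entries lack a landing pad. The code buffer and entry offsets are constructed inline; extracting the `__TEXT,__text` section from a real Mach-O file is assumed to happen elsewhere.

```python
"""Audit AArch64 function entries for BTI landing pads (added example)."""
import struct

# HINT-space encodings that count as BTI landing pads. Bits [11:5] carry
# the hint number: BTI c = #34, BTI j = #36, BTI jc = #38, PACIASP = #25,
# PACIBSP = #27. The value is the set of branch kinds the pad accepts.
LANDING_PADS = {
    0xD503245F: "c",   # BTI c    : target for BLR, and for BR via X16/X17
    0xD503249F: "j",   # BTI j    : target for BR
    0xD50324DF: "jc",  # BTI jc   : target for both
    0xD503233F: "c",   # PACIASP  : implicit BTI c when PAC is enabled
    0xD503237F: "c",   # PACIBSP  : implicit BTI c when PAC is enabled
}

BR_OPCODE = 0xD61F0000   # BR  Xn, Rn in bits [9:5]
BLR_OPCODE = 0xD63F0000  # BLR Xn, Rn in bits [9:5]
REG_MASK = 0xFFFFFC1F    # everything except the Rn field


def landing_pad_at(code, offset):
    """Return 'c', 'j', 'jc' if the word at offset is a landing pad, else None."""
    word = struct.unpack_from("<I", code, offset)[0]
    return LANDING_PADS.get(word)


def classify_indirect_branch(word):
    """Return ('br', reg) or ('blr', reg) for an indirect branch, else None."""
    if word & REG_MASK == BR_OPCODE:
        return ("br", (word >> 5) & 31)
    if word & REG_MASK == BLR_OPCODE:
        return ("blr", (word >> 5) & 31)
    return None


def pad_accepts(pad, kind, reg):
    """Does a landing pad of the given kind accept this indirect branch?"""
    if pad is None:
        return False
    if kind == "blr":
        return "c" in pad
    if kind == "br":
        # BR via X16/X17 is treated like a call and may land on BTI c.
        return "j" in pad or ("c" in pad and reg in (16, 17))
    return False


def audit_entries(code, entries):
    """Map each function entry offset to the landing pad found there (or None)."""
    return {off: landing_pad_at(code, off) for off in entries}


def missing_landing_pads(code, entries):
    """Entry offsets with no landing pad: these would trigger the warning."""
    return sorted(off for off, pad in audit_entries(code, entries).items() if pad is None)


def _asm(*words):
    """Pack 32-bit instruction words little-endian, as in an ARM64 Mach-O."""
    return b"".join(struct.pack("<I", w) for w in words)


# Constructed sample: four tiny functions, 8 bytes each.
SAMPLE_CODE = (
    _asm(0xD503245F, 0xD65F03C0)   # offset 0 : BTI c   ; RET
    + _asm(0xD503233F, 0xD65F03C0)  # offset 8 : PACIASP ; RET (implicit BTI c)
    + _asm(0xD503201F, 0xD65F03C0)  # offset 16: NOP     ; RET (no landing pad)
    + _asm(0xD503249F, 0xD65F03C0)  # offset 24: BTI j   ; RET
)
SAMPLE_ENTRIES = [0, 8, 16, 24]

if __name__ == "__main__":
    for off, pad in audit_entries(SAMPLE_CODE, SAMPLE_ENTRIES).items():
        print(f"entry 0x{off:04x}: {'BTI ' + pad if pad else 'NO LANDING PAD'}")
    print("entries missing a pad:", missing_landing_pads(SAMPLE_CODE, SAMPLE_ENTRIES))
```

The compatibility helper is what makes the `BTI c` versus `BTI j` distinction concrete: a `BR X0` into a function that begins with `BTI c` still faults, so a compiler emitting function entries for both calls and tail jumps uses `BTI jc` (or `-mbranch-protection=standard`, which also makes `PACIASP` serve as the pad).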
## Combined with PAC
| Protection | Coverage |
|---|---|
| BTI only | Forward edges |
| PAC only | Returns |
| BTI + PAC | Complete CFI |
## Apple's Implementation

Apple Silicon supports BTI in hardware; it is enabled at compile time with the `-mbranch-protection` flag shown under Resolution.

## Performance Considerations

BTI has near-zero overhead on Apple Silicon:
| Metric | Impact |
|---|---|
| Runtime overhead | <0.5% |
| Code size increase | 1-2% |
| Memory overhead | None |
Apple Silicon optimization:

- M1/M2/M3 chips execute BTI validation in parallel with instruction decode
- No pipeline stalls or additional memory accesses
- Combined BTI + PAC overhead is approximately 1% on Apple Silicon

## Resolution

Enable BTI for ARM64:

```bash
# BTI only
clang --target=arm64-apple-macos -mbranch-protection=bti program.c

# BTI + PAC (recommended)
clang --target=arm64-apple-macos -mbranch-protection=standard program.c
```
## Xcode Settings
Add to "Other C Flags":