LIPPEN: A Lightweight In-Place Pointer Encryption Architecture for Pointer Integrity

Date: 2026-05-05
Citations: 0
Influential citations: 0

AI Summary
This work addresses the vulnerability of C/C++ programs to control-flow hijacking and data-oriented attacks stemming from memory safety flaws. Existing hardware-based defenses often suffer from either excessive metadata overhead or insufficient entropy, compromising their security guarantees. To overcome these limitations, the authors propose a hardware-software co-designed pointer protection mechanism that, for the first time, encrypts full 64-bit pointers without preserving any raw address bits, while binding them to the execution context. Pointers are transparently decrypted upon dereference, achieving both integrity and confidentiality with zero metadata overhead. Implemented on the RISC-V architecture, the design integrates in-place encryption/decryption logic and context binding, and has been validated via FPGA prototypes on Rocket and BOOM cores. Experimental results demonstrate runtime overhead comparable to ARM’s Pointer Authentication (PAC), with negligible area and power costs, offering strong security without sacrificing deployability.
Abstract
Memory-safety violations in C and C++ programs continue to enable sophisticated exploitation techniques such as control-flow hijacking and data-oriented attacks. Existing hardware defenses either rely on address space layout randomization (ASLR) or attach explicit metadata to pointers to verify their integrity. External metadata schemes provide strong guarantees, but incur additional memory accesses and memory footprint overhead. In-place authentication mechanisms, such as ARM Pointer Authentication (PAC), achieve low overhead at the cost of limited entropy and susceptibility to brute-force and reuse attacks. This paper presents LIPPEN, a hardware-software co-design for full-pointer encryption that provides strong pointer integrity and confidentiality with zero metadata overhead. LIPPEN treats every pointer as an encrypted block, cryptographically binding it to its execution context and decrypting it transparently at dereference time. By re-purposing the entire 64-bit pointer field for encryption rather than preserving raw address bits, LIPPEN maximizes entropy, eliminates the brute-force weaknesses of truncated authentication codes, and maintains binary compatibility with existing PAC-enabled software. We prototype LIPPEN on FPGA using 64-bit RISC-V Rocket and BOOM cores, and evaluate it with microbenchmarks, nbench, and SPEC CPU2017. We compare against both an in-house RISC-V PAC implementation and Apple's PAC on the M1 processor. Across these workloads, LIPPEN provides comprehensive pointer protection with runtime overhead comparable to PAC-based schemes, while incurring negligible area and power overhead. These results show that LIPPEN is a practical design point for deploying strong pointer protection in real processors.
Problem

Research questions and friction points this paper is trying to address.

pointer integrity
memory safety
hardware security
pointer authentication
side-channel attacks
Innovation

Methods, ideas, or system contributions that make the work stand out.

pointer encryption
pointer integrity
hardware-software co-design
metadata-free security
RISC-V