Branch protection (PACBTI) — 32-bit mode only
IAR Embedded Workbench for Arm supports branch protection—the Pointer Authentication and Branch Target Identification extension (PACBTI) for Armv8.1-M—for cores and devices that support it. To enable branch protection, use the compiler option ‑‑branch_protection; see ‑‑branch_protection.
Caution
In the IDE, use the Project>Options>General Options>32-bit>Pointer authentication (PACBTI) page to enable branch protection.
PACBTI protects against two types of security exploits, called Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP). Both these attacks use existing pieces of code in the user application. The attacker takes control of the call stack using, for example, stack smashing, and then overwrites the pointers stored on the stack to point to existing vulnerable pieces of code the attacker has identified as useful. The attacker can use this to increase the operating privileges and take full control of the system.
Pointer authentication creates a cryptographic signature of a pointer and stores it in a register separate from the pointer. The return address is then authenticated using this signature before returning.
The second type of attack, Jump-Oriented Programming (JOP), works in a similar fashion. In an ROP attack, the attacker scans the software stack for pieces of code to exploit, looking for sequences that end in a function return. JOP attacks, on the other hand, target code sequences that end in other forms of indirect branches, like function pointers, exploiting the fact that BL or B instructions can target any executable address, and not just the addresses you have defined as entry points.
To protect against JOP attacks, the instruction set includes Branch Target Identification instructions (BTIs). If the target of an indirect branch is not a BTI instruction, a Branch Target Exception is generated.
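The two checks described above can be modeled on a host machine in plain C. This is an added illustration, not code from IAR or Arm: `toy_pac` is a non-cryptographic stand-in for the hardware signature, and the key, addresses, `frame_t`, and `code_image` are constructed for the example. The model also assumes the stack pointer is mixed into the signature as a modifier.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy keyed mix standing in for the hardware PAC computation. NOT cryptographic. */
static uint32_t toy_pac(uint32_t lr, uint32_t sp, uint32_t key) {
    uint32_t h = (key ^ lr) * 0x85EBCA6Bu;
    h ^= h >> 13;
    h = (h ^ sp) * 0xC2B2AE35u;
    return h ^ (h >> 16);
}

typedef struct { uint32_t lr; uint32_t pac; } frame_t;  /* what the prologue saves */

/* Function entry: sign the return address, keep the signature apart from it. */
static frame_t prologue(uint32_t lr, uint32_t sp, uint32_t key) {
    frame_t f = { lr, toy_pac(lr, sp, key) };
    return f;
}

/* Function exit: 1 = return allowed, 0 = authentication failure (fault). */
static int epilogue_ok(const frame_t *f, uint32_t sp, uint32_t key) {
    return toy_pac(f->lr, sp, key) == f->pac;
}

/* Constructed code image, one entry per instruction slot. */
enum { OP_OTHER, OP_BTI };
static const uint8_t code_image[] = { OP_BTI, OP_OTHER, OP_OTHER, OP_BTI, OP_OTHER };

/* Indirect branch: 1 = lands on a BTI instruction, 0 = Branch Target Exception. */
static int indirect_branch_ok(size_t target) {
    return target < sizeof code_image && code_image[target] == OP_BTI;
}

/* Sign a frame, optionally overwrite the saved return address, then authenticate. */
static int return_survives(int overwrite_lr) {
    const uint32_t key = 0x1F2E3D4Cu, sp = 0x20001000u;  /* constructed values */
    frame_t f = prologue(0x08000123u, sp, key);
    if (overwrite_lr) f.lr = 0x08000457u;  /* stack write redirects the return */
    return epilogue_ok(&f, sp, key);
}

int main(void) {
    printf("intact return:      %s\n", return_survives(0) ? "allowed" : "fault");
    printf("overwritten return: %s\n", return_survives(1) ? "allowed" : "fault");
    printf("branch to slot 3:   %s\n", indirect_branch_ok(3) ? "allowed" : "exception");
    printf("branch to slot 1:   %s\n", indirect_branch_ok(1) ? "allowed" : "exception");
    return 0;
}
```

In the model, an overwritten return address fails authentication because the stored signature no longer matches, and an indirect branch into the middle of a function is rejected because the target slot does not hold a BTI instruction.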
Note
PACBTI is designed to catch common exploitable software errors, but it requires good software development practices to be effective.