Researchers at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) have discovered a security weakness in Apple’s M1 chips. Using a combined hardware/software attack they call PACMAN, they defeated what has been described as Apple Silicon’s last line of defense without being detected, and because the weakness is in the hardware there is no software patch that can fix it.
The weakness lies in Pointer Authentication Codes (PAC), a mechanism that defends the system against memory corruption vulnerabilities. PAC attaches a cryptographic signature to pointer values, and that signature is checked before the pointer is used. This is meant to stop an attacker who can corrupt a pointer from redirecting it to manipulate objects in memory or to leak private information.
The CSAIL researchers built PACMAN, an attack that uses speculative execution to guess the value of a PAC. Speculative execution is a performance technique in which the processor runs instructions along a predicted path before it knows whether that path will actually be taken. PACMAN feeds candidate PAC values into such a speculative path and learns, through a hardware side channel, whether each guess authenticated correctly, without the failed guesses being detected. Since a PAC can take only a limited number of values, the attacker can simply try all of them until the correct PAC is found.
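As an added illustration (this is not code from the CSAIL paper, Apple or ARM), the following C model covers both paragraphs above: a toy pointer-authentication scheme that keeps a 16-bit PAC in the unused top bits of a pointer with 48-bit virtual addresses, and the exhaustive enumeration PACMAN relies on, in which the attacker has no key and only a yes/no oracle standing in for the speculative-execution side channel. The key, the addresses, the modifier, the 48-bit address width and the keyed mixing function that replaces the hardware cipher are all constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: 48-bit virtual addresses, so the top 16 bits carry the PAC.
 * Real hardware derives the field width from the configured address space. */
#define VA_BITS    48u
#define PAC_BITS   (64u - VA_BITS)
#define PAC_SPACE  (1ull << PAC_BITS)            /* 65536 possible PAC values */
#define VA_MASK    ((1ull << VA_BITS) - 1ull)
#define PAC_ERROR  (1ull << 62)                   /* poison bit set on authentication failure */

typedef struct { uint64_t k0, k1; } pac_key_t;

/* Constructed demo values: a signing key the attacker never sees, a code
 * address to protect, and a modifier (e.g. a stack pointer) mixed into the PAC. */
static const pac_key_t DEMO_KEY = {0x0123456789ABCDEFull, 0xFEDCBA9876543210ull};
static const uint64_t  DEMO_FN  = 0x0000000100004000ull;
static const uint64_t  DEMO_SP  = 0x000000016FDFF000ull;

/* Stand-in for the hardware's keyed cipher (QARMA on ARMv8.3): a splitmix64-style
 * keyed mix of (address, modifier) truncated to PAC_BITS. Not cryptographically
 * strong; it only needs to be key-dependent and unpredictable for this model. */
static uint64_t pac_compute(uint64_t ptr, uint64_t modifier, const pac_key_t *key) {
    uint64_t x = (ptr & VA_MASK) ^ key->k0 ^ (modifier * 0x9E3779B97F4A7C15ull);
    x ^= x >> 30; x *= 0xBF58476D1CE4E5B9ull;
    x ^= x >> 27; x *= 0x94D049BB133111EBull;
    x ^= key->k1;
    x ^= x >> 31;
    return x & (PAC_SPACE - 1ull);
}

/* PACIA-style sign: store the PAC in the unused top bits of the pointer. */
uint64_t pac_sign(uint64_t ptr, uint64_t modifier, const pac_key_t *key) {
    return (ptr & VA_MASK) | (pac_compute(ptr, modifier, key) << VA_BITS);
}

/* AUTIA-style authenticate: strip the PAC if it matches, otherwise return a
 * poisoned pointer that faults on use. That fault is what makes naive guessing
 * noisy: every wrong guess crashes the victim. */
uint64_t pac_auth(uint64_t signed_ptr, uint64_t modifier, const pac_key_t *key) {
    uint64_t ptr = signed_ptr & VA_MASK;
    if ((signed_ptr >> VA_BITS) == pac_compute(ptr, modifier, key)) return ptr;
    return ptr | PAC_ERROR;
}

/* Defender's view: how many of n "reuse a valid PAC on a different target"
 * forgeries are rejected. Each one passes by accident with probability 1/PAC_SPACE. */
int forgery_rejections(int n) {
    uint64_t signed_fn = pac_sign(DEMO_FN, DEMO_SP, &DEMO_KEY);
    int rejected = 0;
    for (int i = 1; i <= n; i++) {
        uint64_t forged = (signed_fn & ~VA_MASK) | (DEMO_FN + 16ull * (uint64_t)i);
        if (pac_auth(forged, DEMO_SP, &DEMO_KEY) & PAC_ERROR) rejected++;
    }
    return rejected;
}

/* Attacker's view: no key, only a yes/no oracle. In PACMAN that oracle is the
 * micro-architectural side channel revealing whether a *speculative*
 * authentication succeeded, so wrong guesses never raise the fault above. */
static bool auth_oracle(uint64_t candidate, uint64_t modifier, const pac_key_t *key) {
    return (pac_auth(candidate, modifier, key) & PAC_ERROR) == 0;
}

/* Enumerate every PAC value for a known target address. Returns the number of
 * oracle queries used (1..PAC_SPACE) and writes the correctly signed pointer. */
uint64_t brute_force_pac(uint64_t target, uint64_t modifier, const pac_key_t *key, uint64_t *out) {
    for (uint64_t guess = 0; guess < PAC_SPACE; guess++) {
        uint64_t candidate = (target & VA_MASK) | (guess << VA_BITS);
        if (auth_oracle(candidate, modifier, key)) { *out = candidate; return guess + 1; }
    }
    return 0;
}

/* Runs the brute force against the demo key and checks the recovered pointer
 * against what legitimate signing produces. Returns the query count, 0 on failure. */
uint64_t brute_force_demo(void) {
    uint64_t want = pac_sign(DEMO_FN, DEMO_SP, &DEMO_KEY), got = 0;
    uint64_t n = brute_force_pac(DEMO_FN, DEMO_SP, &DEMO_KEY, &got);
    return (n != 0 && got == want) ? n : 0;
}

int main(void) {
    printf("PAC field: %u bits, %llu possible values\n", PAC_BITS, (unsigned long long)PAC_SPACE);
    printf("blind forgeries rejected: %d of 256\n", forgery_rejections(256));
    printf("brute force recovered the signed pointer after %llu oracle queries\n",
           (unsigned long long)brute_force_demo());
    return 0;
}
```

The two halves make the article's point concrete: almost every blind forgery is rejected and would crash the victim, which is why pointer authentication is a useful mitigation, but once a silent oracle exists the whole PAC space can be walked in at most PAC_SPACE queries, which is why the attack's cost depends only on the width of the PAC field and not on the strength of the key.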
PACMAN is a blended attack: it uses a hardware side channel to break a mitigation that protects software. Although there is no way to patch it, CSAIL said there is no reason to be alarmed.
PACMAN does not create a vulnerability on its own. It takes an existing bug that pointer authentication would otherwise neutralise and, by finding the right PAC, restores that bug’s full potential for use in an attack. Without an existing software bug, a system cannot be compromised this way.
PACMAN is a wake-up call to Apple and other hardware manufacturers
Although users of M1 devices should not worry, the creation of PACMAN is a wake-up call to Apple and other processor manufacturers. “Future CPU designers should be careful to consider this attack when building tomorrow’s secure systems,” said Joseph Ravichandran, co-creator of PACMAN. The CSAIL researcher also warned software developers not to rely on pointer authentication alone as a security measure.
Although pointer authentication is effective at preventing an attacker from gaining control of an M1 Mac, it is not a perfect solution. The measure was introduced in ARMv8.3 and protects users from exploits that try to trick the device into executing malicious code. Without the key used to create the cryptographic signatures, it is difficult for an attacker to forge valid pointers.
Pointer authentication makes zero-click attacks, which require no user interaction, harder to build. However, the creation of PACMAN shows that this security measure is not as absolute as once thought. The CSAIL researchers said the attack is a starting point for studying other mitigation mechanisms and announced that they will present the study at the International Symposium on Computer Architecture in a week.
For its part, Apple thanked MIT for its work and reassured its users. Scott Radcliffe, a spokesman for Apple, told TechCrunch that, based on Apple’s analysis, this flaw is insufficient to bypass operating system protections on its own, so there is no immediate risk to those who own a Mac with an M1 chip.