MIT researchers have discovered an unpatchable hardware vulnerability in Apple’s M1 chip that allows an attacker to bypass Pointer Authentication, one of M1’s defences against buffer overflow exploit attacks.
M1 chips have a hardware-level security mechanism called pointer authentication codes or PAC. The feature makes it extremely hard for an attacker to inject arbitrary code into a device’s memory.
Researchers at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) have devised a new attack that combines memory corruption and speculative execution attacks to circumvent the security measure, as reported by TechCrunch.
The attack (PACMAN) works by guessing a PAC, a cryptographic signature stored in a pointer’s spare bits that indicates the pointer hasn’t been altered maliciously. The guesses are checked using speculative execution, a performance technique in which the processor speculatively runs ahead on likely paths of computation; whether a speculatively used PAC was correct leaks through a hardware side channel, so a wrong guess never has to be committed and never triggers a crash.
The attack has successfully shown that pointer authentication can be evaded without leaving any traces. Since the attack depends on a hardware mechanism, software patches can’t fix it either. Additionally, since the number of possible PAC values is limited, the researchers found that the right one can be found by sheer brute force (trying all possible values).
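To make the two points above concrete (a PAC is a signature carried in a pointer’s unused upper bits, and the number of possible PAC values is small), here is an added, simplified software model of pointer authentication. It is not code from the MIT paper or from Apple; real Arm hardware uses the QARMA block cipher and a layout that depends on the configured virtual-address size, whereas this model uses a truncated HMAC-SHA256 and assumed, constructed values for the address width (48 bits) and PAC width (16 bits).

```python
import hmac
import hashlib

# Constructed layout assumptions for this model (not Arm's real configuration):
VA_BITS = 48                       # bits of the pointer that carry the address
PAC_BITS = 16                      # spare upper bits that carry the signature
ADDR_MASK = (1 << VA_BITS) - 1
PAC_FIELD_MASK = (1 << PAC_BITS) - 1


def compute_pac(key: bytes, addr: int, context: int) -> int:
    """Keyed MAC over (address, context), truncated to PAC_BITS bits.

    The context (a 'modifier' in Arm terms) binds the signature to where the
    pointer is used, e.g. a stack-frame address for a return address.
    """
    msg = addr.to_bytes(8, "little") + context.to_bytes(8, "little")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "little") & PAC_FIELD_MASK


def sign_pointer(key: bytes, ptr: int, context: int) -> int:
    """Model of a PAC* instruction: store the signature in the upper bits."""
    addr = ptr & ADDR_MASK
    return addr | (compute_pac(key, addr, context) << VA_BITS)


def authenticate_pointer(key: bytes, signed_ptr: int, context: int) -> int:
    """Model of an AUT* instruction: strip and verify the signature.

    Returns the plain address on success; raises on a mismatch, which is the
    event real hardware turns into a fault when the pointer is later used.
    """
    addr = signed_ptr & ADDR_MASK
    presented = (signed_ptr >> VA_BITS) & PAC_FIELD_MASK
    expected = compute_pac(key, addr, context)
    if not hmac.compare_digest(presented.to_bytes(2, "little"),
                               expected.to_bytes(2, "little")):
        raise ValueError("pointer authentication failed")
    return addr


def pac_candidates(pac_bits: int = PAC_BITS) -> int:
    """How many distinct PAC values exist for a given signature width.

    With 16 bits there are only 65536 candidates, which is why the article
    notes that trial of every value is feasible once a wrong guess no longer
    costs the attacker a crash.
    """
    return 1 << pac_bits


if __name__ == "__main__":
    key = b"constructed-demo-key"           # constructed; real keys live in system registers
    frame = 0x0000_7FFF_DEAD_BEE0           # constructed stack-frame address used as context
    ret_addr = 0x0000_0001_0000_4000        # constructed legitimate return address

    signed = sign_pointer(key, ret_addr, frame)
    print(f"signed pointer: {signed:#018x}")
    print("authenticates to:", hex(authenticate_pointer(key, signed, frame)))

    # A memory-corruption bug overwrites the address bits but cannot forge the PAC:
    corrupted = (signed & ~ADDR_MASK) | 0x0000_0001_0000_5000
    try:
        authenticate_pointer(key, corrupted, frame)
    except ValueError as e:
        print("corrupted pointer:", e)

    print("possible PAC values:", pac_candidates())
```

The model shows the defensive property the article relies on: overwriting the address bits alone produces a pointer that fails authentication, so the bug cannot be turned into a control-flow hijack unless the attacker also supplies the correct signature, and it shows why the size of the PAC field caps how hard that last step can ever be.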
What’s more, the attack also works against the macOS kernel, which could have some pretty dire consequences on ARM systems featuring pointer authentication.
Apple’s entire processor lineup (M1, M1 Pro, and M1 Max) uses pointer authentication, as does the newly released M2 chip. The attack hasn’t been tested against the M2 chip yet. Other chip manufacturers, including Qualcomm and Samsung, are also on track to release processors with pointer authentication soon, so it seems like this is going to be a big problem in the near future.
However, the researchers also pointed out that the PACMAN attack isn’t a bypass of all of M1’s security features. It only removes the protection pointer authentication adds: an attacker still needs an existing memory-corruption bug to exploit. The vulnerability has been disclosed to Apple, and the research paper, titled “PACMAN: Attacking Arm Pointer Authentication with Speculative Execution”, is scheduled to be presented at the International Symposium on Computer Architecture in New York on June 18.