Security researchers from the Massachusetts Institute of Technology (MIT) examined Apple’s M1 chip and discovered a hardware vulnerability. As the MIT Computer Science and Artificial Intelligence Laboratory reports, the vulnerability allows the chip’s “last line of defense” to be circumvented.
This line of defense is what is known as “Pointer Authentication”, a signature that confirms that the program’s state has not been maliciously altered. In this way, an attack that exploits a software bug can still be stopped, even if the software has been compromised.
The MIT team was able to circumvent this pointer authentication with a so-called “Pacman” attack. Since this is a hardware attack, no software patch can help.
Pacman uses a hardware side channel to guess the correct Pointer Authentication Code (PAC). Because the PAC can take only a limited number of values, the researchers found it feasible to try every possible value until the right one is found.
Most importantly, the attack leaves no trace, because all guesses are made under speculative execution.
“The idea behind pointer authentication is that it can be relied on when all else has failed to prevent attackers from gaining control of a system. We have shown that pointer authentication, as a last line of defense, is not as absolute as we once thought,” says Joseph Ravichandran, MIT graduate student in Electrical and Computer Engineering and CSAIL member.
Just the last piece of the puzzle
However, the Pacman attack is not a magical bypass for all security measures on the M1 chip. It can only take advantage of an existing bug that pointer authentication would otherwise block, unlocking that bug’s potential for attack by finding the right PAC. There is no reason for “immediate concern,” say the scientists, since Pacman cannot compromise a system without an existing software bug.
Pointer authentication is primarily used to protect the kernel of the operating system, i.e. the most privileged part of a system. An attacker who gains control of the kernel can do anything they want on a device. The Pacman attack even works against the kernel, which “has massive implications for future security work on all ARM systems with activated pointer authentication,” says Ravichandran. “Prospective CPU designers should consider this attack if they want to build secure systems. Developers should be careful not to rely solely on pointer authentication to protect their software.”
It is not explained whether the vulnerability is also present in Apple’s new M2 processors.