MIT researchers uncover “unpatchable” flaw in Apple M1 chips

Apple’s M1 chips have an “unpatchable” hardware vulnerability that could allow attackers to break through their last line of security defenses, MIT researchers have found.

The vulnerability lies in a hardware-level security mechanism used in Apple M1 chips called pointer authentication codes, or PACs. The feature makes it much harder for an attacker to inject malicious code into a device’s memory and provides a level of defense against buffer overflow exploits, a type of attack that forces memory to spill over into other locations on the chip.

Researchers at MIT’s Computer Science and Artificial Intelligence Laboratory, however, have created a novel hardware attack that combines memory corruption and speculative execution attacks to bypass the security feature. The attack shows that pointer authentication can be defeated without leaving a trace, and because it exploits a hardware mechanism, no software patch can fix it.

The attack, aptly named “Pacman,” works by “guessing” a pointer authentication code (PAC), a cryptographic signature attached to a pointer that confirms the pointer has not been maliciously altered. This is done through speculative execution, a technique modern processors use to speed up performance by running likely paths of computation ahead of time, to leak the result of the PAC check: a guessed PAC is verified speculatively, so a wrong guess never raises a crash, while a hardware side channel reveals whether the guess was correct or not.

And because there are only so many possible values for the PAC, the researchers found that it is feasible to try them all until the right one is found.
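The two ideas above, a PAC check that faults on a wrong guess versus a speculative oracle that does not, and a PAC space small enough to enumerate, can be shown with a toy model. The following is an added illustration written for this page, not Apple’s hardware, MIT’s proof of concept or any real exploit: it assumes a 48-bit virtual address with a 16-bit PAC stored in the unused upper bits, replaces the real keyed cipher with a hash that the attacker cannot compute without the hidden key, and models the cache side channel as a plain boolean. The names `pac_sign`, `pac_auth`, `spec_oracle` and `pacman_forge` are hypothetical.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Toy model of ARM pointer authentication. Added illustration, not Apple's or MIT's
   code. Assumed layout (not from the article): 48-bit virtual address, PAC in bits 48..63. */
#define VA_BITS   48
#define PAC_BITS  16
#define VA_MASK   ((1ULL << VA_BITS) - 1)
#define PAC_MASK  ((1ULL << PAC_BITS) - 1)
#define PAC_SHIFT VA_BITS

/* The signing key lives in system registers the attacker cannot read; it is a
   constant here only so the model is self-contained. */
static const uint64_t KEY = 0x9E3779B97F4A7C15ULL;

/* Keyed mixing function standing in for the real block cipher. The only property
   the model needs is that the attacker cannot evaluate it without KEY. */
static uint16_t compute_pac(uint64_t ptr, uint64_t context) {
    uint64_t x = (ptr & VA_MASK) ^ context ^ KEY;
    x ^= x >> 33; x *= 0xff51afd7ed558ccdULL;
    x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ULL;
    x ^= x >> 33;
    return (uint16_t)(x & PAC_MASK);
}

/* Like PACIA: sign a pointer by placing its PAC in the unused upper bits. */
uint64_t pac_sign(uint64_t ptr, uint64_t context) {
    return (ptr & VA_MASK) | ((uint64_t)compute_pac(ptr, context) << PAC_SHIFT);
}

/* Like AUTIA followed by a dereference: a wrong PAC yields a pointer that faults.
   Each fault is counted because, for a kernel target, one fault means a panic. */
static unsigned long arch_faults = 0;
bool pac_auth(uint64_t signed_ptr, uint64_t context, uint64_t *out) {
    uint64_t ptr = signed_ptr & VA_MASK;
    if (compute_pac(ptr, context) != (uint16_t)(signed_ptr >> PAC_SHIFT)) {
        arch_faults++;
        return false;
    }
    *out = ptr;
    return true;
}
unsigned long arch_fault_count(void) { return arch_faults; }

/* The Pacman gadget, modelled: the CPU authenticates and loads through the guessed
   pointer speculatively. A wrong PAC squashes the load instead of faulting, but the
   cache footprint of the speculative access survives and is measured by the attacker.
   That measurement is modelled as this boolean; no architectural fault is ever raised. */
bool spec_oracle(uint64_t guess_ptr, uint64_t context) {
    return compute_pac(guess_ptr & VA_MASK, context) == (uint16_t)(guess_ptr >> PAC_SHIFT);
}

/* Brute force: with PAC_BITS bits there are at most 2^PAC_BITS candidates, and the
   oracle lets us try every one without a crash. Returns the forged signed pointer. */
uint64_t pacman_forge(uint64_t target_ptr, uint64_t context, unsigned long *tries) {
    for (uint64_t pac = 0; pac <= PAC_MASK; pac++) {
        uint64_t candidate = (target_ptr & VA_MASK) | (pac << PAC_SHIFT);
        (*tries)++;
        if (spec_oracle(candidate, context))
            return candidate;
    }
    return 0; /* unreachable in this model: some PAC always matches */
}

int main(void) {
    /* Constructed scenario: the attacker already controls a signed code pointer
       (the "existing bug") and wants to redirect it to an address of their choosing. */
    uint64_t context = 0x1234;                      /* salt bound to the pointer's use */
    uint64_t target  = 0x0000400000001000ULL;       /* address the attacker wants to reach */
    unsigned long tries = 0;
    uint64_t forged = pacman_forge(target, context, &tries);
    uint64_t out = 0;
    bool accepted = pac_auth(forged, context, &out);
    printf("forged 0x%016llx after %lu guesses, accepted=%d, faults=%lu\n",
           (unsigned long long)forged, tries, accepted, arch_fault_count());
    return accepted && out == target ? 0 : 1;
}
```

The point the model makes is the one in the text: with an architectural check every wrong guess is a crash, so brute force against a kernel pointer would panic the machine on the first miss, whereas the speculative oracle answers the same question silently, and a 16-bit PAC then needs at most 65,536 silent guesses. Real PAC sizes depend on the address-space configuration and the model omits the timing work of an actual side channel.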

In a proof of concept, the researchers showed that the attack even works against the kernel, the software core of a device’s operating system, which has “massive implications for future security work on all ARM systems with pointer authentication enabled,” says Joseph Ravichandran, a PhD student at MIT CSAIL and co-lead author of the research paper.

“The idea behind pointer authentication is that if everything else has failed, you can still rely on it to prevent attackers from taking control of your system,” Ravichandran added. “We’ve shown that pointer authentication as the last line of defense isn’t as absolute as we thought before.”

So far, Apple has implemented pointer authentication on all of its custom ARM-based silicon, including the M1, M1 Pro and M1 Max, and several chip makers, including Qualcomm and Samsung, have announced or are expected to ship new processors that support the hardware security feature. MIT said it has not yet tested the attack against Apple’s unreleased M2 chip, which also supports pointer authentication.

“If not mitigated, our attack will affect most mobile devices, and probably even desktop devices in the coming years,” MIT said in the research paper.

The researchers, who presented their findings to Apple, noted that the Pacman attack is not a “magic bypass” for all of the M1 chip’s security and can only exploit an existing bug that pointer authentication would otherwise protect against.

When reached prior to publication, Apple did not comment on the record. Following publication, Apple spokesperson Scott Radcliffe said: “We would like to thank the researchers for their cooperation, as this proof of concept advances our understanding of these techniques. In our analysis and in the details shared with us by the researchers, we have concluded that this problem does not pose an immediate risk to our users and is insufficient to bypass the security protections of the operating system alone.”

In May last year, a developer discovered an unfixable flaw in Apple’s M1 chip that creates a covert channel which two or more already-installed malicious apps could use to pass information between them. But the bug was ultimately deemed “harmless,” because malware cannot use it to steal or interfere with data on a Mac.

Updated with Apple’s on-the-record comment.
