The vulnerability lies in a hardware-level security mechanism used on Apple M1 chips called pointer authentication codes, or PACs. The feature makes it much harder for an attacker to inject malicious code into a device's memory and provides a level of defense against buffer overflows, a class of bug in which writes past the end of a buffer corrupt adjacent memory. Researchers at MIT's Computer Science and Artificial Intelligence Laboratory, however, have created a new hardware attack that combines memory corruption and speculative execution to bypass the security feature. The attack shows that pointer authentication can be defeated without leaving a trace, and because it exploits a hardware mechanism, no software patch can fully fix it.

The attack, aptly named "Pacman", works by "guessing" a pointer authentication code (PAC), a cryptographic signature that confirms a pointer has not been tampered with. This is done using speculative execution, a technique modern processors use to speed up performance by executing instructions before it is known whether they are needed, to leak PAC verification results, while a hardware side channel reveals whether the guess was correct. And because a PAC has only so many possible values, the researchers found that it is feasible to try them all until the right one is found.

In a demonstration of the idea, the researchers showed that the attack works even against the kernel, the core of a device's operating system, which has "huge implications for future security work on all ARM systems with pointer authentication enabled," said Joseph Ravichandran, a Ph.D. student at MIT CSAIL and co-author of the research paper. "The idea behind pointer authentication is that if all else fails, you can still rely on it to prevent attackers from gaining control of your system," Ravichandran added.
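To make the guessing argument above concrete, here is an added toy model written for this page; it is not code from the MIT researchers and does not reproduce Apple's PAC scheme or any real speculative-execution or side-channel machinery. It assumes a 16-bit PAC stored in the top 16 bits of a 64-bit pointer, derived from a secret key, the pointer's address bits and a modifier via a splitmix64-style mixing function standing in for the real keyed cipher. The "speculative oracle" is modeled directly as the boolean it would leak. The point it demonstrates is the one the article makes: architecturally, each wrong PAC guess faults (so a naive brute force crashes the victim and leaves a trace), but if an oracle answers "did verification pass?" without faulting, the small PAC space means the correct value is found in at most 2^16 queries.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of pointer authentication. This is NOT Apple's PAC scheme (which
 * keys a block cipher over the pointer and a 64-bit modifier); it is an
 * assumed stand-in with the same shape: a small PAC derived from a secret key,
 * the pointer's address bits and a modifier, stored in the pointer's top bits. */
#define PAC_BITS  16
#define PAC_SHIFT 48
#define PAC_MASK  ((((uint64_t)1 << PAC_BITS) - 1) << PAC_SHIFT)
#define PAC_SPACE ((uint32_t)1 << PAC_BITS)

/* Assumed secret key: known to the "hardware", never to the attacker code below. */
static const uint64_t pac_key = 0x9E3779B97F4A7C15ULL;

/* 64-bit mixing function (splitmix64 finalizer) standing in for the keyed MAC. */
static uint64_t mix64(uint64_t x) {
    x ^= x >> 30; x *= 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 27; x *= 0x94D049BB133111EBULL;
    x ^= x >> 31;
    return x;
}

/* The PAC depends on the address bits (PAC bits masked out), the modifier and the key. */
static uint16_t compute_pac(uint64_t ptr, uint64_t modifier) {
    uint64_t h = mix64((ptr & ~PAC_MASK) ^ mix64(modifier ^ pac_key));
    return (uint16_t)(h >> (64 - PAC_BITS));
}

/* PAC* (sign): stash the PAC in the pointer's unused top bits. */
uint64_t pac_sign(uint64_t ptr, uint64_t modifier) {
    return (ptr & ~PAC_MASK) | ((uint64_t)compute_pac(ptr, modifier) << PAC_SHIFT);
}

/* AUT* (authenticate): architecturally a wrong PAC faults when the pointer is
 * used, so a plain brute force would crash the victim on every bad guess and
 * leave an obvious trace. Returning false models that fault. */
bool pac_authenticate(uint64_t signed_ptr, uint64_t modifier, uint64_t *out) {
    uint16_t stored = (uint16_t)(signed_ptr >> PAC_SHIFT);
    if (stored != compute_pac(signed_ptr, modifier))
        return false;            /* would be a fault / crash on real hardware */
    *out = signed_ptr & ~PAC_MASK;
    return true;
}

/* The PACMAN primitive as the article describes it: the victim authenticates
 * the guessed pointer on a mispredicted (speculative) path, so no fault is ever
 * raised, and a hardware side channel reveals whether the check passed. Here
 * the side channel is modeled directly as the boolean it leaks. */
bool speculative_pac_oracle(uint64_t guessed_ptr, uint64_t modifier) {
    return (uint16_t)(guessed_ptr >> PAC_SHIFT) == compute_pac(guessed_ptr, modifier);
}

/* Enumerate the PAC space (2^16 here, so at most 65536 oracle queries), asking
 * the oracle about each guess. Returns the correctly signed pointer and reports
 * how many queries were needed. */
uint64_t pacman_bruteforce(uint64_t ptr, uint64_t modifier, uint32_t *queries) {
    uint64_t base = ptr & ~PAC_MASK;
    *queries = 0;
    for (uint32_t c = 0; c < PAC_SPACE; c++) {
        uint64_t guess = base | ((uint64_t)c << PAC_SHIFT);
        (*queries)++;
        if (speculative_pac_oracle(guess, modifier))
            return guess;
    }
    return 0;  /* unreachable: the true PAC is always within the space */
}

int main(void) {
    uint64_t target   = 0x0000000100004000ULL;  /* constructed: an address the attacker wants to forge */
    uint64_t modifier = 0xFEEDFACEULL;          /* constructed: e.g. a stack-pointer-derived context */
    uint64_t genuine  = pac_sign(target, modifier);

    uint32_t queries;
    uint64_t forged = pacman_bruteforce(target, modifier, &queries);
    printf("genuine %016llx forged %016llx after %u oracle queries (%s)\n",
           (unsigned long long)genuine, (unsigned long long)forged, queries,
           forged == genuine ? "match" : "mismatch");

    uint64_t out;
    printf("authenticate(forged) = %s\n",
           pac_authenticate(forged, modifier, &out) ? "ok" : "fault");
    return 0;
}
```

The brute force never calls pac_authenticate until it already has the right answer, which is the whole trick: the oracle replaces the fault-on-failure check with a silent yes/no, so the 65536-entry search is cheap and leaves no crash behind. Note that the forged pointer here is only useful if the attacker already has a memory-corruption bug to write it with, matching the researchers' caveat that Pacman is not a standalone bypass.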
"We have shown that pointer authentication as a last line of defense is not as absolute as we once thought."

Apple has implemented pointer authentication across all of its custom ARM-based silicon to date, including the M1, M1 Pro and M1 Max, and several other chip makers, including Qualcomm and Samsung, have either announced or are expected to ship new processors that support the hardware-level security feature. MIT said it had not yet tested the attack on Apple's unreleased M2 chip, which also supports pointer authentication.

"If left unchecked, our attack will affect most mobile devices, and possibly even desktop devices in the coming years," the researchers wrote in the paper.

The researchers, who presented their findings to Apple, noted that the Pacman attack is not a "magic bypass" for all security on the M1 chip: it can only take an existing bug that pointer authentication protects against and make it exploitable. Apple did not comment prior to publication. After publication, Apple spokesperson Scott Radcliffe said: "We want to thank the researchers for their collaboration, as this proof of concept advances our understanding of these techniques. Based on our analysis as well as the details shared with us by the researchers, we have concluded that this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own."

In May last year, a developer discovered an unfixable flaw in Apple's M1 chip that creates a covert channel that two or more already-installed malicious apps could use to transmit information to each other. The flaw was ultimately deemed "harmless," as malware could not use it to steal or interfere with data on a Mac.

Updated with comment from Apple.