According to MIT researchers, Apple’s M1 chips contain an “unpatchable” hardware vulnerability that could allow attackers to bypass what the company treats as its last line of defense against memory-corruption exploits.
The problem lies in a hardware security feature of Apple’s M1 processors called pointer authentication codes, or PAC. Pointer authentication stores a short cryptographic tag in the otherwise unused upper bits of a pointer and checks that tag before the pointer is used. An attacker who has corrupted memory, for example through a buffer overflow that writes past the end of a buffer into adjacent memory, can no longer simply overwrite a pointer to redirect execution, which makes it far more difficult to turn a memory-corruption bug into the ability to run malicious code on the device.
However, researchers at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) have devised a hardware attack that combines memory corruption with speculative execution to defeat the mechanism. The attack shows that pointer authentication can be bypassed without leaving a trace, since failed guesses never trigger a crash, and because it exploits the behaviour of the hardware itself, no software patch can correct it.
Pointer Authentication Code
The “Pacman” attack works by guessing a pointer authentication code (PAC): a keyed cryptographic tag, stored in the unused upper bits of a pointer, that lets the processor detect that the pointer has been tampered with before it is used. The attack leaks the result of PAC verification through speculative execution, the technique modern processors use to run instructions ahead of time along a predicted path to improve performance, while a hardware side channel reveals whether each guess was correct. Because the check happens only speculatively, a wrong guess never causes the fault that would normally expose the attacker.
What The Experts Say
Furthermore, because a PAC has only a small number of possible values (it has to fit in the unused upper bits of a 64-bit pointer), the researchers found that it is feasible to try every value until the correct one is found.
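To make the two ideas above concrete (a PAC as a truncated keyed tag in the top bits of a pointer, and why a small PAC can be brute-forced once failed guesses stop crashing the process), here is an added C model. It is not code from the MIT paper or from Apple: the keyed mixing function is a hypothetical stand-in for the real QARMA cipher, the 16-bit PAC width, the key values and the pointer addresses are constructed, and `pac_auth` plays the role of the PACMAN oracle that real hardware only leaks through a speculative side channel.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of ARMv8.3 pointer authentication (hypothetical, not Apple's).
 * Real M1 hardware uses QARMA with per-context keys; a small keyed mixer
 * stands in so the example runs on any machine. 16 bits is a constructed
 * PAC width typical of a 48-bit virtual address space. */
#define PAC_BITS  16u
#define PAC_SHIFT (64u - PAC_BITS)
#define PAC_MASK  (((uint64_t)1 << PAC_BITS) - 1)

typedef struct { uint64_t k0, k1; } pac_key_t;

/* Keyed mixing function (NOT QARMA): MAC over (pointer, modifier), truncated. */
static uint64_t toy_mac(uint64_t ptr, uint64_t modifier, pac_key_t key) {
    uint64_t x = ptr ^ key.k0;
    uint64_t y = modifier ^ key.k1;
    for (int i = 0; i < 4; i++) {
        x += y;
        y = (y << 13) | (y >> 51);
        y ^= x;
        x = (x << 32) | (x >> 32);
        x *= 0x9E3779B97F4A7C15ULL;
        y *= 0xC2B2AE3D27D4EB4FULL;
    }
    return (x ^ y) >> PAC_SHIFT;   /* keep only PAC_BITS bits */
}

/* PACIA-like: embed the tag in the unused upper bits of the pointer. */
uint64_t pac_sign(uint64_t ptr, uint64_t modifier, pac_key_t key) {
    uint64_t canonical = ptr & ~(PAC_MASK << PAC_SHIFT);
    return canonical | (toy_mac(canonical, modifier, key) << PAC_SHIFT);
}

/* AUTIA-like: strip the tag into *out and report whether it matched.
 * On real hardware a mismatch yields a pointer that faults when used. */
int pac_auth(uint64_t signed_ptr, uint64_t modifier, pac_key_t key, uint64_t *out) {
    uint64_t canonical = signed_ptr & ~(PAC_MASK << PAC_SHIFT);
    uint64_t expected  = toy_mac(canonical, modifier, key);
    uint64_t got       = (signed_ptr >> PAC_SHIFT) & PAC_MASK;
    *out = canonical;
    return expected == got;
}

/* Attacker model: a memory-corruption bug lets us write any pointer, and an
 * oracle tells us whether authentication would succeed without faulting
 * (in PACMAN that oracle is a speculative-execution side channel). Walk the
 * whole PAC space; returns the number of oracle queries and sets *forged. */
uint64_t brute_force_pac(uint64_t target, uint64_t modifier, pac_key_t key, uint64_t *forged) {
    uint64_t scratch;
    uint64_t canonical = target & ~(PAC_MASK << PAC_SHIFT);
    for (uint64_t guess = 0; guess <= PAC_MASK; guess++) {
        uint64_t candidate = canonical | (guess << PAC_SHIFT);
        if (pac_auth(candidate, modifier, key, &scratch)) {   /* oracle query */
            *forged = candidate;
            return guess + 1;
        }
    }
    return 0;   /* unreachable for a deterministic tag */
}

int main(void) {
    pac_key_t key = { 0x0123456789ABCDEFULL, 0xFEDCBA9876543210ULL };  /* constructed */
    uint64_t fn = 0x0000000100004000ULL;   /* constructed function pointer */
    uint64_t out, forged;

    uint64_t s = pac_sign(fn, 0x42, key);
    printf("signed   0x%016llx  auth=%d\n", (unsigned long long)s, pac_auth(s, 0x42, key, &out));

    /* Overflow-style corruption: low bytes overwritten, stale tag left in place.
     * Authentication fails except for a 1-in-2^PAC_BITS coincidence. */
    uint64_t corrupted = (s & ~0xFFFFULL) | 0x8000;
    printf("corrupt  0x%016llx  auth=%d\n", (unsigned long long)corrupted, pac_auth(corrupted, 0x42, key, &out));

    /* PACMAN-style: forge a correctly signed pointer to an attacker-chosen target. */
    uint64_t target = 0x0000000100008000ULL;   /* constructed */
    uint64_t tries = brute_force_pac(target, 0x42, key, &forged);
    printf("forged   0x%016llx  after %llu of at most %llu queries, auth=%d\n",
           (unsigned long long)forged, (unsigned long long)tries,
           (unsigned long long)(PAC_MASK + 1), pac_auth(forged, 0x42, key, &out));
    return 0;
}
```

The point the model makes is the one in the text: a legitimately signed pointer authenticates, a pointer corrupted by an overflow does not, and yet an attacker who can query the verifier silently needs at most 2^16 attempts to produce a forged pointer that passes. Replacing the toy mixer with a stronger function does not change that bound; only widening the tag or removing the crash-free oracle does.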
The researchers demonstrated that the attack works against the kernel, which has “huge ramifications for future security work on all ARM systems with pointer authentication enabled,” according to Joseph Ravichandran, a PhD student at MIT CSAIL and co-lead author of the research paper.