Researchers at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) in a new paper have exposed an “untraceable” hardware vulnerability in Apple’s most powerful chip to date, the M1.
The M1 chip implements a security feature of the Arm architecture called “Pointer Authentication”, which acts as the “last line of defense” against memory corruption exploits on the M1 SoC.
For the unversed, Pointer Authentication works by offering special CPU instructions that add a cryptographic signature, the Pointer Authentication Code (PAC), to the unused high-order bits of a pointer before the pointer is stored, and that verify the PAC (computed from the pointer, a secret key and a context value) when the pointer is loaded again for use.
With Pointer Authentication enabled, a pointer that an attacker has corrupted through a memory-safety bug fails verification, and the process faults instead of jumping or writing where the attacker chose, so bugs that could normally compromise a system or leak private information are stopped dead in their tracks.
Now, researchers from MIT’s CSAIL have designed a new attack dubbed “PACMAN”, which combines a software memory-corruption bug with a hardware speculative-execution side channel to defeat PAC. PACMAN does not create a new software vulnerability; it removes the protection that would normally stop an existing one from being exploited.
The team found that PACMAN can brute-force the value of a PAC through a hardware side channel: each guess is verified speculatively, so a wrong guess never raises the fault that would normally crash the process, while the side channel reveals whether the guess was correct. Once the correct PAC is known, the attacker can forge a validly signed pointer, pass pointer authentication and take control of the program. Because the verification result leaks through a hardware mechanism rather than an architectural fault, the guessing leaves no crash or log trace.
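To make the mechanism concrete, here is an added toy model in C; it is not the M1 hardware, Apple’s code or the PACMAN paper’s code. It assumes a 16-bit PAC stored in bits 48..63 of a 48-bit virtual address and uses a simple keyed mixing function in place of the real PAC cipher; the hardware side channel is abstracted as a flag that decides whether a wrong guess faults. The example shows signing and verification, and then why a silent verification oracle matters: once wrong guesses no longer crash the process, recovering a 16-bit PAC takes at most 65,536 tries.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of Arm Pointer Authentication (added illustration, not the M1
 * hardware, Apple's code or the PACMAN paper's code). It keeps the shape of
 * the mechanism: a keyed code over (pointer, context modifier) stored in the
 * otherwise unused high bits of a 48-bit virtual address. Assumptions:
 * 16 PAC bits and a toy mixing function instead of the real PAC cipher. */

#define VA_BITS   48
#define PAC_BITS  16
#define PAC_MASK  (((uint64_t)1 << PAC_BITS) - 1)
#define VA_MASK   (((uint64_t)1 << VA_BITS) - 1)

typedef struct { uint64_t k0, k1; } pac_key;

/* Stand-in for the hardware PAC cipher: keyed mixing of pointer and modifier. */
static uint64_t pac_compute(uint64_t ptr, uint64_t modifier, pac_key key) {
    uint64_t x = (ptr & VA_MASK) ^ key.k0;
    uint64_t y = modifier ^ key.k1;
    for (int i = 0; i < 4; i++) {
        x += y; x ^= x >> 29; x *= 0x9E3779B97F4A7C15ULL;
        y ^= x; y ^= y >> 31; y *= 0xBF58476D1CE4E5B9ULL;
    }
    return (x ^ y) & PAC_MASK;
}

/* PACIA-like: sign a pointer, writing the PAC into bits 48..63. */
uint64_t pac_sign(uint64_t ptr, uint64_t modifier, pac_key key) {
    return (ptr & VA_MASK) | (pac_compute(ptr, modifier, key) << VA_BITS);
}

/* AUTIA-like: strip and return the pointer if the PAC matches. On real
 * hardware a failed check yields a pointer that faults when used; that
 * fault is the crash a naive brute force would trigger on every wrong guess. */
bool pac_auth(uint64_t signed_ptr, uint64_t modifier, pac_key key, uint64_t *out) {
    uint64_t ptr = signed_ptr & VA_MASK;
    if ((signed_ptr >> VA_BITS) != pac_compute(ptr, modifier, key)) return false;
    *out = ptr;
    return true;
}

struct brute_result { uint64_t guesses, crashes, pac; bool found; };

/* Attacker model: the attacker can place an arbitrary value in a signed
 * pointer slot (via an assumed memory-corruption bug) but does not know the
 * key. With the architectural check every wrong guess faults; with a
 * PACMAN-style speculative oracle the verification result leaks through a
 * hardware side channel and no fault is ever raised. The oracle is abstracted
 * here as a flag; the real cache side channel is not modelled. */
struct brute_result brute_force_pac(uint64_t target_ptr, uint64_t modifier,
                                    pac_key key, bool speculative_oracle) {
    struct brute_result r = {0, 0, 0, false};
    uint64_t unused;
    for (uint64_t guess = 0; guess <= PAC_MASK; guess++) {
        uint64_t candidate = (target_ptr & VA_MASK) | (guess << VA_BITS);
        r.guesses++;
        if (pac_auth(candidate, modifier, key, &unused)) {
            r.found = true;
            r.pac = guess;
            break;
        }
        if (!speculative_oracle) r.crashes++;  /* in practice the first crash ends the attack */
    }
    return r;
}

int main(void) {
    pac_key key = {0x0123456789ABCDEFULL, 0xFEDCBA9876543210ULL}; /* constructed key */
    uint64_t fn = 0x000000010000A3C0ULL;   /* constructed target: a code pointer */
    uint64_t ctx = 0x7FFEE3A0ULL;          /* constructed modifier, e.g. a stack address */
    uint64_t out;

    uint64_t signed_fn = pac_sign(fn, ctx, key);
    printf("signed pointer      : 0x%016llx\n", (unsigned long long)signed_fn);
    printf("authenticates       : %s\n", pac_auth(signed_fn, ctx, key, &out) ? "yes" : "no");
    printf("tampered target     : %s\n",
           pac_auth(signed_fn ^ 0x10, ctx, key, &out) ? "yes (collision)" : "no (fault)");

    struct brute_result naive = brute_force_pac(fn, ctx, key, false);
    struct brute_result pacman = brute_force_pac(fn, ctx, key, true);
    printf("naive brute force   : %llu guesses, %llu would-be crashes\n",
           (unsigned long long)naive.guesses, (unsigned long long)naive.crashes);
    printf("speculative oracle  : %llu guesses, %llu crashes, PAC 0x%04llx recovered\n",
           (unsigned long long)pacman.guesses, (unsigned long long)pacman.crashes,
           (unsigned long long)pacman.pac);
    return 0;
}
```

The point of the two brute-force runs is the `crashes` counter: with the architectural check, every wrong guess is a fault the defender can see and the first one normally kills the process, whereas with a speculative oracle the same search finishes in at most 2^16 silent queries. The real PAC width depends on the address layout and whether tagging is enabled, and the real oracle is a cache side channel rather than a boolean, but the arithmetic of the search is the same.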
“The idea behind pointer authentication is that if all else has failed, you still can rely on it to prevent attackers from gaining control of your system. We’ve shown that pointer authentication as a last line of defense isn’t as absolute as we once thought it was,” said MIT CSAIL Ph.D. student Joseph Ravichandran, a co-lead author of a new paper about PACMAN.
“When pointer authentication was introduced, a whole category of bugs suddenly became a lot harder to use for attacks. With PACMAN making these bugs more serious, the overall attack surface could be a lot larger.”
So, how dangerous is the Apple M1 chip vulnerability? According to the MIT researchers, there is no reason to panic now: PACMAN does not bypass all security on the M1 chip. It removes one mitigation, so an attacker still needs an existing memory-corruption bug in the target software to turn it into a working exploit.
By demonstrating PACMAN against PAC, the research team showed that the technique has broad implications for future security work on all Arm systems that enable pointer authentication, not only Apple’s.
“Future CPU designers should take care to consider this attack when building the secure systems of tomorrow. Developers should take care to not solely rely on pointer authentication to protect their software,” added Ravichandran.
The MIT researchers have disclosed their findings to Apple.
“We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques. Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own,” an Apple spokesperson told TechCrunch in a statement.
The researchers will be presenting their paper titled “PACMAN: Attacking Arm Pointer Authentication with Speculative Execution” at the International Symposium on Computer Architecture on June 18th.