New 'PacMan' flaw in Apple Silicon is an echo of Spectre and Meltdown
Researchers at MIT have discovered an unfixable vulnerability in Apple Silicon that could allow attackers to bypass a chip's "last line of defense" -- but most Mac users shouldn't be worried.
Apple M1 Chip
More specifically, the team at MIT's Computer Science & Artificial Intelligence Laboratory found that Apple's implementation of pointer authentication in the M1 system-on-chip can be overcome with a specific hardware attack they've dubbed "PACMAN."
Pointer authentication is a security mechanism in Apple Silicon that makes it more difficult for attackers to modify pointers in memory. By checking for unexpected changes in pointers, the mechanism can help defend a CPU if attackers gain memory access.
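To make the mechanism concrete, here is a toy model of pointer authentication added as an illustration; it is not Apple's or ARM's implementation (real PAC derives the code with a hardware-held key and the QARMA cipher, and the number of PAC bits depends on the virtual-address layout). The 48-bit address space, 16-bit code width and the non-cryptographic keyed mixer used here are all assumptions made for the example. It shows the two operations the article refers to: signing a pointer by storing a short authentication code in its unused upper bits, and checking that code before the pointer is used, so that a pointer modified in memory (or re-used with the wrong context) fails the check.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for this toy model: 48 address bits, 16-bit PAC in the top bits. */
#define VA_BITS   48
#define PAC_BITS  16
#define PAC_SHIFT VA_BITS
#define PAC_MASK  (((uint64_t)1 << PAC_BITS) - 1)
#define ADDR_MASK (((uint64_t)1 << VA_BITS) - 1)

/* Stand-in for the hardware MAC: a splitmix64-style finalizer keyed by XOR.
 * Deterministic and well-mixed, but NOT cryptographic; labelled as an assumption. */
static uint64_t mix64(uint64_t x) {
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

/* The PAC is a keyed function of the address bits and a context value
 * (on real hardware typically the stack pointer or a type discriminator). */
static uint16_t compute_pac(uint64_t key, uint64_t addr, uint64_t ctx) {
    return (uint16_t)(mix64(key ^ mix64(addr ^ mix64(ctx))) & PAC_MASK);
}

/* Sign: place the code in the otherwise-unused upper bits of the pointer. */
uint64_t pac_sign(uint64_t key, uint64_t ptr, uint64_t ctx) {
    uint64_t addr = ptr & ADDR_MASK;
    return addr | ((uint64_t)compute_pac(key, addr, ctx) << PAC_SHIFT);
}

/* Authenticate: recompute the code and compare. Returns 1 and the stripped
 * pointer on success, 0 on failure (hardware would instead yield an invalid
 * pointer that faults when dereferenced, which is what makes a wrong guess
 * observable in the normal, non-speculative case). */
int pac_auth(uint64_t key, uint64_t signed_ptr, uint64_t ctx, uint64_t *out) {
    uint64_t addr = signed_ptr & ADDR_MASK;
    uint16_t pac  = (uint16_t)((signed_ptr >> PAC_SHIFT) & PAC_MASK);
    if (pac != compute_pac(key, addr, ctx))
        return 0;
    *out = addr;
    return 1;
}

/* Size of the space an attacker would have to search if failed checks could be
 * tested without crashing the process: only 2^PAC_BITS, which is why the
 * researchers advise not relying on PAC alone. */
uint64_t pac_guess_space(void) {
    return (uint64_t)1 << PAC_BITS;
}

int main(void) {
    /* Constructed sample values: a secret key, a code address and a context. */
    const uint64_t key = 0x1badb002deadbeefULL;
    const uint64_t fn  = 0x0000000100003f40ULL;
    const uint64_t ctx = 0x000000016fdff000ULL;
    uint64_t out = 0;

    uint64_t signed_fn = pac_sign(key, fn, ctx);
    printf("signed pointer: 0x%016llx\n", (unsigned long long)signed_fn);
    printf("valid pointer authenticates: %d\n", pac_auth(key, signed_fn, ctx, &out));

    /* Flip one address bit as an in-memory corruption would; the code no longer matches. */
    uint64_t tampered = signed_fn ^ 0x10;
    printf("tampered pointer authenticates: %d\n", pac_auth(key, tampered, ctx, &out));

    /* Same signed pointer checked under a different context also fails. */
    printf("wrong-context authenticates: %d\n", pac_auth(key, signed_fn, ctx + 16, &out));
    printf("PAC guess space: %llu\n", (unsigned long long)pac_guess_space());
    return 0;
}
```

The point the model makes is the one in the article: the code is short because it has to fit in the spare bits of a pointer, so its protection rests on every failed check being loud (a fault). A mechanism that lets a wrong code be tested silently, such as the speculative-execution side channel PACMAN uses, turns the check into a small search problem, which is why pointer authentication should sit behind other mitigations rather than replace them.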
"The idea behind pointer authentication is that if all else has failed, you still can rely on it to prevent attackers from gaining control of your system," said Joseph Ravichandran, one of the paper's co-authors.
Apple's M1 chip was the first commercially available processor to feature ARM-based pointer authentication. However, the MIT team has discovered a method leveraging speculative execution techniques to bypass pointer authentication.
The flaw comes into play when an attacker successfully guesses the value of a pointer authentication code and disables it. The researchers found that they could use a side-channel attack to brute-force the code.
PACMAN echoes similar speculative execution attacks like Spectre and Meltdown, which also leveraged microarchitectural side channels. Because it's a flaw in the hardware, it can't be fixed with a software patch.
The PACMAN vulnerability itself can't bypass the security mechanisms on a Mac. Instead, the flaw could make other exploits or attacks more serious and expand the overall attack surface.
Who's at risk and how to protect yourself
The researchers note that no attacks currently leverage the PACMAN flaw and it isn't a "magic bypass for all security on the M1 chip." Instead, it can only take an existing bug that pointer authentication protects against and "unleash" its true potential.
The flaw affects all kinds of ARM-based chips -- not just Apple's. The vulnerability is more of a technological demonstration of a wider issue with pointer authentication in ARM chips, rather than an issue that could lead to your Mac getting hacked.
"Future CPU designers should take care to consider this attack when building the secure systems of tomorrow," said Ravichandran. "Developers should take care to not solely rely on pointer authentication to protect their software."
Comments
But right above this line it says that the M1 is the first commercially available ARM based chip that offers the feature the flaw was found in. In the last year have other ARM chips become commercially available with this pointer protection feature?
Also, chips without the feature don't have the protection in the first place, so it stands to reason that all other ARM chips are by default equivalent to having this exploit by default exploited.
As far as ARM chips that don't support pointer authentication are concerned, they are no more or less vulnerable to pointer related exploits as they were prior to the PACMAN discovery, but they are not exploitable by the PACMAN mechanism. There is a big difference. Any kind of pointer related exploit always runs the risk of being sussed out or revealed by virtue of it causing the attacked program to crash. The PACMAN attack takes advantage of two vulnerabilities to allow the attacker to use brute force techniques to discover the protected pointer (the secret) value without crashing the program. Normally, you would expect any authentication protocol to catch anyone trying to guess the secret, as Apple does with device logins, so coming up with a way to neuter that added layer of protection is a big deal.
The attacker has to set up a lot of non-trivial scaffolding to implement a PACMAN attack, but this team at MIT has demonstrated that it is possible.
"More than that, actually carrying out the PACMAN attack requires physical access to a device, meaning the average Mac user isn't going to be at risk of exploit."
https://pacmanattack.com
https://pacmanattack.com/paper.pdf
"Does this attack require physical access?"
This is to circumvent a protection used to stop other attacks. So they have to get native code with memory access onto the device, use this attack successfully to bypass the protection, then run a different attack to do some damage. Getting native code onto a device in the first place would allow someone to do all kinds of damage anyway.
Security researchers get all excited about this stuff because they are stuck in a room all day testing these things but the results are mainly of interest to other security people. Apple commented on it with the following statement:
"Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own."