Researchers have found a vulnerability in Apple’s M1 processor that can be used to bypass a protection against external attacks. However, the attack, dubbed Pacman by its discoverers, requires a bug in the software before it can be exploited.
Pacman basically affects all ARM processors with the Pointer Authentication Codes (PAC) security feature. Apple’s M1 is the most widespread CPU with this feature; Qualcomm is introducing it with the Snapdragon 8cx Gen 3 notebook processor. Apple itself classifies the discovery as a proof of concept. According to a statement, there is no immediate danger for users.
According to the researchers at the MIT Computer Science and Artificial Intelligence Laboratory, attackers do not need direct access to the hardware: in the test case, the computer was attacked from another room. So far, however, they are not aware of this attack technique having been used before. The researchers were already in contact with Apple in 2021 to share their findings. Another processor vulnerability in the M1, called Augury, only became known at the beginning of May.
If successful, access to everything
The discovered attack circumvents the so-called Pointer Authentication Codes (PAC), a kind of protective layer intended to prevent software bugs from being exploited to escalate access rights from user space to kernel space. If successful, the kernel can be used to access any type of system data.
Since the Pacman attack targets the security function PAC, the discoverers chose Pac-Man for a logo.
This is how the attack works
A pointer is a value in a program that holds the address in RAM the CPU accesses. Pointer authentication was introduced to prevent attackers from misusing pointers for cross-program memory access: the system checks whether an access is permitted by comparing cryptographic signatures attached to the pointer. Pointer authentication codes are an additional protective measure against attacks that ARM introduced with architecture version ARMv8.3.
The researchers’ discovery shows that this protection is not very reliable. Using the M1’s speculative execution, they try all possible PAC values and thereby manage to overwrite the pointers. A side channel tells them whether a guess for a pointer is correct or not. This is how they eventually get into kernel space and run code.
The vulnerability is anchored in the hardware and can only be worked around in software. In any case, however, a software bug that enables memory corruption is required as a starting point before pointer authentication comes into play at all. Apple considers the security measures of the macOS operating system to be sufficient.
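To make the mechanism described above concrete, here is a toy model of pointer signing and authentication, added as an example for this article and not taken from Apple, ARM or the researchers. The 48-bit address width, the 16-bit PAC field, the key values and the mixing function are constructed assumptions; where pac_auth returns false, real hardware raises a fault, which is exactly the crash that normally stops an attacker from guessing through the small PAC space.

```c
/* Toy model of ARM pointer authentication, constructed for this article.
 * Assumptions: 48-bit virtual addresses, a 16-bit PAC in bits 63:48, and a
 * simple keyed mixing function standing in for the real QARMA-based PAC. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#define VA_BITS 48
#define VA_MASK ((1ULL << VA_BITS) - 1)
/* Secret key; on real hardware it sits in system registers that user space
 * cannot read, so an attacker cannot compute a valid PAC directly. */
static const uint64_t pac_key[2] = { 0x243f6a8885a308d3ULL, 0x13198a2e03707344ULL };
/* Keyed mixing of (address, context); constructed, not cryptographically strong. */
static uint64_t keyed_mix(uint64_t addr, uint64_t context) {
    uint64_t x = addr ^ pac_key[0] ^ (context * 0x9e3779b97f4a7c15ULL);
    for (int i = 0; i < 4; i++) {
        x ^= x >> 29;
        x *= 0xbf58476d1ce4e5b9ULL ^ pac_key[1];
        x ^= x >> 32;
    }
    return x;
}
/* Number of distinct PAC values an attacker would have to guess. */
uint64_t pac_guess_space(void) { return 1ULL << (64 - VA_BITS); }
/* Sign: place the PAC in the unused upper bits (cf. PACIA/PACDA). The
 * context (e.g. the stack pointer) binds the signature to one use site. */
uint64_t pac_sign(uint64_t ptr, uint64_t context) {
    uint64_t pac = keyed_mix(ptr & VA_MASK, context) >> VA_BITS;
    return (ptr & VA_MASK) | (pac << VA_BITS);
}
/* Authenticate (cf. AUTIA/AUTDA): recompute and compare. On real hardware a
 * mismatch faults, which is what normally stops brute-force guessing. */
bool pac_auth(uint64_t signed_ptr, uint64_t context, uint64_t *out) {
    if (pac_sign(signed_ptr & VA_MASK, context) != signed_ptr) return false;
    *out = signed_ptr & VA_MASK;
    return true;
}
int main(void) {
    uint64_t ctx = 0x7ffee000ULL;                 /* constructed stack context */
    uint64_t ret = pac_sign(0x100003a40ULL, ctx); /* legitimate return address */
    uint64_t forged = 0x100004000ULL;             /* memory-corruption overwrite, no valid PAC */
    uint64_t out;
    printf("signed: %#llx auth=%d\n", (unsigned long long)ret, pac_auth(ret, ctx, &out));
    printf("forged: %#llx auth=%d\n", (unsigned long long)forged, pac_auth(forged, ctx, &out));
    printf("PAC values to guess without an oracle: %llu, each wrong guess a crash\n",
           (unsigned long long)pac_guess_space());
    return 0;
}
```

The model shows why the protection rests on two things at once: the attacker does not know the key, and every wrong guess normally terminates the process; the article's attack removes the second property by testing guesses speculatively.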