Apple's M1 chips have an "unpatchable" hardware vulnerability that could let attackers break through the chip's last line of security defenses, MIT researchers have found.
The issue lies in a hardware-level security mechanism used in Apple M1 chips called pointer authentication codes, or PAC. The feature makes it much harder for an attacker to inject malicious code into a device's memory, and it provides an extra layer of defense against buffer overflow exploits, a type of attack that forces memory to spill out to other locations on the chip.
Researchers at MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL), however, have created a novel hardware attack that combines memory corruption with speculative execution attacks to sidestep the security feature. The attack shows that pointer authentication can be defeated without leaving a trace, and because it relies on a hardware mechanism, no software patch can fix it.
The attack, dubbed "Pacman," works by "guessing" a pointer authentication code (PAC), a cryptographic signature that confirms an app hasn't been maliciously altered. It does so by using speculative execution, a technique modern processors use to speed up performance by speculatively guessing various lines of computation, to leak PAC verification results, while a hardware side channel reveals whether or not the guess was correct.
What's more, because there are only so many possible values for the PAC, the researchers found that it is feasible to try them all until the right one is found.
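The two points above, that a PAC is a small keyed value stored in the pointer and that a non-crashing pass/fail oracle makes exhausting that space practical, can be shown with a toy model. The code below is an added example, not code from the article or from the MIT paper, and it does not use the real ARM pointer authentication instructions or the QARMA cipher Apple's hardware uses. It assumes a hypothetical layout (48 address bits, 16-bit PAC in bits 48..63), a constructed keyed mixing function as a stand-in for the PAC cipher, and a function `pac_oracle` that stands in for the speculative side channel: it reports whether a candidate would authenticate without faulting. On a real CPU without such an oracle, every wrong guess poisons the pointer and crashes the victim, which is exactly why a PAC this small was still considered adequate.

```c
/*
 * Added example (not the article's or MIT's code): toy model of pointer
 * authentication and of PAC brute force given a non-faulting oracle.
 * Assumptions (hypothetical, not Apple's or ARM's real scheme):
 *   - 64-bit pointers, 48 address bits, 16-bit PAC stored in bits 48..63
 *   - toy_pac() is a constructed keyed mixing function, NOT QARMA
 *   - pac_oracle() models the speculative side channel: the attacker learns
 *     pass/fail for a candidate without the failing case ever faulting
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define PAC_BITS  16
#define PAC_SHIFT 48
#define PAC_MASK  (((uint64_t)1 << PAC_BITS) - 1)
#define PTR_MASK  (((uint64_t)1 << PAC_SHIFT) - 1)

/* Secret key held by "hardware"; the attacker never reads it directly. */
static const uint64_t pac_key = 0x9E3779B97F4A7C15ULL;

/* Constructed keyed hash of (pointer, modifier), truncated to PAC_BITS. */
static uint64_t toy_pac(uint64_t ptr, uint64_t modifier) {
    uint64_t x = (ptr & PTR_MASK) ^ modifier ^ pac_key;
    x ^= x >> 33; x *= 0xFF51AFD7ED558CCDULL;
    x ^= x >> 33; x *= 0xC4CEB9FE1A85EC53ULL;
    x ^= x >> 33;
    return x & PAC_MASK;
}

/* Sign (pacia-like): embed the PAC in the unused upper bits of the pointer. */
uint64_t pac_sign(uint64_t ptr, uint64_t modifier) {
    return (ptr & PTR_MASK) | (toy_pac(ptr, modifier) << PAC_SHIFT);
}

/* Authenticate (autia-like): returns the stripped pointer; *ok says whether
 * the stored PAC matched. On a real CPU a mismatch yields a poisoned pointer
 * that faults on use, i.e. the victim crashes. */
uint64_t pac_auth(uint64_t signed_ptr, uint64_t modifier, bool *ok) {
    uint64_t ptr = signed_ptr & PTR_MASK;
    *ok = ((signed_ptr >> PAC_SHIFT) & PAC_MASK) == toy_pac(ptr, modifier);
    return ptr;
}

/* Model of the Pacman oracle: pass/fail for a candidate, with no crash on
 * failure because the check only ever runs speculatively. */
bool pac_oracle(uint64_t candidate, uint64_t modifier) {
    bool ok;
    pac_auth(candidate, modifier, &ok);
    return ok;
}

/* Try every PAC value for a pointer the attacker wants to forge.
 * Writes the forged, valid signed pointer to *out (0 if none found) and
 * returns the number of oracle queries made: at most 2^PAC_BITS = 65536. */
uint64_t pac_bruteforce(uint64_t target_ptr, uint64_t modifier, uint64_t *out) {
    uint64_t guesses = 0;
    for (uint64_t pac = 0; pac <= PAC_MASK; pac++) {
        uint64_t candidate = (target_ptr & PTR_MASK) | (pac << PAC_SHIFT);
        guesses++;
        if (pac_oracle(candidate, modifier)) {
            *out = candidate;
            return guesses;
        }
    }
    *out = 0;
    return guesses;
}

int main(void) {
    uint64_t victim_fn = 0x0000ffff8000abc0ULL;  /* constructed target address */
    uint64_t modifier  = 0x42;                   /* e.g. a stack pointer or context value */
    uint64_t forged = 0;
    uint64_t n = pac_bruteforce(victim_fn, modifier, &forged);
    printf("forged 0x%016llx after %llu guesses; equals genuine signature: %s\n",
           (unsigned long long)forged, (unsigned long long)n,
           forged == pac_sign(victim_fn, modifier) ? "yes" : "no");
    return 0;
}
```

The design point is in `pac_bruteforce`: the loop bound is the size of the PAC field, not the key, so a 16-bit PAC costs at most 65,536 oracle queries no matter how strong the underlying cipher is. The only thing standing between an attacker and that loop on real hardware is that a wrong guess normally faults; a side channel that answers "would this authenticate?" without faulting removes that obstacle, which is what the Pacman paper demonstrates.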
In a proof of concept, the researchers showed that the attack even works against the kernel, the software core of a device's operating system, which "has massive implications for future security work on all ARM systems with pointer authentication enabled," says Joseph Ravichandran, a PhD student at MIT CSAIL and co-lead author of the research paper.
Apple has implemented pointer authentication on all of its custom ARM-based silicon so far, including the M1, M1 Pro and M1 Max, and a number of other chip makers, including Qualcomm and Samsung, have either announced or are expected to ship new processors that support the feature at the hardware level. MIT said it hasn't yet tested the attack on the still-unreleased M2 chip, which also supports pointer authentication.
The researchers, who presented their findings to Apple, noted that the Pacman attack isn't a "magic bypass" for all security on the M1 chip. It can only take an existing memory-corruption bug that pointer authentication would otherwise neutralize and make that bug exploitable again.
When contacted prior to publication, Apple declined to comment. After publication, Apple spokesperson Scott Radcliffe said: "We want to thank the researchers for their work, because this proof of concept improves knowledge of the methods. Based on our research, along with the information provided by the researchers, we've concluded that this issue doesn't present an immediate risk for our users and does not have enough power to override operating system security safeguards by itself."
In May of last year, a security researcher found an unfixable bug in Apple's M1 chip that creates a covert channel which two or more already-installed malicious apps could use to pass information to each other. The bug was ultimately deemed "harmless," since malware can't use it to steal or tamper with data stored on a Mac.