MIT researchers have discovered a vulnerability in Apple’s M1 chips that cannot be patched in software, because it exploits the behaviour of the hardware itself.
This is a serious issue, since it lets attackers break through what is meant to be the chip’s last line of security defence.
What Is PAC?
The attack targets a hardware-level security mechanism called pointer authentication codes, or PAC.
PAC makes it much harder for an attacker who has found a memory corruption bug to turn it into control of a program: sensitive pointers such as return addresses and function pointers are signed, and a pointer that has been tampered with fails verification before it is used.
That is why it guards against buffer overflow exploits, in which a program writes past the end of a buffer and overwrites adjacent memory such as those pointers, and why it is described as the last line of defence: it only comes into play once an attacker already has a memory corruption bug to work with.
Using Attack To Detect Vulnerability
The researchers created a novel hardware attack called PACMAN that combines memory corruption with speculative execution to guess the value of a PAC without crashing the system.
A PAC is a cryptographic signature stored in the otherwise unused high bits of a pointer; it confirms that the pointer has not been maliciously altered.
There are only so many possible values of a PAC, and with a side channel that reveals whether a guess is correct or false, one can try them all until the right one turns up.
Because each guess is checked only on a speculative path, a wrong guess does not trigger the crash that would normally expose the attempt, so pointer authentication can be defeated without leaving a trace.
Since the leak comes from the hardware itself, it cannot be removed by a software patch and could remain unfixed in existing chips.
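The following C program is an added model of the mechanism described above; it is not Apple’s hardware, nor the MIT researchers’ code. It assumes 48-bit virtual addresses with a 16-bit PAC in the top bits, replaces the real PAC cipher with a small keyed mixing function (the `toy_pac` helper), and reduces PACMAN’s speculative side channel to a `pacman_oracle` function that reports whether a candidate pointer verifies without ever faulting. All addresses, the modifier and the key are constructed sample values. It shows why a corrupted pointer fails verification, how many guesses the attacker needs at most, and how the recovered PAC yields a forged pointer that passes the check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of pointer authentication and of the PACMAN guessing loop.
 * Added illustration only: not Apple's hardware, not the MIT researchers' code.
 * Assumptions: 48-bit virtual addresses, a 16-bit PAC in bits 63:48, a toy
 * keyed mixing function in place of the real cipher, and a per-process key
 * that the attacker cannot read. */

#define VA_BITS   48
#define PAC_BITS  16
#define VA_MASK   ((1ULL << VA_BITS) - 1)
#define PAC_SPACE (1ULL << PAC_BITS)          /* 65536 candidate PAC values */

/* Secret signing key (hypothetical value). Held by the hardware/kernel; the
 * attacker code below never reads it, it only observes the oracle. */
static const uint64_t g_pac_key = 0x4D49545F50414321ULL;

/* Stand-in for the real PAC cipher: mixes address, modifier and key and
 * truncates to PAC_BITS. Only its keyed, deterministic, truncated shape matters. */
static uint16_t toy_pac(uint64_t addr, uint64_t modifier, uint64_t key)
{
    uint64_t x = addr ^ (modifier * 0x9E3779B97F4A7C15ULL) ^ key;
    for (int i = 0; i < 4; i++) {
        x ^= x >> 29;
        x *= 0xBF58476D1CE4E5B9ULL;
        x ^= x >> 32;
    }
    return (uint16_t)(x & (PAC_SPACE - 1));
}

/* Models a PAC* instruction: sign a pointer under a modifier (for return
 * addresses the modifier is the stack pointer). The tag lands in the unused high bits. */
uint64_t pac_sign(uint64_t addr, uint64_t modifier)
{
    addr &= VA_MASK;
    return addr | ((uint64_t)toy_pac(addr, modifier, g_pac_key) << VA_BITS);
}

/* Models an AUT* instruction: check the tag. On success the clean address is
 * returned; on failure the pointer is poisoned (made non-canonical) so that a
 * later dereference faults instead of being silently used. */
bool pac_auth(uint64_t ptr, uint64_t modifier, uint64_t *addr_out)
{
    uint64_t addr = ptr & VA_MASK;
    uint16_t tag  = (uint16_t)(ptr >> VA_BITS);
    if (toy_pac(addr, modifier, g_pac_key) == tag) {
        *addr_out = addr;
        return true;
    }
    *addr_out = addr | (1ULL << 63);   /* poisoned: a crash when used architecturally */
    return false;
}

/* The PACMAN oracle. In the real attack the candidate is authenticated and used
 * only on a mis-speculated path and the outcome is read back through cache
 * timing, so a wrong guess never raises the fault modelled above. Here that is
 * reduced to "does it verify?" with no side effects. */
bool pacman_oracle(uint64_t candidate, uint64_t modifier)
{
    uint64_t scratch;
    return pac_auth(candidate, modifier, &scratch);
}

/* Attacker loop: brute-force the PAC for a pointer of the attacker's choosing
 * (e.g. the gadget a corrupted return address should point at). Returns the
 * forged, correctly signed pointer and reports the number of guesses used. */
uint64_t pacman_forge(uint64_t target_addr, uint64_t modifier, unsigned long *attempts)
{
    target_addr &= VA_MASK;
    *attempts = 0;
    for (uint64_t guess = 0; guess < PAC_SPACE; guess++) {
        uint64_t candidate = target_addr | (guess << VA_BITS);
        (*attempts)++;
        if (pacman_oracle(candidate, modifier))
            return candidate;       /* this pointer will now pass pac_auth */
    }
    return 0;   /* unreachable for a deterministic PAC: one guess always matches */
}

int main(void)
{
    const uint64_t retaddr  = 0x00007FFF12345678ULL;  /* constructed sample address */
    const uint64_t gadget   = 0x00007FFF00ABCD00ULL;  /* constructed attacker target */
    const uint64_t modifier = 0x0000FFFF00001000ULL;  /* stands in for the stack pointer */
    uint64_t out, signed_ptr = pac_sign(retaddr, modifier);

    printf("signed return address : 0x%016llx\n", (unsigned long long)signed_ptr);
    printf("auth ok               : %d\n", pac_auth(signed_ptr, modifier, &out));
    /* Plain memory corruption: overwrite the address, keep the old tag. */
    printf("auth after overwrite  : %d\n",
           pac_auth((signed_ptr & ~VA_MASK) | gadget, modifier, &out));

    unsigned long n;
    uint64_t forged = pacman_forge(gadget, modifier, &n);
    printf("PACMAN forged pointer : 0x%016llx after %lu guesses (of %llu)\n",
           (unsigned long long)forged, n, (unsigned long long)PAC_SPACE);
    printf("forged pointer auths  : %d\n", pac_auth(forged, modifier, &out));
    return 0;
}
```

The point the model makes is the one in the text: the defence rests entirely on the attacker not being able to test guesses, because without an oracle every wrong guess is a crash (a kernel panic when the target is the kernel). Once `pacman_oracle` exists, the search is bounded by `PAC_SPACE` and the forged pointer is indistinguishable from a legitimately signed one.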
Joseph Ravichandran, a PhD student at MIT CSAIL explained, “The idea behind pointer authentication is that if all else has failed, you still can rely on it to prevent attackers from gaining control of your system.”
The researchers have shown that pointer authentication as a last line of defence isn’t as absolute as it was thought to be.
Work Against The Kernel
They also demonstrated that the attack works against the kernel, the software core of a device’s operating system, which would give an attacker access to the most sensitive parts of a system.
An attacker who gains control of the kernel can do whatever they’d like on a device.
Ravichandran says that this has “massive implications for future security work on all ARM systems with pointer authentication enabled.”
He advised that developers should not solely rely on pointer authentication to protect their software.
More Devices In Danger?
Apple has PAC enabled on all its M1 chips so far, including the M1, M1 Pro and M1 Max.
Other chip manufacturers, including Qualcomm and Samsung, are expected to introduce new chips that support PAC.
MIT said that it has not tested the exploit on Apple’s M2 chip, which also has PAC enabled.
The research paper states that if this exploit is not mitigated, it will affect the majority of mobile devices, and likely desktop devices as well, in the coming years.
The paper proposes three ways to prevent such an attack in the future.
One: modify the software so that PAC verification results are never acted on while the processor is still speculating.
Two: defend against PACMAN in the same way Spectre vulnerabilities are being mitigated.
(Spectre-based attacks trick a program into speculatively accessing arbitrary locations in its memory space and then infer the contents through a side channel such as cache timing.
This allows an attacker to read the content of the accessed memory, and thus potentially obtain sensitive data.)
Three: patch the memory corruption bugs themselves, so that this last line of defence is never needed.
The researchers presented their findings to Apple.
Apple spokesperson Scott Radcliffe said that the company appreciates the work and that it advances its understanding of these techniques.
Based on its own analysis and the data shared by MIT, Apple has concluded that the issue does not pose an immediate risk to its users and is “insufficient to bypass operating system security protections on its own.”