Pacman: the exploit that affects Apple’s M1 chips that cannot be patched at the hardware level

The Apple M1 chips are the first family of Apple silicon marking the company's transition to ARM-based cores, and they already ship in several models of its devices. One of their most important points, in addition to performance, is security. In its design, Apple created several layers of security, each one designed to protect the chip, and therefore the device, from an attacker who has already penetrated the previous ones. Its final layer is a security feature known as PAC (Pointer Authentication Codes), which should be the last line of defence on these chips. But according to Macworld it has already been compromised by a hardware vulnerability known as PACMAN.

This vulnerability is a hardware attack that bypasses Pointer Authentication (the aforementioned PAC) on the M1 chips. It relies on an existing software bug to make this jump, which can lead to arbitrary code execution on the affected computer.

To discover this attack, the security researchers who studied it, from MIT CSAIL, built on an existing concept from the Spectre vulnerability and on its application in x86 environments. The researchers carried out the attack remotely, albeit in a controlled environment, and demonstrated that it works as long as the attacker can run unprivileged code.

PACMAN acts on both hardware and software, and exploits the microarchitecture-level construction of the chip to execute arbitrary code. The exploit creates a function responsible for checking whether a particular pointer matches its authentication code; this check never halts the program when an incorrect guess is submitted.

The attack then brute-forces all possible values for the PAC using that function and attempts to speculatively load the pointer into the translation lookaside buffers (TLBs). These are filled with the minimal addresses needed to serve a particular TSB section. If any address in the TLB is evicted, the load most likely succeeded, and the bug can take its place with a falsely authenticated memory address.
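As an added illustration (not code from the article or from the PACMAN researchers), the following Python model shows how a PAC is attached to and checked on a pointer. It assumes a 48-bit virtual address with the PAC stored in the unused top bits, and substitutes HMAC-SHA256 for the hardware's block cipher; the point is that a forged pointer fails the check, and that the PAC field is only a few bits wide, which is why an oracle that never crashes on a wrong guess makes brute force feasible.

```python
import hashlib
import hmac

# Model assumptions: 48-bit virtual addresses, one top bit reserved (as ARM does
# for selecting the upper/lower address space), the remaining top bits hold the PAC.
VA_BITS = 48
PAC_BITS = 64 - VA_BITS - 1          # 15 bits in this model
PAC_SHIFT = VA_BITS
ADDR_MASK = (1 << VA_BITS) - 1
PAC_MASK = ((1 << PAC_BITS) - 1) << PAC_SHIFT


def compute_pac(key: bytes, addr: int, context: int) -> int:
    """Keyed MAC over (address, modifier), truncated to PAC_BITS.
    Real ARMv8.3 hardware uses the QARMA cipher; HMAC-SHA256 stands in here."""
    msg = addr.to_bytes(8, "little") + context.to_bytes(8, "little")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "little") & ((1 << PAC_BITS) - 1)


def sign_pointer(key: bytes, ptr: int, context: int) -> int:
    """Like the PACIA instruction: embed the PAC in the pointer's top bits.
    The context (modifier) is typically the stack pointer or a type discriminator."""
    addr = ptr & ADDR_MASK
    return addr | (compute_pac(key, addr, context) << PAC_SHIFT)


def authenticate_pointer(key: bytes, signed_ptr: int, context: int) -> int:
    """Like the AUTIA instruction: strip and verify the PAC, returning the raw address.
    Real hardware returns a deliberately invalid pointer that faults on use;
    this model raises instead."""
    addr = signed_ptr & ADDR_MASK
    if (signed_ptr & PAC_MASK) >> PAC_SHIFT != compute_pac(key, addr, context):
        raise ValueError("pointer authentication failed")
    return addr


def is_valid(key: bytes, signed_ptr: int, context: int) -> bool:
    """True if the signed pointer authenticates under this key and context."""
    try:
        authenticate_pointer(key, signed_ptr, context)
        return True
    except ValueError:
        return False


def blind_guess_space() -> int:
    """Number of PAC values an attacker must try in the worst case.
    With a crashing check each wrong guess kills the process; with a
    speculative oracle that never crashes, all of them can be tried."""
    return 1 << PAC_BITS
```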

Apple is aware of this issue, and the researchers who discovered it have been in contact with the company about it since 2021. Keeping your software up to date to avoid security issues is a must, since the memory corruption bugs the attack relies on are patchable. The hardware part of the exploit, however, cannot be patched: it stems from a problem that affects ARM processors using Pointer Authentication in general, not just the M1.

That is why Joseph Ravichandran, one of the authors of the study explaining how PACMAN operates, has underlined that «CPU designers of the future should take this attack into account when developing the secure systems of the future. Developers should be careful not to rely solely on pointer authentication to protect their software». PACMAN shows that pointer authentication is not completely foolproof, so developers should not rely on it alone.

However, since these types of exploits need both their software bug and their hardware bug to work, users have nothing to worry about: the software bug does have a patch, which stops PACMAN from working.
