MIT researchers discover ‘irreparable’ flaw in Apple M1 chips

Apple’s M1 chips have an “unpatchable” hardware vulnerability that could allow attackers to get past your last line of security defenses, MIT researchers have found.

The vulnerability lies in a hardware-level security mechanism used in Apple M1 chips called Pointer Authentication Codes, or PACs. This feature makes it much more difficult for an attacker to inject malicious code into a device’s memory and provides a level of defense against buffer overflow exploits, a type of attack that forces memory to spill to other locations on the chip.

Researchers at the MIT Computer Science and Artificial Intelligence Laboratory, however, have created a new hardware attack, which combines memory corruption and speculative execution attacks to bypass the security feature. The attack shows that pointer authentication can be bypassed without leaving a trace, and since it exploits a hardware mechanism, no software patch can fix it.

The attack, appropriately named “Pacman,” works by “guessing” a Pointer Authentication Code (PAC), a cryptographic signature that confirms that an application has not been maliciously altered. This is done using speculative execution, a technique modern processors use to speed up performance by computing ahead along several possible paths before knowing which one is needed, to perform the PAC check speculatively while a hardware side channel reveals whether the guess was correct. And since there are only a limited number of possible values for a PAC, the researchers found that it is possible to try them all to find the correct one.

In a proof of concept, the researchers showed that the attack even works against the kernel, the software core of a device’s operating system, which has “massive implications for future security work on all ARM systems with pointer authentication enabled,” says Joseph Ravichandran, a Ph.D. student at MIT CSAIL and co-senior author of the research paper.

“The idea behind pointer authentication is that if all else has failed, you can still rely on it to prevent attackers from gaining control of your system,” Ravichandran added. “We have shown that pointer authentication as a last line of defense is not as absolute as we once thought it was.”

Apple has implemented pointer authentication on all of its ARM-based custom processors so far, including the M1, M1 Pro, and M1 Max, and several other chipmakers, including Qualcomm and Samsung, have announced or are expected to ship new processors that support the hardware-level security feature. MIT said it has not yet tested the attack on Apple’s unreleased M2 chip, which also supports pointer authentication.

“If left unmitigated, our attack will affect most mobile devices and probably even desktop devices for years to come,” MIT said in the research paper.

The researchers, who presented their findings to Apple, noted that the Pacman attack is not a “magical bypass” for all security on the M1 chip: it only works by building on an existing bug that pointer authentication protects against. When contacted, Apple did not comment on the record.

In May of last year, a developer discovered an irreparable flaw in Apple’s M1 chip that creates a covert channel that two or more pre-installed malicious apps could use to transmit information to each other. But the bug was ultimately deemed “harmless” because malware can’t use it to steal or interfere with data on a Mac.
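To make the mechanism described above concrete, here is an added toy model of pointer authentication in Python. It is constructed for this page and is not code from MIT CSAIL, Apple, or the Pacman paper. It assumes a 48-bit virtual address with a 16-bit PAC stored in the unused upper bits, and it substitutes a truncated HMAC for the hardware's keyed cipher and per-process key registers (all of these are assumptions, not the M1's actual parameters). The model shows why a PAC is a useful last line of defense, namely that a pointer an attacker has overwritten, or one replayed under a different context, fails authentication, and also why the space an attacker would have to guess through is only `2**PAC_BITS` values, which is what makes the article's "try them all" observation possible.

```python
import hashlib
import hmac
from typing import Optional

# Toy model of ARM pointer authentication (constructed for illustration).
# Assumed widths; real hardware derives the PAC width from the address
# configuration, and uses a hardware cipher with keys in system registers.
VA_BITS = 48                         # assumed virtual address width
PAC_BITS = 16                        # assumed number of spare upper bits
PAC_SHIFT = VA_BITS
PAC_MASK = ((1 << PAC_BITS) - 1) << PAC_SHIFT


def compute_pac(key: bytes, pointer: int, modifier: int) -> int:
    """Derive a PAC_BITS-wide tag from the raw pointer and a 64-bit modifier.

    The modifier plays the role of the context (for example the stack
    pointer for a saved return address) so a signed pointer is only valid
    where it was created. HMAC-SHA256 stands in for the hardware cipher.
    """
    msg = pointer.to_bytes(8, "little") + modifier.to_bytes(8, "little")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "little") & ((1 << PAC_BITS) - 1)


def sign_pointer(key: bytes, pointer: int, modifier: int) -> int:
    """Model of a PAC sign instruction: fold the tag into the upper bits."""
    if pointer >= (1 << VA_BITS):
        raise ValueError("pointer does not fit in the assumed address width")
    return pointer | (compute_pac(key, pointer, modifier) << PAC_SHIFT)


def auth_pointer(key: bytes, signed: int, modifier: int) -> Optional[int]:
    """Model of a PAC authenticate instruction.

    Returns the stripped raw pointer when the tag matches, or None when it
    does not. Real hardware instead corrupts the pointer (or faults) so a
    forged address can never be used.
    """
    raw = signed & ~PAC_MASK
    expected = compute_pac(key, raw, modifier)
    got = (signed & PAC_MASK) >> PAC_SHIFT
    # Constant-time comparison, as a real check should not leak the tag.
    if not hmac.compare_digest(expected.to_bytes(2, "little"),
                               got.to_bytes(2, "little")):
        return None
    return raw


def pac_guess_space() -> int:
    """Number of distinct PAC values an attacker would have to distinguish."""
    return 1 << PAC_BITS


if __name__ == "__main__":
    key = b"\x01" * 16                      # constructed demo key
    ret_addr = 0x7FFF_DEAD_BEEF             # constructed return address
    frame = 0x1000                          # constructed stack-pointer modifier

    saved = sign_pointer(key, ret_addr, frame)
    print("genuine pointer authenticates:", auth_pointer(key, saved, frame) == ret_addr)

    # A memory-corruption bug overwrites the low bits but cannot fix the tag.
    corrupted = saved ^ 0x10
    print("overwritten pointer rejected:", auth_pointer(key, corrupted, frame) is None)

    # Replaying the signed pointer in another frame fails as well.
    print("replayed pointer rejected:", auth_pointer(key, saved, 0x2000) is None)
    print("PAC guess space:", pac_guess_space())
```

The guess space printed at the end is the crux of the article: a correct tag is needed before any corrupted pointer is usable, but with only `2**PAC_BITS` candidates a reliable oracle for "was this guess right" is enough to find it, and the paper's contribution is showing that a speculative-execution side channel can act as that oracle without the failed guesses ever faulting.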
