Another Attack on Apple’s M1—This Time, as PACMAN
Researchers at MIT have recently discovered a new hardware vulnerability in Apple’s M1 chip.
Apple’s in-house silicon has frequently been in the news over the past year, and not always for good reasons. Earlier this year, researchers discovered a hardware-level flaw in Apple’s M1 chip that was, thankfully, deemed mostly harmless.
Now, Apple’s M1 is in the news again, as a group of researchers based out of MIT have discovered another hardware vulnerability in the architecture. This time, the attack uses a microarchitectural side channel to test guesses of pointer authentication codes on a speculative path, so that wrong guesses never crash the victim and leave no trace.
MIT researchers found that using a hardware mechanism, pointer authentication can be bypassed without a trace. Image used courtesy of MIT
In this article, we’ll discuss pointer authentication, the new exploit from MIT, and what it may mean for Mac users.
What is Pointer Authentication?
Before discussing the new exploit on Apple’s M1, it's important to first understand pointer authentication and its role in Arm processors.
Pointer authentication is a security mechanism introduced by Arm in 2017, as part of the Armv8.3-A architecture, to ensure pointer integrity. The technique protects a pointer by computing a short keyed cryptographic signature, called a pointer authentication code (PAC), over the pointer value, a secret key, and a context value (a "modifier", such as the stack pointer for a return address), and storing it in the unused upper bits of the 64-bit pointer. Before a protected pointer is used, an authenticate instruction recomputes the PAC and compares it with the stored bits. If the two values match, the PAC bits are cleared and the resulting pointer can be used. Otherwise, the pointer is made invalid, so that the victim program crashes when it tries to use it.
Arm pointer authentication protects the stack. Image used courtesy of Ravichandran et al
In systems using pointer authentication, an attacker who wants to modify a pointer must also produce the correct PAC for the modified value. PACs are short enough to be brute-forced in principle, because they have to fit in the unused upper bits of a pointer, but each wrong guess crashes the program, so a brute-force search is nearly impossible to carry out undetected. Hence, this technique has been shown to significantly improve security in Arm-based systems, because it makes it much harder for an attacker to modify pointers without detection.
Thanks to this added level of security, pointer authentication is commonly used in processors from major companies such as Arm, Qualcomm, Samsung, and Apple, including its M1, M1 Pro, and M1 Max chips.
The PACMAN Attack
This week, researchers from MIT made headlines when they announced a new security vulnerability they discovered in the Apple M1 processor. The newly discovered attack, called PACMAN, combines an existing memory corruption vulnerability with microarchitectural side-channel leakage in order to bypass pointer authentication on kernel pointers and gain control of the M1 kernel.
If a speculatively guessed PAC is correct, the transmission operation (the speculative use of the authenticated pointer) accesses a valid address and leaves observable microarchitectural side effects. If the guess is wrong, the transmission step would raise an exception. Importantly, because these operations execute on a mispredicted speculative path, the exception is squashed and the program does not crash, as it would for an architectural (non-speculative) PAC failure.
Working process of the PACMAN PAC Oracle. Image used courtesy of Ravichandran et al
As described in the recently published paper, this attack leverages a PAC Oracle, a primitive that can tell whether a given PAC matches a specified pointer, and a PACMAN Gadget, a code sequence that authenticates a pointer and then speculatively uses it. The attack works by first priming a translation lookaside buffer (TLB): the attacker touches a minimal set of addresses chosen to fill the TLB set that the target address maps to. The attacker then runs the PACMAN Gadget with a PAC guess and probes the TLB, re-accessing the priming addresses and timing them (prime+probe) to see whether any of them was evicted. If one was, the gadget’s speculative load brought a new translation into the TLB, which only happens when the guessed PAC was correct; otherwise, the guess was wrong.
By merging a memory corruption attack with a hardware side-channel attack, the researchers were able to suppress the crashes that would normally expose a wrong guess, allowing them to brute-force the PAC without detection. Once the correct PAC for a pointer is recovered, that pointer can be forged, and the researchers showed that this allows kernel PACs to be forged from user space on the M1.
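The following C program is an added illustration of the two ideas above, the sign/authenticate flow from the pointer authentication section and the difference between an architectural PAC check and the PACMAN-style speculative oracle. It is not Apple’s, Arm’s, or the researchers’ code. It assumes a 16-bit PAC stored in bits 63:48 of a 64-bit pointer (the real width and position depend on the configured virtual address size), uses a toy keyed hash (mix64) in place of the hardware MAC, and models the side-channel read-out of the speculative oracle as direct access to the comparison result, since TLB prime+probe cannot be reproduced in portable C. The key, target pointer, and modifier are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>

/* Added model of Arm pointer authentication and of a PACMAN-style PAC
 * oracle; not Apple's, Arm's, or the PACMAN paper's code. Assumptions:
 * 16-bit PAC in bits [63:48] of a 64-bit pointer, and a toy keyed hash
 * (mix64) standing in for the hardware MAC (QARMA in Arm's reference). */

#define PAC_SHIFT  48
#define PAC_BITS   16
#define PAC_MASK   (((uint64_t)1 << PAC_BITS) - 1)
#define PTR_MASK   (((uint64_t)1 << PAC_SHIFT) - 1)
#define POISON_BIT ((uint64_t)1 << 63)   /* marks an authentication failure */

typedef struct { uint64_t k0, k1; } pac_key;

/* Toy 64-bit keyed mixing function; NOT a real MAC, illustration only. */
static uint64_t mix64(uint64_t x) {
    x ^= x >> 33; x *= 0xff51afd7ed558ccdULL;
    x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ULL;
    x ^= x >> 33;
    return x;
}

/* PAC = truncated keyed hash of (pointer, modifier). The modifier binds the
 * signature to a context, e.g. the stack pointer for a return address. */
static uint16_t compute_pac(const pac_key *k, uint64_t raw_ptr, uint64_t modifier) {
    uint64_t h = mix64((raw_ptr & PTR_MASK) ^ k->k0);
    h = mix64(h ^ modifier ^ k->k1);
    return (uint16_t)(h & PAC_MASK);
}

/* Model of a PAC* (sign) instruction: store the PAC in the unused top bits. */
uint64_t pac_sign(const pac_key *k, uint64_t ptr, uint64_t modifier) {
    uint64_t raw = ptr & PTR_MASK;
    return raw | ((uint64_t)compute_pac(k, raw, modifier) << PAC_SHIFT);
}

/* Model of an AUT* (authenticate) instruction: recompute, compare, strip.
 * On mismatch the hardware makes the pointer invalid so the next dereference
 * faults; modeled here by setting POISON_BIT and reporting *ok = 0. */
uint64_t pac_auth(const pac_key *k, uint64_t signed_ptr, uint64_t modifier, int *ok) {
    uint64_t raw = signed_ptr & PTR_MASK;
    uint16_t stored = (uint16_t)((signed_ptr >> PAC_SHIFT) & PAC_MASK);
    *ok = (stored == compute_pac(k, raw, modifier));
    return *ok ? raw : (raw | POISON_BIT);
}

/* An oracle answers "does this candidate carry the right PAC?" and reports
 * whether asking the question crashed the victim. */
typedef int (*pac_oracle)(const pac_key *k, uint64_t candidate, uint64_t modifier, int *crashed);

/* Oracle 1: architectural AUT followed by a real use of the pointer. A wrong
 * guess poisons the pointer, the dereference faults, the victim crashes. */
int oracle_architectural(const pac_key *k, uint64_t cand, uint64_t mod, int *crashed) {
    int ok;
    pac_auth(k, cand, mod, &ok);
    if (!ok) *crashed = 1;
    return ok;
}

/* Oracle 2: model of the PACMAN oracle. AUT and the dependent load run on a
 * mispredicted path, so a wrong guess's fault is squashed; the attacker reads
 * the outcome through TLB prime+probe. That side channel is not reproducible
 * here, so its read-out is modeled as direct access to the comparison. */
int oracle_speculative(const pac_key *k, uint64_t cand, uint64_t mod, int *crashed) {
    int ok;
    pac_auth(k, cand, mod, &ok);
    (void)crashed;            /* nothing retires, so nothing faults */
    return ok;
}

typedef struct {
    uint64_t forged;   /* correctly signed pointer, if found */
    unsigned guesses;  /* PAC values tried */
    int crashed;       /* victim faulted before the search finished */
} brute_result;

/* Try every PAC value for raw_ptr until the oracle says yes or the victim dies. */
brute_result brute_force_pac(const pac_key *k, uint64_t raw_ptr, uint64_t modifier, pac_oracle oracle) {
    brute_result r = {0, 0, 0};
    for (uint64_t g = 0; g <= PAC_MASK && !r.crashed; g++) {
        uint64_t cand = (raw_ptr & PTR_MASK) | (g << PAC_SHIFT);
        r.guesses++;
        if (oracle(k, cand, modifier, &r.crashed)) { r.forged = cand; break; }
    }
    return r;
}

int main(void) {
    pac_key k = {0x0123456789abcdefULL, 0xfedcba9876543210ULL}; /* constructed key */
    uint64_t target = 0x00007ffe1234abc0ULL;                     /* constructed pointer */
    uint64_t modifier = 0x42;                                    /* constructed context */

    brute_result arch = brute_force_pac(&k, target, modifier, oracle_architectural);
    brute_result spec = brute_force_pac(&k, target, modifier, oracle_speculative);
    printf("architectural: %u guess(es), crashed=%d\n", arch.guesses, arch.crashed);
    printf("PACMAN model:  %u guess(es), crashed=%d, forged=0x%016llx (signed=0x%016llx)\n",
           spec.guesses, spec.crashed, (unsigned long long)spec.forged,
           (unsigned long long)pac_sign(&k, target, modifier));
    return 0;
}
```

Compile with any C99 compiler and run: the architectural search stops at its first guess, because the only way to learn that a guess is wrong is to crash the victim, whereas the speculative oracle walks through at most 2^16 candidates with no crash and ends up holding the same signed pointer that pac_sign produces. The real attack replaces the direct comparison in oracle_speculative with the TLB prime+probe measurement described above.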
No Imminent Threat to Mac Users
The fortunate news is that, so far, there is no immediate threat to Mac users, according to the MIT team. PACMAN is not a stand-alone exploit: it needs an existing memory corruption bug to build on, and what it removes is the pointer authentication check that such a bug would otherwise run into. The researchers say they reported their findings to Apple in 2021, well before the information became public knowledge.
However, if not addressed, the implications of this attack could be significant: many of the world’s most popular Arm processors use pointer authentication and could be susceptible to the same class of attack. The researchers advised that CPU designers consider this attack when building secure systems moving forward.