MIT researchers have uncovered an “unpatchable” hardware vulnerability in Apple’s M1 chips that might allow attackers to break through the company’s final line of protection.
Apple M1 processors have a security flaw in their pointer authentication code (PAC) mechanism. Pointer authentication makes it considerably harder for an attacker to inject malicious code into a device’s memory and provides some protection against buffer overflow vulnerabilities, a class of attack in which data written past the end of a buffer spills into and corrupts neighbouring memory.
Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory, however, have developed a novel hardware attack that combines memory corruption with speculative execution to circumvent the protection. Because the flaw lies in the hardware, no software patch can remedy it, and the exploit shows that pointer authentication can be bypassed without leaving a trace.
PACMAN, as the attack is called, relies on guessing the pointer authentication code (PAC), the signature that certifies an app’s code has not been maliciously altered. The result of each PAC check is leaked via speculative execution, a technique modern processors use to speed up performance by running instructions ahead of time on a guessed path, and a hardware side channel reveals whether or not the guess was right.
Even more importantly, researchers found that they could try every value for the PAC because there are only a limited number of possibilities.
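The mechanism the article is describing (a short authentication code stored in the otherwise unused upper bits of a pointer, checked before the pointer is used, with only a limited number of possible values) can be made concrete with a small model. The following is an added example written for this page, not code from the MIT researchers, from ARM or from Apple: the keyed mixing function stands in for the real cipher, and the address layout, key, and sample pointer values are all constructed assumptions. It shows what a defender gets from pointer authentication (a corrupted pointer is rejected at the check rather than being followed) and why the size of the PAC field matters.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of ARM pointer authentication, constructed for illustration.
 * This is NOT Apple's or ARM's implementation: real hardware uses a dedicated
 * tweakable block cipher and key registers; here a small keyed mixing function
 * stands in for it. The layout assumptions (48-bit virtual addresses, 16 spare
 * upper bits holding the PAC) are also illustrative.
 */

#define VA_BITS       48u
#define PAC_BITS      16u
#define ADDR_MASK     ((1ull << VA_BITS) - 1)
#define AUTH_FAIL_BIT (1ull << 62)   /* set on failed authentication so any use faults */

typedef struct { uint64_t k0, k1; } pac_key_t;

/* Keyed mixing function (splitmix64-style finalizer) standing in for the real MAC. */
static uint64_t toy_mac(uint64_t addr, uint64_t ctx, pac_key_t key) {
    uint64_t x = addr ^ (ctx * 0x9E3779B97F4A7C15ull) ^ key.k0;
    x ^= x >> 30; x *= 0xBF58476D1CE4E5B9ull;
    x ^= x >> 27; x *= 0x94D049BB133111EBull;
    x ^= x >> 31;
    return x ^ key.k1;
}

/* PACIA-like: compute the MAC over (address, context), truncate it to
 * PAC_BITS and store it in the otherwise unused upper bits of the pointer. */
uint64_t pac_sign(uint64_t ptr, uint64_t ctx, pac_key_t key) {
    uint64_t addr = ptr & ADDR_MASK;
    uint64_t pac  = toy_mac(addr, ctx, key) & ((1ull << PAC_BITS) - 1);
    return addr | (pac << VA_BITS);
}

/* AUTIA-like: recompute the PAC and compare. On success return the plain
 * address; on failure return a deliberately invalid pointer. */
uint64_t pac_auth(uint64_t signed_ptr, uint64_t ctx, pac_key_t key) {
    uint64_t addr = signed_ptr & ADDR_MASK;
    if (pac_sign(addr, ctx, key) == signed_ptr)
        return addr;
    return addr | AUTH_FAIL_BIT;
}

bool pac_is_valid(uint64_t signed_ptr, uint64_t ctx, pac_key_t key) {
    return (pac_auth(signed_ptr, ctx, key) & AUTH_FAIL_BIT) == 0;
}

/* Number of distinct PAC values: the "limited number of possibilities". */
uint64_t pac_space(void) { return 1ull << PAC_BITS; }

/* Model a memory-corruption bug that overwrites the low byte of a saved,
 * signed pointer with each of the 256 possible values while leaving the PAC
 * untouched. Returns how many of the 255 altered pointers are rejected; the
 * expected number slipping through by chance is about 255 / 2^PAC_BITS. */
unsigned count_rejected_overwrites(uint64_t ptr, uint64_t ctx, pac_key_t key) {
    uint64_t signed_ptr = pac_sign(ptr, ctx, key);
    unsigned rejected = 0;
    for (unsigned b = 0; b < 256; b++) {
        uint64_t corrupted = (signed_ptr & ~0xFFull) | b;
        if (corrupted == signed_ptr) continue;   /* unchanged pointer is not a tamper */
        if (!pac_is_valid(corrupted, ctx, key)) rejected++;
    }
    return rejected;
}

int main(void) {
    pac_key_t key = { 0x0123456789ABCDEFull, 0xFEDCBA9876543210ull }; /* constructed key */
    uint64_t ret_addr = 0x0000000100004F20ull;  /* constructed sample return address */
    uint64_t sp = 0x000000016FDFF8A0ull;        /* constructed stack pointer used as context */

    uint64_t signed_ret = pac_sign(ret_addr, sp, key);
    printf("plain  %016llx\nsigned %016llx\n",
           (unsigned long long)ret_addr, (unsigned long long)signed_ret);
    printf("auth ok: %d\n", pac_is_valid(signed_ret, sp, key));
    printf("auth under a different context ok: %d\n", pac_is_valid(signed_ret, sp + 16, key));
    printf("rejected low-byte overwrites: %u / 255\n",
           count_rejected_overwrites(ret_addr, sp, key));
    printf("PAC space: %llu values\n", (unsigned long long)pac_space());
    return 0;
}
```

The point for defenders is in the last two lines of output: a pointer corrupted by an ordinary memory-safety bug fails the check and the program faults, which is the protection the article credits PAC with, but the field only holds 2^16 values in this layout, so the guarantee rests on every failed check being visible and costly rather than on the secrecy of the code alone. That is the property the speculative side channel described above undermines.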
The researchers demonstrated that the attack even works against the kernel, the software at the core of a device’s operating system. This has “massive implications for future security work on all ARM systems with pointer authentication enabled,” according to Joseph Ravichandran, a Ph.D. student at MIT CSAIL and co-lead author of the research paper.
When everything else fails, pointer authentication is relied on to keep intruders from taking control of a system, Ravichandran said. That last layer of defense has now been shown to be less reliable than previously assumed.
A number of other chip manufacturers, including Qualcomm and Samsung, have announced or are expected to ship new processors supporting the hardware-level security feature, and Apple has already implemented pointer authentication on all of its custom ARM-based silicon, including the M1, M1 Pro, and M1 Max. MIT said it has not yet tested the attack on Apple’s unannounced M2 processor, which also supports pointer authentication.
According to MIT’s research report, “If not neutralised, our assault will affect the majority of mobile devices, and potentially even desktop systems, in the next few years.”
The researchers, who presented their findings to Apple, acknowledged that this is not a “magic bypass” for the M1 chip; rather, it can only take advantage of an existing bug of the kind that pointer authentication is meant to protect against.
Apple declined to comment on the record when contacted prior to publication. Following the release of the study, Apple spokesperson Scott Radcliffe said: “We want to thank the researchers for their work as this proof of concept increases our understanding of these techniques. Based on our own investigation and the information provided by the researchers, we have concluded that this problem does not pose an imminent threat to our users and is inadequate to bypass operating system security defenses on its own.”
An unfixable weakness in Apple’s M1 chip was identified in May of last year by a developer, who used it to construct a hidden channel through which malicious programs could communicate with each other. That flaw, however, was declared “harmless,” since malware cannot exploit it to steal or tamper with data on a Mac.