The M1 marked the start of a new phase for Apple. But despite its success in performance and efficiency, the company's in-house processor is not flawless. MIT researchers have found a weakness that undermines one of the chip's security mechanisms, and worst of all, because the problem lies in the hardware itself, it cannot be fixed with a software patch.
The flaw involves a hardware-level security mechanism called PAC, short for pointer authentication codes. PAC attaches a cryptographic signature to pointers such as return addresses and function pointers and checks that signature before the pointer is used. That makes it much harder for an attacker to hijack a program's execution with a forged pointer, which is the usual goal of a buffer overflow attack (one that writes past the end of a buffer into the adjacent memory, where such pointers are stored).
In practice, however, there is a way around it. That is what scientists at MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) have shown. They created an attack called Pacman that "guesses" the pointer authentication code.
The technique relies on speculative execution, in which the processor runs instructions ahead of time before it knows whether they are actually needed. The researchers found that the result of a PAC check performed speculatively leaks through a microarchitectural side channel, which tells the attacker whether the guessed code was right or wrong. Because a wrong guess made only speculatively never crashes the program, the attacker can keep trying values until one passes, something that would otherwise be stopped by the first failed check.
Because Pacman exploits a hardware mechanism, the behaviour it takes advantage of cannot be removed with a software patch.
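To make the two ideas above concrete (how a PAC blocks a corrupted pointer, and why an oracle that answers "valid or not" without crashing defeats it), here is a small C model written for this article. It is not Apple's, ARM's or the MIT team's code. Real pointer authentication uses a per-process hardware key and the QARMA block cipher through the pacia/autia instructions, and the real Pacman oracle is a cache side channel observed during speculative execution; in this model a keyed mixing function stands in for the cipher, a plain function stands in for the side channel, and the key, addresses, 48-bit address space and 16-bit PAC width are all constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of ARMv8.3 pointer authentication, written for illustration.
 * Assumed layout: 48-bit virtual address, PAC in the top 16 bits.
 * The key below is a constructed demo value, not a real one. */
#define PAC_BITS  16
#define PAC_SHIFT (64 - PAC_BITS)
#define PTR_MASK  ((1ULL << PAC_SHIFT) - 1)

static const uint64_t PAC_KEY = 0x243F6A8885A308D3ULL;

/* Stand-in for the keyed MAC: mixes address, modifier and key.
 * (murmur3 64-bit finaliser, chosen for diffusion, not for security.) */
static uint16_t compute_pac(uint64_t ptr, uint64_t modifier) {
    uint64_t x = (ptr & PTR_MASK) ^ modifier ^ PAC_KEY;
    x ^= x >> 33; x *= 0xff51afd7ed558ccdULL;
    x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ULL;
    x ^= x >> 33;
    return (uint16_t)(x >> 48);
}

/* pacia-like: store the PAC of (ptr, modifier) in the unused top bits. */
uint64_t pac_sign(uint64_t ptr, uint64_t modifier) {
    return (ptr & PTR_MASK) | ((uint64_t)compute_pac(ptr, modifier) << PAC_SHIFT);
}

/* autia-like: return the plain pointer if the PAC matches, 0 otherwise.
 * On hardware a mismatch yields a pointer that faults when used (or an
 * immediate exception on cores with FEAT_FPAC), so each wrong guess
 * normally kills the process. That is what makes brute force impractical. */
uint64_t pac_auth(uint64_t signed_ptr, uint64_t modifier) {
    uint64_t stripped = signed_ptr & PTR_MASK;
    uint16_t stored   = (uint16_t)(signed_ptr >> PAC_SHIFT);
    return stored == compute_pac(stripped, modifier) ? stripped : 0;
}

/* Scenario 1: a stack overflow runs past a buffer and replaces the signed
 * return address with a raw address of the attacker's choosing.
 * Returns 1 if the PAC check rejects the overwritten pointer. */
int overwrite_is_caught(uint64_t attacker_target, uint64_t modifier) {
    struct { char buf[8]; uint64_t saved_ret; } frame;
    frame.saved_ret = pac_sign(0x100000abcULL, modifier);      /* legit, signed */
    uint64_t payload[2] = { 0x4141414141414141ULL, attacker_target };
    memcpy(&frame, payload, sizeof frame);                      /* the overflow */
    return pac_auth(frame.saved_ret, modifier) == 0;
}

/* Runs scenario 1 over n consecutive targets and counts rejections. */
int count_caught(uint64_t base, int n, uint64_t modifier) {
    int caught = 0;
    for (int i = 0; i < n; i++)
        caught += overwrite_is_caught(base + 16ULL * (uint64_t)i, modifier);
    return caught;
}

/* Scenario 2: the Pacman idea. Assume an oracle that reports whether a
 * candidate PAC is valid WITHOUT the process crashing. On M1 that oracle is
 * a cache side channel observed while the check runs speculatively; here it
 * is modelled by a plain function call. With it, a 16-bit PAC falls in at
 * most 2^16 queries. */
typedef int (*pac_oracle)(uint64_t candidate, uint64_t modifier);

static int model_oracle(uint64_t candidate, uint64_t modifier) {
    return pac_auth(candidate, modifier) != 0;
}

/* Returns the recovered PAC, or -1 if the oracle never answered yes. */
int64_t guess_pac(uint64_t target, uint64_t modifier, pac_oracle oracle) {
    for (uint32_t pac = 0; pac < (1u << PAC_BITS); pac++) {
        uint64_t candidate = (target & PTR_MASK) | ((uint64_t)pac << PAC_SHIFT);
        if (oracle(candidate, modifier))
            return (int64_t)pac;
    }
    return -1;
}

/* Recovers the PAC for target and checks that the forged pointer passes. */
int forgery_works(uint64_t target, uint64_t modifier) {
    int64_t pac = guess_pac(target, modifier, model_oracle);
    if (pac < 0) return 0;
    uint64_t forged = (target & PTR_MASK) | ((uint64_t)pac << PAC_SHIFT);
    return pac_auth(forged, modifier) == target;
}

int main(void) {
    uint64_t modifier = 0x7ffc0000ULL;   /* e.g. the stack pointer as context */
    uint64_t target   = 0x100000f00ULL;  /* constructed "gadget" address */
    printf("overwrites caught: %d of 1000\n", count_caught(target, 1000, modifier));
    printf("recovered PAC 0x%04llx, forgery authenticates: %d\n",
           (unsigned long long)guess_pac(target, modifier, model_oracle),
           forgery_works(target, modifier));
    return 0;
}
```

The point of the model is the contrast between the two scenarios: without the key, an overwritten pointer is rejected almost every time, but the moment the attacker has any way to test a guess without the failed check killing the process, sixteen bits of PAC are only 65,536 queries away. Pacman supplies exactly that test, which is why a larger PAC or a patched kernel cannot by itself close it.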
The researchers also demonstrated that the attack works against the kernel, the core of the operating system.
Joseph Ravichandran, a PhD student at the MIT lab and co-author of the study, explains that there are "huge implications for future security work on all ARM systems with pointer authentication enabled."
The researchers point out that Pacman does not fully compromise the security of the chip on its own. It only lets an attacker exploit an existing memory-corruption bug that pointer authentication would otherwise have blocked.
Even so, they warn that if the weakness is not mitigated, it could affect most mobile devices and even some desktops within a few years, as ARM processors with pointer authentication become widespread.
The MIT researchers shared their results with Apple. The company thanked them for the work and argued that the flaw is not so serious in practice.
Apple spokesman Scott Radcliffe gave TechCrunch the following statement:
"We want to thank the researchers for their collaboration. This proof of concept contributes to our understanding of this technique. Based on our analysis and the details shared by the researchers, we conclude that this problem does not pose an immediate risk to our users and is insufficient to circumvent the operating system's security protections on its own."