MIT researchers find ‘unfixable’ flaw in Apple M1 chips

Apple’s M1 chips have an “unpatchable” hardware vulnerability that could allow attackers to breach its last line of security defense, MIT researchers have found.

The vulnerability resides in a hardware-level security mechanism used in Apple M1 chips called Pointer Authentication Codes, or PACs. This feature makes it much more difficult for an attacker to inject malicious code into a device’s memory and provides a level of defense against buffer overflow exploits, a type of attack that forces memory to spill over into other locations on the chip.

Researchers at MIT’s Computer Science and Artificial Intelligence Laboratory, however, have created a new hardware attack, which combines memory corruption and speculative execution attacks to bypass the security feature. The attack shows that pointer authentication can be defeated without a trace, and since it uses a hardware mechanism, no software patch can fix it.

The attack, appropriately called “Pacman”, works by “guessing” a Pointer Authentication Code (PAC), a cryptographic signature that confirms that an application has not been maliciously modified. This is done using speculative execution – a technique used by modern computer processors to speed up performance by speculatively guessing various lines of computation – to leak the results of the PAC check, while a hardware side channel reveals whether the guess was correct or not.

Also, since there are only a limited number of possible values for a PAC, the researchers found that it was possible to try them all to find the right one.
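To make the mechanism described above concrete, here is a small Python model of pointer authentication. It is an added illustration, not code from the MIT paper or Apple’s implementation: it assumes a 48-bit virtual address with a 16-bit PAC stored in the pointer’s unused upper bits, and uses a truncated HMAC-SHA256 in place of the QARMA cipher the real hardware uses. The point it shows is the one the article makes: a signed pointer whose address or PAC has been altered fails authentication, and the number of possible PAC values is only 2 to the power of the PAC width, which is why the space is small enough to enumerate.

```python
"""Toy model of ARM pointer authentication (PAC) signing and checking.

Constructed example. Layout and key are assumptions for illustration only;
they are not Apple's actual configuration.
"""
import hashlib
import hmac

# Assumed pointer layout: low 48 bits carry the address, the next 16 carry the PAC.
VA_BITS = 48
PAC_BITS = 16
PAC_SHIFT = VA_BITS
ADDR_MASK = (1 << VA_BITS) - 1
PAC_MASK = ((1 << PAC_BITS) - 1) << PAC_SHIFT

# Stands in for the per-process PAC key the hardware keeps in system registers.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def compute_pac(addr: int, context: int, key: bytes = DEMO_KEY) -> int:
    """Keyed MAC over (address, context), truncated to PAC_BITS.

    Real silicon uses a dedicated block cipher (QARMA); HMAC-SHA256 is only a
    stand-in so the example runs anywhere.
    """
    msg = addr.to_bytes(8, "little") + context.to_bytes(8, "little")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "little") & ((1 << PAC_BITS) - 1)


def sign_pointer(addr: int, context: int, key: bytes = DEMO_KEY) -> int:
    """Model of a PAC* instruction: embed the PAC in the unused upper bits."""
    if addr & ~ADDR_MASK:
        raise ValueError("pointer already carries upper bits; cannot sign")
    return addr | (compute_pac(addr, context, key) << PAC_SHIFT)


def authenticate_pointer(signed: int, context: int, key: bytes = DEMO_KEY):
    """Model of an AUT* instruction: recompute the PAC and compare.

    Returns the plain address on success and None on failure. Real hardware
    instead corrupts the pointer so that a later dereference faults, which is
    what makes a failed guess observable and is why the attack relies on
    speculative execution to test guesses without that fault becoming visible.
    """
    addr = signed & ADDR_MASK
    if (signed & PAC_MASK) >> PAC_SHIFT != compute_pac(addr, context, key):
        return None
    return addr


def pac_keyspace() -> int:
    """Number of distinct PAC values under the assumed width: 2**PAC_BITS."""
    return 1 << PAC_BITS


if __name__ == "__main__":
    # Constructed sample values: a return address and a context (e.g. a stack slot).
    return_addr = 0x7FFFDEADBE00
    ctx = 0x1234
    signed = sign_pointer(return_addr, ctx)
    print(f"signed pointer : {signed:#018x}")
    print(f"authenticates  : {authenticate_pointer(signed, ctx) == return_addr}")
    # An attacker who corrupts the pointer but cannot produce the matching PAC fails.
    tampered = signed ^ (1 << PAC_SHIFT)   # flip one PAC bit
    print(f"tampered auths : {authenticate_pointer(tampered, ctx)}")
    print(f"PAC candidates : {pac_keyspace()}")
```

Under these assumptions a forged pointer has a 1 in 65,536 chance of carrying the right PAC; that is the “limited number of possible values” the article refers to, and it is small enough that a side channel leaking one bit per guess suffices to recover it. Note that the model still requires an attacker to already control a pointer in memory, matching the article’s point that Pacman needs an existing bug to work from.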

In a proof-of-concept, the researchers demonstrated that the attack even works against the kernel – the software core of a device’s operating system – which has “massive implications for future security work on all ARM systems with pointer authentication enabled,” says Joseph Ravichandran, a PhD student at MIT CSAIL and co-lead author of the research paper.

“The idea behind pointer authentication is that if all else fails, you can still rely on it to prevent attackers from taking over your system,” Ravichandran added. “We have shown that pointer authentication as the last line of defense is not as absolute as we once thought.”

So far, Apple has implemented pointer authentication on all of its custom ARM silicon, including the M1, M1 Pro, and M1 Max, and a number of other chipmakers, including Qualcomm and Samsung, have announced or are expected to ship new processors supporting the hardware-level security feature. MIT said it has yet to test the attack on Apple’s unreleased M2 chip, which also supports pointer authentication.

“If not mitigated, our attack will affect the majority of mobile devices, and likely even desktop devices for years to come,” MIT said in the research paper.

The researchers – who presented their findings to Apple – noted that the Pacman attack is not a “magical workaround” for all security on the M1 chip, and can only take advantage of an existing bug that pointer authentication protects against.

When reached before publication, Apple would not comment on the findings. After publication, Apple spokesperson Scott Radcliffe said, “We would like to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques. Based on our analysis as well as the details shared with us by the researchers, we have concluded that this issue poses no immediate risk to our users and is insufficient to bypass the operating system’s security protections on its own.”

In May last year, a developer discovered an unfixable flaw in Apple’s M1 chip that created a covert channel that two or more previously installed malicious apps could use to send information to each other. But the bug was ultimately deemed “harmless” because malware can’t use it to steal or interfere with data on a Mac.
