MIT researchers have found that Apple’s M1 chip has an “unpatchable” hardware vulnerability that could allow attackers to bypass its last line of security defense.
The vulnerability lies in a hardware-level security mechanism used in Apple’s M1 chips called pointer authentication codes, or PACs. A PAC is a cryptographic signature of a pointer, stored in the unused upper bits of the pointer itself and checked by the CPU before the pointer is used. The feature makes it much harder for an attacker to inject malicious code into a device’s memory and provides a level of defense against buffer overflow exploits, in which data written past the end of a buffer overwrites other locations in memory.
However, researchers from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) have created a novel hardware attack that combines memory corruption with speculative execution to sidestep the security feature. The attack shows that pointer authentication can be defeated without leaving a trace, and because it exploits a hardware mechanism, no software patch can fix the underlying flaw.
The attack, dubbed “Pacman”, works by “guessing” a pointer authentication code (PAC), the cryptographic signature that confirms a pointer has not been maliciously altered. It does this using speculative execution, a technique processors use to speed up performance by executing instructions along a predicted path before knowing whether they are needed, to leak PAC verification results, while a hardware side channel reveals whether the guess was correct. Because the check happens only speculatively, a wrong guess does not trigger the crash that an architectural authentication failure would.
Furthermore, because there are only so many possible values for a PAC, the researchers found it was feasible to try all of them until the right one turned up.
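To make the two mechanisms concrete, the following is a small software model of pointer authentication and of the brute-force step described above. It is an added example written for this article, not the MIT team's code and not Apple's or ARM's implementation. Its assumptions: a 16-bit PAC placed in bits 48 to 63 of the pointer (on real hardware the width depends on the CPU's virtual address configuration), a splitmix64-based keyed mixing function standing in for the QARMA block cipher that real hardware uses, and a hypothetical `oracle_query` function that answers whether a candidate pointer would authenticate without the process crashing, which stands in for the speculative execution gadget and side channel the real attack relies on.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Software model of ARMv8.3-style pointer authentication (added example).
 * ASSUMPTION: 16-bit PAC in bits 48..63; real hardware derives the width
 * from the virtual address size. */
#define PAC_BITS  16
#define PAC_SHIFT 48
#define PAC_MASK  (((1ULL << PAC_BITS) - 1) << PAC_SHIFT)
#define PTR_MASK  (~PAC_MASK)

typedef struct { uint64_t k0, k1; } pac_key;   /* per-context secret key */

/* splitmix64 finalizer used as a stand-in for the QARMA cipher (ASSUMPTION). */
static uint64_t mix64(uint64_t x) {
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

/* PAC over the address bits, the key and a modifier (e.g. stack pointer or
 * type discriminator), returned already positioned in the upper bits. */
static uint64_t compute_pac(const pac_key *k, uint64_t ptr, uint64_t modifier) {
    uint64_t t = mix64((ptr & PTR_MASK) ^ k->k0);
    t = mix64(t ^ modifier ^ k->k1);
    return (t >> (64 - PAC_BITS)) << PAC_SHIFT;
}

/* Like PACIA: sign a pointer by writing the PAC into its unused upper bits. */
uint64_t pac_sign(const pac_key *k, uint64_t ptr, uint64_t modifier) {
    return (ptr & PTR_MASK) | compute_pac(k, ptr, modifier);
}

/* Like AUTIA: recompute the PAC and compare. On success the stripped pointer
 * is returned through *out; on failure real hardware poisons the pointer so
 * that dereferencing it faults, which is the crash the attack must avoid. */
bool pac_auth(const pac_key *k, uint64_t signed_ptr, uint64_t modifier, uint64_t *out) {
    if ((signed_ptr & PAC_MASK) != compute_pac(k, signed_ptr, modifier))
        return false;
    *out = signed_ptr & PTR_MASK;
    return true;
}

/* Attacker model: a memory-corruption bug lets the attacker overwrite a signed
 * pointer with a chosen value, and oracle_query (hypothetical) reports whether
 * that value would authenticate WITHOUT crashing the victim. In Pacman this
 * answer comes from running the check speculatively and observing a hardware
 * side channel; here it is modelled directly. */
typedef struct { const pac_key *k; uint64_t modifier; long queries; } oracle;

static bool oracle_query(oracle *o, uint64_t candidate) {
    uint64_t unused;
    o->queries++;
    return pac_auth(o->k, candidate, o->modifier, &unused);
}

/* Brute force: the PAC space is only 2^PAC_BITS values, so try them all for
 * an attacker-chosen target address and keep the one the oracle accepts. */
bool forge_pointer(oracle *o, uint64_t target_ptr, uint64_t *forged) {
    for (uint64_t g = 0; g < (1ULL << PAC_BITS); g++) {
        uint64_t candidate = (target_ptr & PTR_MASK) | (g << PAC_SHIFT);
        if (oracle_query(o, candidate)) { *forged = candidate; return true; }
    }
    return false;
}

int main(void) {
    pac_key k = { 0x0123456789abcdefULL, 0xfedcba9876543210ULL };  /* constructed key */
    uint64_t victim = 0x00007f0000001000ULL, out;                  /* constructed address */
    uint64_t s = pac_sign(&k, victim, 42);
    printf("signed   %016llx auth=%d\n", (unsigned long long)s, pac_auth(&k, s, 42, &out));
    printf("tampered %016llx auth=%d\n", (unsigned long long)(s ^ 0x10), pac_auth(&k, s ^ 0x10, 42, &out));

    oracle o = { &k, 42, 0 };
    uint64_t forged;
    if (forge_pointer(&o, 0x00007f0000002000ULL, &forged))
        printf("forged   %016llx after %ld oracle queries\n", (unsigned long long)forged, o.queries);
    return 0;
}
```

The point the model makes is that the key never leaks and the signature itself is never broken; the attack only needs a crash-free yes/no oracle and a search space small enough to exhaust, which is exactly what a 16-bit PAC plus a speculative check provides.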
In a proof of concept, the researchers demonstrated that the attack even works against the kernel, the software core of a device’s operating system, which has “massive implications for future security work on all ARM systems with pointer authentication enabled,” said Joseph Ravichandran, a PhD student at MIT CSAIL and co-author of the research paper.
“The idea behind pointer authentication is that if all else has failed, you can still rely on it to prevent attackers from gaining control of your system,” Ravichandran added. “We’ve shown that pointer authentication as a last line of defense isn’t as absolute as we once thought it was.”
Apple has implemented pointer authentication on all of its custom ARM-based silicon to date, including the M1, M1 Pro and M1 Max, and a number of other chipmakers, including Qualcomm and Samsung, have announced or are expected to ship new processors supporting the hardware-level security feature. MIT says it has not yet tested the attack on Apple’s unreleased M2 chip, which also supports pointer authentication.
“If not mitigated, our attack will affect the majority of mobile devices, and likely even desktop devices in the coming years,” MIT said in the research paper.
The researchers, who presented their findings to Apple, note that the Pacman attack is not a “magic bypass” for all security on the M1 chip: it requires an existing bug that pointer authentication would otherwise protect against. When reached, Apple did not comment on the record.
In May of last year, a developer discovered an unfixable flaw in Apple’s M1 chip that creates a covert channel which two or more malicious applications already installed on a Mac could use to communicate with each other. But the bug was ultimately deemed “harmless”, because malware cannot use it to steal or tamper with data on a Mac.