Researchers at the Massachusetts Institute of Technology (MIT) Computer Science and Artificial Intelligence Laboratory (CSAIL) have announced a new hardware vulnerability in Apple's M1 chips. An attack they call PACMAN can defeat pointer authentication without leaving any trace. Because the method exploits a hardware mechanism, the underlying problem cannot be removed by a software patch.
The attack targets the Pointer Authentication Code (PAC), a hardware security mechanism that, put simply, attaches a cryptographic signature to a pointer so the processor can confirm the pointer has not been maliciously modified. This makes it considerably harder for an attacker to redirect control flow or inject malicious code into a device's memory. The researchers showed that it is possible to guess a PAC value and check whether the guess was correct.
Because a PAC occupies only a limited number of bits in a pointer, there are only a limited number of possible values, so an attacker can try them all and find the right one. Crucially, because every guess is checked under speculative execution, a wrong guess does not crash the program, and the attack leaves no trace. This breaches what was designed to be the last line of defence.
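To make the two points above concrete (a PAC is a small keyed signature stored in the spare bits of a pointer, and a small PAC space is brute-forceable if wrong guesses do not crash the process), here is an added software model. It is an illustration written for this page, not code from the MIT CSAIL paper or from Apple. It assumes a 48-bit virtual address space with the PAC held in the upper 16 bits, uses a toy mixing function in place of the real hardware PAC algorithm, and the key, address and salt values are constructed; the function names `pac_sign`, `pac_auth` and `pac_bruteforce` are this example's own.

```c
/* Software model of ARM Pointer Authentication (PAC) and a PAC-guessing loop.
 * Added illustration, not code from the PACMAN paper or from Apple.
 * Assumptions (not from the article): 48-bit virtual addresses, the PAC kept
 * in the top 16 bits of the pointer, and a toy keyed mixer standing in for
 * the CPU's real PAC algorithm. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define VA_BITS   48
#define PAC_BITS  (64 - VA_BITS)                 /* 16 spare bits hold the PAC */
#define PAC_MASK  (((uint64_t)1 << PAC_BITS) - 1)
#define PAC_SPACE ((uint64_t)1 << PAC_BITS)      /* 65536 possible PAC values */
#define ADDR_MASK (((uint64_t)1 << VA_BITS) - 1)

/* Toy keyed mixer (SplitMix64-style). Assumption: NOT the hardware algorithm. */
static uint64_t toy_mac(uint64_t key, uint64_t ptr, uint64_t salt) {
    uint64_t z = key ^ (ptr * 0x9E3779B97F4A7C15ULL) ^ (salt + 0x7F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Models a PAC sign instruction: compute the PAC over (address, salt) under
 * the secret key and store it in the pointer's unused upper bits. */
uint64_t pac_sign(uint64_t key, uint64_t ptr, uint64_t salt) {
    uint64_t pac = toy_mac(key, ptr & ADDR_MASK, salt) & PAC_MASK;
    return (ptr & ADDR_MASK) | (pac << VA_BITS);
}

/* Models a PAC authenticate instruction: true only if the stored PAC matches
 * the one recomputed from the address and salt under the key. */
bool pac_auth(uint64_t key, uint64_t signed_ptr, uint64_t salt) {
    uint64_t addr = signed_ptr & ADDR_MASK;
    uint64_t expected = toy_mac(key, addr, salt) & PAC_MASK;
    return (signed_ptr >> VA_BITS) == expected;
}

/* The attacker's situation: they control a pointer's address bits but not the
 * key, so they must guess the 16-bit PAC. crash_on_failure models an
 * architectural authenticate on a wrong guess: the process dies and the search
 * stops at the first miss. PACMAN's observation is that a speculative oracle
 * answers the same question without a crash, so the whole loop can run.
 * Returns the number of guesses made; *found receives the PAC that verified,
 * or -1 if the search stopped without one. */
long pac_bruteforce(uint64_t key, uint64_t target_addr, uint64_t salt,
                    bool crash_on_failure, long *found) {
    long guesses = 0;
    for (uint64_t guess = 0; guess < PAC_SPACE; guess++) {
        uint64_t candidate = (target_addr & ADDR_MASK) | (guess << VA_BITS);
        guesses++;
        if (pac_auth(key, candidate, salt)) { *found = (long)guess; return guesses; }
        if (crash_on_failure) { *found = -1; return guesses; }
    }
    *found = -1;
    return guesses;
}

int main(void) {
    uint64_t key  = 0x0123456789ABCDEFULL;  /* constructed: secret held by the CPU */
    uint64_t fn   = 0x0000000100004000ULL;  /* constructed: address of some function */
    uint64_t salt = 0x00007FFEE0001000ULL;  /* constructed: e.g. the stack slot address */
    uint64_t signed_fn = pac_sign(key, fn, salt);

    printf("auth(original)      = %d\n", pac_auth(key, signed_fn, salt));
    /* Flip one PAC bit: the signature no longer matches the address. */
    printf("auth(corrupted PAC) = %d\n", pac_auth(key, signed_fn ^ ((uint64_t)1 << 50), salt));

    long found;
    long n = pac_bruteforce(key, fn, salt, false, &found);
    printf("speculative oracle: PAC 0x%04lx found after %ld guesses (max %llu)\n",
           (unsigned long)found, n, (unsigned long long)PAC_SPACE);
    n = pac_bruteforce(key, fn, salt, true, &found);
    printf("crashing oracle: search stopped after %ld guess(es), found=%ld\n", n, found);
    return 0;
}
```

The model deliberately leaves the key out of the attacker's reach: `pac_bruteforce` never reads it, only the authenticate oracle does. What makes the search feasible is not the key length but the 16-bit PAC field and an oracle that survives wrong answers, which is exactly the combination the article describes.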
“The idea behind PAC authentication is that if all else fails, you can rely on it to prevent attackers from gaining control of the system. We showed that PAC as the last line of defense is not so absolute as we thought before,” says Joseph Ravichandran, a graduate student in electrical engineering and computer science.
Attacks on hardware and attacks on software were traditionally treated as two separate worlds. Familiar software threats include phishing, malware, denial of service, and so on. On the hardware side, vulnerabilities such as Spectre and Meltdown in 2018 allowed malicious code to manipulate microarchitectural structures and leak data.
The MIT researchers wanted to find out what could be achieved by combining the two: take something from the world of software security and break a feature designed to protect software by means of a hardware attack. “This is at the heart of what PACMAN is – a new way of thinking about how threat models are converging in the Spectre era,” says Ravichandran.
Exploitation will not be easy
PACMAN is not a master key that bypasses all of the M1 chip's security. It can only take an existing bug that PAC would otherwise neutralise and make it exploitable again by finding the correct PAC. According to the researchers there is no reason to panic, because PACMAN cannot compromise a system without an existing software bug.
PAC is used primarily to protect the operating system kernel, the most privileged part of the system. An attacker who gains control of the kernel can do whatever they like on the device. The researchers showed that the PACMAN attack also works against the kernel, which they say may have “huge implications for future security work on all PAC-enabled ARM systems.”
The researchers will present their work at the International Symposium on Computer Architecture on June 18. They have not yet tested the attack on the as yet unreleased M2 chip, which also supports pointer authentication.