Can Apple’s M1 Chip’s Pointer Authentication Be Bypassed? The PacMan Attack Explained

MIT researchers have uncovered an unpatchable hardware flaw in Apple’s M1 chip’s Pointer Authentication Code, demonstrating a speculative‑execution‑based PacMan attack that can bypass the chip’s last line of defense and even compromise the kernel.


MIT researchers discovered an “unpatchable” hardware vulnerability in Apple’s M1 chip that could allow attackers to bypass its final security barrier. The flaw resides in the hardware‑level security mechanism called Pointer Authentication Code (PAC), which is designed to make code injection harder and defend against buffer‑overflow attacks.

Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) devised a novel hardware attack that combines memory corruption with speculative execution to evade PAC protections. Because the attack exploits hardware, no software patch can remediate it.

The technique, dubbed “PacMan,” works by guessing the PAC value. PAC is a cryptographic signature that verifies an application has not been tampered with. The attack leverages speculative execution—a CPU performance feature that predicts execution paths—to leak the result of PAC verification, using a hardware side‑channel to determine whether the guess was correct.

Since PAC has a limited set of possible values, the researchers found they could brute‑force all possibilities to discover the correct one.
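To make the "limited set of possible values" concrete, here is a toy model of how a pointer authentication code is computed, embedded in a pointer and checked. It is an added illustration, not code from the article or the MIT paper; the key, the field widths and the use of HMAC are assumptions (real hardware uses a 128-bit key and the QARMA block cipher, and the PAC width depends on the virtual-address configuration).

```python
import hmac
import hashlib

# Assumed layout (not Apple's exact configuration): the low VA_BITS bits hold
# the address, and the PAC_BITS bits directly above them hold the PAC.
VA_BITS = 48
PAC_BITS = 16
ADDR_MASK = (1 << VA_BITS) - 1
PAC_MASK = (1 << PAC_BITS) - 1


def compute_pac(ptr: int, ctx: int, key: bytes) -> int:
    """Keyed MAC over (pointer, context), truncated to the PAC field width."""
    msg = ptr.to_bytes(8, "little") + ctx.to_bytes(8, "little")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "little") & PAC_MASK


def sign(ptr: int, ctx: int, key: bytes) -> int:
    """Model of a PAC* instruction: store the PAC above the address bits."""
    addr = ptr & ADDR_MASK
    return addr | (compute_pac(addr, ctx, key) << VA_BITS)


def auth(signed: int, ctx: int, key: bytes):
    """Model of an AUT* instruction: return the plain pointer, or None.

    On real hardware a failed check yields an invalid pointer, so the next
    dereference faults; that crash is the signal a defender normally sees.
    """
    addr = signed & ADDR_MASK
    if (signed >> VA_BITS) & PAC_MASK != compute_pac(addr, ctx, key):
        return None
    return addr


def pac_space() -> int:
    """Number of distinct PAC values an attacker would have to distinguish."""
    return 1 << PAC_BITS


if __name__ == "__main__":
    key = bytes(range(16))            # constructed demo key
    p = sign(0x00007FFF12345678, 0, key)
    print(hex(p), auth(p, 0, key) is not None, pac_space())
```

With a 16-bit field there are only 65,536 candidate PACs, which is why a verification oracle that does not crash the process turns the check into a guessable one.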

In a proof‑of‑concept demonstration, the team showed the attack can even target the kernel, the core of the operating system, raising serious concerns for the future security of all ARM systems that rely on pointer authentication, according to Joseph Ravichandran, PhD student and co‑first author of the paper.

Ravichandran noted that pointer authentication was intended as a last‑resort defense, but their findings prove it is not as absolute as previously believed.

Apple has deployed pointer authentication across its custom ARM chips, including the M1, M1 Pro, and M1 Max, and other manufacturers such as Qualcomm and Samsung have announced or plan similar hardware‑level security features. MIT has not yet tested the attack on Apple’s unreleased M2 chip, which also supports PAC.

MIT warns that, without mitigation, the attack could affect most mobile devices and potentially desktop devices in the coming years.

The researchers disclosed their findings to Apple, emphasizing that the PacMan attack is not a “magical bypass” of all M1 security but exploits specific bugs protected by PAC. Apple has not commented.

Last year, a developer identified an unfixable defect in the M1 that created a covert channel for malicious apps to communicate, but it was deemed harmless because malware could not use it to steal or disrupt data.

Source: CNBeta Reference: https://thehackernews.com/2022/06/mit-researchers-discover-new-flaw-in.html
Written by 21CTO

21CTO (21CTO.com) offers developers community, training, and services, making it your go‑to learning and service platform.
