Apple says users don't need to worry about unpatchable chip flaw (for now)
Apple's M1 is the first Arm-based chip designed for Macs to deliver high performance and long battery life at the same time. It is also the first desktop processor to ship with a security feature called Pointer Authentication. MIT researchers have now shown that this feature can be bypassed.
The attack combines a memory corruption vulnerability in software with a weakness in the processor's design to defeat pointer authentication codes. A memory corruption vulnerability is a bug (a buffer overflow, for example) that lets an attacker overwrite the contents of a memory location, including the pointers a program uses to decide where it executes next, and so hijack the program's flow of execution.
Arm, which designs the processor architecture that Apple's chips are built on, introduced Pointer Authentication (PA) in the Armv8.3-A architecture to protect pointer integrity. A pointer that has been tampered with is detected before it is used, which makes it much harder for an attacker to quietly modify a pointer and turn a memory corruption bug into control of the program.
PA stores a cryptographic signature, the Pointer Authentication Code (PAC), in the unused upper bits of a 64-bit pointer. The PAC is computed from the pointer value, a context value and a secret key that software cannot read, and it is checked before the pointer is used. To use a forged pointer, an attacker has to supply the right PAC. Because only the bits left over above the address are available for it, the PAC is small enough to be guessed by trial and error in principle. Simple brute forcing does not work in practice, though: every incorrect guess fails authentication, and the program (or, inside the kernel, the whole system) crashes.
That's where the PACMAN attack comes in. It goes a step further by constructing a PAC oracle, a way to tell a correct PAC from an invalid one without ever triggering a crash.
The researchers showed that such an oracle lets an attacker brute-force the correct PAC and then use the forged pointer to take control of a program or of the operating system, in this case macOS.
The key point is that PACMAN makes its guesses speculatively, so a wrong guess never becomes an architecturally visible event such as a fault; the outcome of the check is instead observed through a cache-timing side channel. That is how the attack sidesteps the problem of incorrect guesses causing a crash.
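To make the mechanism concrete, here is a small C model of PAC signing, authentication and the cost of brute forcing it. This is an added example written for this page, not code from the MIT team, Arm or Apple. It assumes a 48-bit address space (so a 15-bit PAC in bits 48..62), uses a splitmix64 mixing step as a stand-in for the real keyed PAC function, and models the PACMAN oracle as a plain comparison rather than the real speculative side channel. The key, addresses and stack pointer are constructed sample values.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of Arm Pointer Authentication (not Arm's or Apple's design).
 * Assumptions: a 48-bit virtual address, leaving bits 48..62 for a 15-bit PAC
 * (bit 63 kept as the top bit), and a 64-bit mixing function standing in for
 * the real keyed PAC algorithm. On real hardware the PAC width depends on the
 * configured address size and on whether top-byte ignore is enabled. */
#define VA_BITS   48
#define PAC_SHIFT VA_BITS
#define PAC_BITS  (63 - VA_BITS)                                  /* 15 */
#define PAC_MASK  (((UINT64_C(1) << PAC_BITS) - 1) << PAC_SHIFT)  /* bits 48..62 */
#define ADDR_MASK ((UINT64_C(1) << VA_BITS) - 1)
#define PAC_FAULT (UINT64_C(1) << 62)  /* toy error marker: pointer becomes non-canonical */

typedef struct { uint64_t k0, k1; } pac_key;  /* lives in system registers, unreadable by user code */

/* splitmix64 finaliser: a toy stand-in for the keyed PAC function, NOT the real one. */
static uint64_t mix64(uint64_t x) {
    x ^= x >> 30; x *= UINT64_C(0xbf58476d1ce4e5b9);
    x ^= x >> 27; x *= UINT64_C(0x94d049bb133111eb);
    return x ^ (x >> 31);
}

/* PAC = keyed function of (address, modifier, key), truncated to PAC_BITS and placed
 * in the unused upper bits. The modifier binds the pointer to a context (e.g. the
 * stack pointer for a saved return address) so a signed pointer cannot be replayed. */
static uint64_t pac_compute(uint64_t addr, uint64_t modifier, const pac_key *k) {
    uint64_t h = mix64((addr & ADDR_MASK) ^ k->k0);
    h = mix64(h ^ modifier ^ k->k1);
    return (h << PAC_SHIFT) & PAC_MASK;
}

/* Sign (PACIA-style): add the PAC to a clean pointer. */
static uint64_t pac_sign(uint64_t addr, uint64_t modifier, const pac_key *k) {
    return (addr & ADDR_MASK) | pac_compute(addr, modifier, k);
}

/* Authenticate (AUTIA-style). Success strips the PAC and yields the usable address;
 * failure yields a non-canonical pointer, so the first use of it faults. That fault
 * is the crash (in the kernel, the panic) that stops naive brute force. */
static bool pac_auth(uint64_t signed_ptr, uint64_t modifier, const pac_key *k, uint64_t *out) {
    uint64_t addr = signed_ptr & ADDR_MASK;
    if ((signed_ptr & PAC_MASK) == pac_compute(addr, modifier, k)) { *out = addr; return true; }
    *out = addr | PAC_FAULT;
    return false;
}

static bool is_canonical(uint64_t p) { return (p & ~ADDR_MASK) == 0; }

/* A PAC oracle answers "would this pointer authenticate?" without ever running the
 * faulting path. Modelled here as a plain comparison; PACMAN gets the same answer
 * from a speculative authentication observed through a cache side channel. */
static bool pac_oracle(uint64_t candidate, uint64_t modifier, const pac_key *k) {
    return (candidate & PAC_MASK) == pac_compute(candidate & ADDR_MASK, modifier, k);
}

typedef struct { uint64_t guesses, crashes, forged; } forge_result;

/* Forge a signed pointer for addr by trying every PAC value in order. Without an
 * oracle each wrong guess is an authentication failure, i.e. one crash of the
 * victim; with an oracle a wrong guess costs nothing but the guess. */
static forge_result forge_pac(uint64_t addr, uint64_t modifier, const pac_key *k, bool have_oracle) {
    forge_result r = {0, 0, 0};
    for (uint64_t g = 0; g < (UINT64_C(1) << PAC_BITS); g++) {
        uint64_t candidate = (addr & ADDR_MASK) | (g << PAC_SHIFT);
        r.guesses++;
        if (have_oracle) {
            if (pac_oracle(candidate, modifier, k)) { r.forged = candidate; break; }
        } else {
            uint64_t out;
            if (pac_auth(candidate, modifier, k, &out)) { r.forged = candidate; break; }
            r.crashes++;  /* the victim dereferenced a non-canonical pointer and died */
        }
    }
    return r;
}

int main(void) {
    /* Constructed sample values: a code address, and a stack pointer as the modifier. */
    const pac_key key = { UINT64_C(0x0123456789abcdef), UINT64_C(0xfedcba9876543210) };
    uint64_t addr = UINT64_C(0x100401000), sp = UINT64_C(0x16fd3e0a0), out;
    uint64_t signed_ptr = pac_sign(addr, sp, &key);
    printf("signed pointer     : 0x%016" PRIx64 "\n", signed_ptr);
    printf("auth, same context : %s\n", pac_auth(signed_ptr, sp, &key, &out) ? "ok" : "FAULT");
    printf("auth, other context: %s\n", pac_auth(signed_ptr, sp + 16, &key, &out) ? "ok" : "FAULT");
    forge_result naive = forge_pac(addr, sp, &key, false), oracle = forge_pac(addr, sp, &key, true);
    printf("naive brute force  : %" PRIu64 " guesses, %" PRIu64 " crashes\n", naive.guesses, naive.crashes);
    printf("with PAC oracle    : %" PRIu64 " guesses, %" PRIu64 " crashes\n", oracle.guesses, oracle.crashes);
    return 0;
}
```

Build with `cc -O2 pac_model.c -o pac_model && ./pac_model`. The naive search crashes the victim once per wrong guess (up to 2^15 - 1 times here, about 2^14 on average), which in a real system means a noisy trail of crash logs or kernel panics long before the search completes. The oracle makes exactly the same number of guesses but never trips the fault, which is why the width of the PAC on its own stops protecting once an attacker has such an oracle. The toy deliberately keeps the "wrong context" case: a pointer signed under one modifier fails under another, which is what prevents an attacker from simply reusing a valid signed pointer found elsewhere in memory.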
The problem with attacking PAC is that it’s impossible to bruteforce without causing crashes (in our case, kernel panics). However, what if there was a way to suppress crashes…?
— Joseph Ravichandran (@0xjprx) June 10, 2022
The team also showed that the attack works across privilege levels: code running as an ordinary user can target the operating system kernel, the most privileged part of the OS. The weakness is not limited to the M1; it is also present in the more powerful M1 Pro and M1 Max.
Because the weakness lies in the processor's design, it cannot be removed with a software patch. Mac users need not be alarmed, though: PACMAN is not a vulnerability on its own but a way past one defence, and an attacker still needs an exploitable memory corruption bug in the targeted software before there is anything to forge a pointer for.
TechCrunch reached out to Apple for comment, and the Cupertino company replied that there is no immediate risk to users:
"We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques. Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own."
Still, this is not something that can be brushed off as insignificant. Many chip makers, including Qualcomm and Samsung, have either unveiled or are expected to release processors with Pointer Authentication, and if the risk is not mitigated it could "affect the majority of mobile devices, and likely even desktop devices" in the future.
Last year, another M1 flaw was discovered which allowed two applications to covertly exchange information.