Researchers at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) have discovered a new security vulnerability that targets the popular Apple M1 processor. The attack, dubbed PACMAN, is able to bypass the last line of defense against software bugs in the M1 and potentially other ARM-based processors.
PACMAN attacks pointer authentication, the last check standing between many software vulnerabilities and a working exploit. Pointer authentication confirms that a program’s pointers haven’t been altered in any malicious way, serving as a “worst-case safety net,” as MIT doctoral student Joseph Ravichandran put it. The MIT researchers developed PACMAN as a way to guess a pointer’s authentication signature, bypassing this critical security mechanism. Because PACMAN exploits a hardware mechanism, the researchers say, a software patch will not be able to fix it.
The attack works by trying every possible pointer authentication value and using a hardware side channel to learn whether each guess was correct. All of this happens under speculative execution, in which the processor runs instructions ahead of time before knowing whether their results will be needed, which means that wrong guesses never fault and PACMAN leaves no trace.
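To make the mechanism concrete, here is an added software model of pointer authentication; it is not code from the MIT paper, Apple or Arm. It signs a pointer by embedding a truncated keyed MAC in the unused top bits, checks it on use, and shows how small the guess space is; HMAC-SHA256 as the MAC, the 48-bit address width and the exact bit layout are assumptions of the model.

```python
"""Software model of ARMv8.3 pointer authentication (what PACMAN guesses against).
Added illustration, not code from the MIT paper, Apple or Arm. The M1 computes PACs
with a hardware block cipher keyed from per-process registers; this model substitutes
HMAC-SHA256 truncated to the PAC width. Assumes 48-bit virtual addresses without
top-byte ignore, leaving 15 PAC bits: pointer bits 48-54 and 56-63 (bit 55 tells the
user half from the kernel half and is preserved).
"""
import hashlib
import hmac

VA_BITS = 48
VA_MASK = (1 << VA_BITS) - 1
BIT55 = 1 << 55
PAC_BITS = 15  # 64 - 48 - 1: bit 55 is not available for the PAC

class AuthFailure(Exception):
    """Models the fault raised when a pointer carrying a bad PAC is used."""

def is_canonical(ptr: int) -> bool:
    """An unsigned pointer has bits 48-63 all equal to bit 55."""
    return (ptr >> VA_BITS) in (0, 0xFFFF)

def pac_of(key: bytes, ptr: int, modifier: int) -> int:
    """Truncated keyed MAC over the address bits plus a context modifier (e.g. the
    stack pointer), so a PAC lifted from one pointer is useless on another."""
    msg = (ptr & (VA_MASK | BIT55)).to_bytes(8, "little") + modifier.to_bytes(8, "little")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:2], "little") & ((1 << PAC_BITS) - 1)

def sign(key: bytes, ptr: int, modifier: int) -> int:
    """PACxA-style: embed the PAC in the otherwise unused top bits."""
    if not is_canonical(ptr):
        raise ValueError("pointer must be canonical before signing")
    pac = pac_of(key, ptr, modifier)
    return (ptr & (VA_MASK | BIT55)) | ((pac & 0x7F) << 48) | ((pac >> 7) << 56)

def auth(key: bytes, signed: int, modifier: int) -> int:
    """AUTxA-style: strip a matching PAC, otherwise fault. Under normal execution
    every wrong guess ends here, which is what makes brute force noisy."""
    embedded = ((signed >> 48) & 0x7F) | (((signed >> 56) & 0xFF) << 7)
    if embedded != pac_of(key, signed, modifier):
        raise AuthFailure(hex(signed))
    body = signed & VA_MASK
    return body | (0xFFFF << 48) if signed & BIT55 else body

def pac_keyspace() -> int:
    """Candidate PACs per pointer: 2**15, enumerable if wrong guesses are silent."""
    return 1 << PAC_BITS
```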
“The idea behind pointer authentication is that if all else has failed, you can still rely on it to prevent attackers from gaining control of your system,” said Ravichandran, who co-wrote the PACMAN report. “We have shown that pointer authentication as a last line of defense is not as absolute as we once thought it was.”
Although PACMAN is scary for the M1 and other ARM-based systems that use pointer authentication, the MIT researchers say there’s no reason to worry now. PACMAN only lets through software bugs that pointer authentication would otherwise block. In short, a software vulnerability must first exist for PACMAN to do anything.
For its part, Apple is often quick to respond to vulnerabilities. Apple paid a student $100,000 for uncovering a webcam hack on Macs earlier this year, for example, and an update to MacOS Monterey in March fixed two major security flaws facing Macs. MIT says PACMAN is more of a concern for the processors of the future.
Ravichandran told Digital Trends in an interview that the research only looked at the M1, and that the team informed Apple of the issue in 2021. He says “the troubling question is not whether current ARM processors are vulnerable, but whether future ARM processors are also vulnerable.” We’ve contacted ARM, which says it’s aware of the vulnerability and plans to release an update to the ARM Security Center developer site once the researchers complete their work.
We also contacted Apple, who provided the following statement: “We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques. Based on our analysis, as well as details shared with us by researchers, we have concluded that this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own.”
Although PACMAN does not pose an immediate threat to M1, the MIT findings do not come at an opportune time. Apple just introduced the M2 processor, which probably also uses pointer authentication. Ravichandran offers some advice for problems that might arise from PACMAN with future chips: “Developers should be careful not to rely solely on pointer authentication to protect their software.”
Apple doesn’t seem overly concerned, and neither do the MIT researchers. Ravichandran says that while pointer authentication is “used all over the place in PAC-enabled binaries (such as the macOS kernel),” PACMAN only comes into play “as a last step in exploitation, when everything except pointer authentication has been compromised.”
However, that doesn’t mean PACMAN is harmless. Ravichandran warned that “using PACMAN to bypass pointer authentication opens the door to arbitrary code execution, which would give an attacker complete control of a device.” The researchers also suspect that future ARM processors with pointer authentication could also be vulnerable.
This is not the first vulnerability faced by the M1. Researchers discovered a hardware-based security vulnerability in the M1 in May, but it was not considered a major issue and has not caused widespread problems.
The MIT researchers will present their full findings June 18 at the International Symposium on Computer Architecture.
PACMAN poses no immediate threat, so there is nothing you need to do right now to protect yourself. Because PACMAN only works if there are software bugs, it’s important to keep MacOS and its software up to date. Be sure to read our guide on how to update your Mac and check frequently for software updates for applications installed on your computer.
Ravichandran echoed that advice: “Keep your software up to date!”