
posted by janrinok on Sunday June 12 2022, @07:12AM
from the install-a-new-and-different-cpu-to-patch dept.

MIT researchers uncover 'unpatchable' flaw in Apple M1 chips – TechCrunch:

Apple's M1 chips have an "unpatchable" hardware vulnerability that could allow attackers to break through its last line of security defenses, MIT researchers have discovered.

The vulnerability lies in a hardware-level security mechanism utilized in Apple M1 chips called pointer authentication codes, or PAC. This feature makes it much harder for an attacker to inject malicious code into a device's memory and provides a level of defense against buffer overflow exploits, a type of attack that forces memory to spill out to other locations on the chip.

Researchers from MIT's Computer Science and Artificial Intelligence Laboratory, however, have created a novel hardware attack, which combines memory corruption and speculative execution attacks to sidestep the security feature. The attack shows that pointer authentication can be defeated without leaving a trace, and as it utilizes a hardware mechanism, no software patch can fix it.

The attack, appropriately called "Pacman," works by "guessing" a pointer authentication code (PAC), a cryptographic signature that confirms that an app hasn't been maliciously altered. This is done using speculative execution — a technique used by modern computer processors to speed up performance by speculatively guessing various lines of computation — to leak PAC verification results, while a hardware side-channel reveals whether or not the guess was correct.

What's more, since there are only so many possible values for the PAC, the researchers found that it's possible to try them all to find the right one.

In a proof of concept, the researchers demonstrated that the attack even works against the kernel — the software core of a device's operating system — which has "massive implications for future security work on all ARM systems with pointer authentication enabled," says Joseph Ravichandran, a PhD student at MIT CSAIL and co-lead author of the research paper.

[Also Covered By]: Gizmodo

[Paper PDF]: PACMAN: Attacking ARM Pointer Authentication with Speculative Execution
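A toy model of the pointer-authentication scheme the excerpt describes, added here as an example and not code from the paper, Apple or ARM: it assumes 48-bit virtual addresses with the PAC kept in the spare upper bits, uses HMAC-SHA256 in place of the hardware cipher, and signs constructed key and address values. It shows why overwriting a signed pointer normally fails authentication (and, on real hardware, faults), and why a 16-bit PAC field leaves only 65536 values to try once a wrong guess can be tested without faulting.

```python
import hashlib
import hmac

VA_BITS = 48                    # assumption: 48-bit virtual addresses
VA_MASK = (1 << VA_BITS) - 1    # address bits; the PAC lives above them

def _pac(ptr: int, key: bytes, modifier: int, pac_bits: int) -> int:
    """Toy PAC: keyed hash of (address, modifier) truncated to pac_bits.
    Real hardware uses a block cipher (QARMA); HMAC-SHA256 stands in here."""
    msg = (ptr & VA_MASK).to_bytes(8, "little") + (modifier & VA_MASK).to_bytes(8, "little")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "little") & ((1 << pac_bits) - 1)

def pac_sign(ptr: int, key: bytes, modifier: int, pac_bits: int = 16) -> int:
    """Embed the PAC in the otherwise unused upper bits of the pointer."""
    return (ptr & VA_MASK) | (_pac(ptr, key, modifier, pac_bits) << VA_BITS)

def pac_auth(signed: int, key: bytes, modifier: int, pac_bits: int = 16) -> int:
    """Return the plain address if the PAC matches, else raise. Hardware
    instead poisons the pointer so the next use faults: a wrong guess crashes."""
    ptr = signed & VA_MASK
    if (signed >> VA_BITS) != _pac(ptr, key, modifier, pac_bits):
        raise ValueError("pointer authentication failed")
    return ptr

def auth_ok(signed: int, key: bytes, modifier: int, pac_bits: int = 16) -> bool:
    """Boolean wrapper around pac_auth for the checks below."""
    try:
        pac_auth(signed, key, modifier, pac_bits)
        return True
    except ValueError:
        return False

def pac_space(pac_bits: int = 16) -> int:
    """How many distinct PAC values exist: the 'only so many' of the excerpt."""
    return 1 << pac_bits

def retarget_is_detected(key: bytes, pac_bits: int = 16) -> bool:
    """Buffer-overflow style corruption: swap the target address of a signed
    pointer but keep its stale PAC. Rejected unless the stale PAC happens to
    collide with the right one (odds 1 in pac_space(pac_bits))."""
    good = pac_sign(0x1000_4000, key, modifier=0xABCD, pac_bits=pac_bits)
    forged = (good & ~VA_MASK) | 0x2000_8000   # constructed: new target, old PAC
    return not auth_ok(forged, key, 0xABCD, pac_bits)

def reuse_elsewhere_is_detected(key: bytes, pac_bits: int = 16) -> bool:
    """A validly signed pointer replayed under another modifier must fail too."""
    signed = pac_sign(0x1000_4000, key, modifier=0xABCD, pac_bits=pac_bits)
    return not auth_ok(signed, key, 0xDCBA, pac_bits)
```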

  • (Score: -1, Troll) by Anonymous Coward on Sunday June 12 2022, @08:15AM (3 children)

    by Anonymous Coward on Sunday June 12 2022, @08:15AM (#1252706)

    Am I the only one sick of "MIT" did this and that? Also "Stanford" this and that?

    I'll throw in this bit for the woke crowd:

    I mean, seriously, MIT, Stanford, it's all Chinese, aren't they? The Jews can't keep up, can they?

    • (Score: -1, Flamebait) by Anonymous Coward on Sunday June 12 2022, @08:53AM (2 children)

      by Anonymous Coward on Sunday June 12 2022, @08:53AM (#1252708)

      Dear modder, was it "the Jews" or was it "the Chinese?" Personally, I think it's a valid reason to mod me down either way, but just curious.

      • (Score: -1, Offtopic) by Anonymous Coward on Sunday June 12 2022, @11:37AM (1 child)

        by Anonymous Coward on Sunday June 12 2022, @11:37AM (#1252715)

        Personally, I considered that neither post needed moderation. Up or down.

        You were just running your flag up the pole to see if anyone salutes.

        I consider that is what this place is for.

        Hey, I do the same thing here. A lot. Just to get the feel of things so I do not permanently alienate the locals.

        • (Score: -1, Offtopic) by Anonymous Coward on Sunday June 12 2022, @02:52PM

          by Anonymous Coward on Sunday June 12 2022, @02:52PM (#1252740)

          But the trouble with woke culture is that they will decide to be offended before realising whether it is an insult, or whether they are even close to the target group, if there were one.

  • (Score: 4, Insightful) by Snotnose on Sunday June 12 2022, @01:06PM (5 children)

    by Snotnose (1623) on Sunday June 12 2022, @01:06PM (#1252719)

    The attacker needs physical access to the machine to do this attack. If an attacker gets physical access to your hardware all bets are off anyway.

    --
    Relationship status: Available for curbside pickup.
    • (Score: 4, Insightful) by FatPhil on Sunday June 12 2022, @08:50PM

      by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Sunday June 12 2022, @08:50PM (#1252812) Homepage

      The attacker just needs to persuade you to run his software on your device. People do that all the time, it's a hurdle that's not measurably above ground level.

      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 3, Informative) by jasassin on Sunday June 12 2022, @10:53PM

      by jasassin (3566) <jasassin@gmail.com> on Sunday June 12 2022, @10:53PM (#1252836) Homepage Journal

      > The attacker needs physical access to the machine to do this attack. If an attacker gets physical access to your hardware all bets are off anyway.

      No, they do not. It’s a complete software attack exploiting hardware features, very much like Spectre and Meltdown.

      --
      jasassin@gmail.com GPG Key ID: 0x663EB663D1E7F223
    • (Score: 1, Offtopic) by corey on Sunday June 12 2022, @11:42PM

      by corey (2202) on Sunday June 12 2022, @11:42PM (#1252846)

      Like TSA or other border security guys…

    • (Score: 1, Touché) by Anonymous Coward on Monday June 13 2022, @12:40AM

      by Anonymous Coward on Monday June 13 2022, @12:40AM (#1252859)

      Last paragraph of the Abstract:
      > We demonstrate multiple proof-of-concept attacks of PACMAN on the Apple M1 SoC, the first desktop processor that supports ARM Pointer Authentication. We reverse engineer the TLB hierarchy on the Apple M1 SoC and expand micro-architectural side-channel attacks to Apple processors. Moreover, we show that the PACMAN attack works across privilege levels, meaning that we can attack the operating system kernel as an unprivileged user in userspace.

      Doesn't sound like physical access is needed.

    • (Score: 2) by janrinok on Monday June 13 2022, @09:37AM

      by janrinok (52) Subscriber Badge on Monday June 13 2022, @09:37AM (#1252921) Journal

      > The attacker needs physical access to the machine to do this attack.

      No, he doesn't. All that has to happen is that the software is run on the machine.

  • (Score: 3, Insightful) by maxwell demon on Sunday June 12 2022, @02:17PM

    by maxwell demon (1608) Subscriber Badge on Sunday June 12 2022, @02:17PM (#1252731) Journal

    So if I understand correctly, this is a method to circumvent an additional security measure. That is, circumventing it only helps you if you also find another flaw that without that extra protection would already have given you access. Did I get this right?

    In that case, I think it is far less bad than the headline makes it sound. Basically, it means that the M1 is at worst no more secure than other processors.

    --
    The Tao of math: The numbers you can count are not the real numbers.
  • (Score: 3, Interesting) by bradley13 on Sunday June 12 2022, @02:41PM (2 children)

    by bradley13 (3053) Subscriber Badge on Sunday June 12 2022, @02:41PM (#1252738) Homepage Journal

    Not sure how serious this flaw is, but it is yet another flaw based off of side-channel attacks from speculative execution.

    Here's a thought: maybe speculative execution is just a dumb idea. Drop it, and you also massively simplify (and shrink) the cores, giving you more space for cache. I expect the performance hit would be fairly small.

    --
    Everyone is somebody else's weirdo.
    • (Score: 0) by Anonymous Coward on Monday June 13 2022, @02:04AM

      by Anonymous Coward on Monday June 13 2022, @02:04AM (#1252878)

      Unless speculative execution was specifically introduced as a feature to enable side channel attacks for exfiltrating encryption keys. America, fuck yeah!

    • (Score: 2) by fraxinus-tree on Monday June 13 2022, @08:31AM

      by fraxinus-tree (5590) on Monday June 13 2022, @08:31AM (#1252916)

      Speculative execution is an inevitable idea - as long as you don't want to sacrifice half of the performance. It is not that the speculative execution is bad, it is that stupid design shortcuts are bad.

  • (Score: 0) by Anonymous Coward on Monday June 13 2022, @02:28PM

    by Anonymous Coward on Monday June 13 2022, @02:28PM (#1252950)

    Ah oh, here come the fanboys...