Stories
Slash Boxes
Comments

SoylentNews is people

MIT Researchers Uncover ‘Unpatchable’ Flaw in Apple M1 Chips

posted by janrinok on Sunday June 12 2022, @07:12AM   Printer-friendly
from the install-a-new-and-different-cpu-to-patch dept.

AnonTechie writes:

MIT researchers uncover 'unpatchable' flaw in Apple M1 chips – TechCrunch:

Apple's M1 chips have an "unpatchable" hardware vulnerability that could allow attackers to break through its last line of security defenses, MIT researchers have discovered.

The vulnerability lies in a hardware-level security mechanism utilized in Apple M1 chips called pointer authentication codes, or PAC. This feature makes it much harder for an attacker to inject malicious code into a device's memory and provides a level of defense against buffer overflow exploits, a type of attack that forces memory to spill out to other locations on the chip.

Researchers from MIT's Computer Science and Artificial Intelligence Laboratory, however, have created a novel hardware attack, which combines memory corruption and speculative execution attacks to sidestep the security feature. The attack shows that pointer authentication can be defeated without leaving a trace, and as it utilizes a hardware mechanism, no software patch can fix it.

The attack, appropriately called "Pacman," works by "guessing" a pointer authentication code (PAC), a cryptographic signature that confirms that an app hasn't been maliciously altered. This is done using speculative execution — a technique used by modern computer processors to speed up performance by speculatively guessing various lines of computation — to leak PAC verification results, while a hardware side-channel reveals whether or not the guess was correct.

What's more, since there are only so many possible values for the PAC, the researchers found that it's possible to try them all to find the right one.

In a proof of concept, the researchers demonstrated that the attack even works against the kernel — the software core of a device's operating system — which has "massive implications for future security work on all ARM systems with pointer authentication enabled," says Joseph Ravichandran, a PhD student at MIT CSAIL and co-lead author of the research paper.

[Also Covered By]: Gizmodo

[Paper PDF]: PACMAN: Attacking ARM Pointer Authentication with Speculative Execution

Original Submission

 
This discussion has been archived. No new comments can be posted.
MIT Researchers Uncover ‘Unpatchable’ Flaw in Apple M1 Chips | Log In/Create an Account | Top | 15 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 3, Insightful) by maxwell demon on Sunday June 12 2022, @02:17PM

    by maxwell demon (1608) Subscriber Badge on Sunday June 12 2022, @02:17PM (#1252731) Journal

    So if I understand correctly, this is a method to circumvent an additional security measure. That is, circumventing it only helps you if you also find another flaw that without that extra protection would already have given you access. Did I get this right?

    In that case, I think it is far less bad than the headline makes it sound. Basically, it means that the M1 is at worst no more secure than other processors.

    --
    The Tao of math: The numbers you can count are not the real numbers.
    Starting Score:    1  point
    Moderation   +1  
       Insightful=1, Total=1
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   3