Apple ain’t afraid of no PACMAN as it downplays M1 chip vulnerability

Apple has wrapped up a big week with WWDC 2022 done and dusted and a new MacBook Air announced with a new M2 chip. But while the company may have had confetti and bugspray on its agenda, it also downplayed a new vulnerability in its M1 chip uncovered by MIT’s Computer Science & Artificial Intelligence Laboratory this week.

In summary, CSAIL researchers have found (via TechCrunch) a way to break Apple’s pointer authentication — essentially, a write-and-read cryptographic check verifying that an app’s pointers are consistently referencing the same locations in memory. The company’s implementation of pointer authentication has generally helped the M1 contain pretty much any bug with potential system-wide impact by catching a pointer that fails the test and triggering an app crash.


The attack uses a mix of software and hardware methods — including exploits of the chip’s speculative code execution that made threats like 2018’s Meltdown and Spectre vulnerabilities so scary — to beat pointer authentication by simply guessing all of a finite series of authentication codes. Opening up this gate then allows any existing software bug, including ones targeting the kernel, to wreak havoc as it would on other chips. CSAIL says that its cracking method, which it dubs PACMAN, can be executed remotely and, because of its reliance on a hardware side channel, can’t easily be patched.
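To make the mechanism the article describes concrete, here is an added simulation (not code from Apple, MIT, or the PACMAN paper) of how a pointer authentication code works: a keyed value derived from the pointer and a context is stored in the unused upper bits of a 48-bit virtual address, and a later authenticate step recomputes and compares it. The mixing function is a stand-in for the hardware cipher, the 48/16 bit split and the key are constructed assumptions, and the last function shows why the PAC space is finite.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Simplified arm64e-style layout (assumption): 48-bit virtual address,
 * PAC kept in the otherwise-unused upper 16 bits of the pointer. */
#define VA_BITS 48
#define VA_MASK ((1ULL << VA_BITS) - 1)
#define PAC_BITS (64 - VA_BITS)
#define PAC_MASK (~VA_MASK)

/* Stand-in keyed mixing function (NOT the hardware cipher): derives a PAC
 * from the address bits, a context modifier and a secret key. */
static uint64_t pac_compute(uint64_t ptr, uint64_t ctx, uint64_t key) {
    uint64_t x = (ptr & VA_MASK) ^ ctx ^ key;
    x ^= x >> 33; x *= 0xff51afd7ed558ccdULL;
    x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ULL;
    x ^= x >> 33;
    return x & PAC_MASK;            /* keep only the PAC_BITS upper bits */
}

/* Sign: embed the PAC into the upper bits (like the pac* instructions). */
uint64_t pac_sign(uint64_t ptr, uint64_t ctx, uint64_t key) {
    return (ptr & VA_MASK) | pac_compute(ptr, ctx, key);
}

/* Authenticate: recompute and compare. On success the stripped pointer is
 * written to *out; on failure hardware would fault, here we return false. */
bool pac_auth(uint64_t signed_ptr, uint64_t ctx, uint64_t key, uint64_t *out) {
    uint64_t expect = pac_compute(signed_ptr, ctx, key);
    if ((signed_ptr & PAC_MASK) != expect) return false;
    *out = signed_ptr & VA_MASK;
    return true;
}

/* Number of distinct PAC values: the "finite series" the article mentions. */
uint64_t pac_space_size(void) { return 1ULL << PAC_BITS; }

int main(void) {
    const uint64_t key = 0x0123456789abcdefULL;     /* constructed secret key */
    uint64_t fn = 0x00007fff12345678ULL, out = 0;   /* constructed code pointer */
    uint64_t signed_fn = pac_sign(fn, 0, key);
    printf("signed  %016llx valid=%d\n", (unsigned long long)signed_fn,
           (int)pac_auth(signed_fn, 0, key, &out));
    /* A pointer whose address bits were overwritten by a memory-corruption bug
     * keeps a PAC computed for the old address; it is rejected unless the
     * 16-bit PAC happens to collide, which is a 1 in 65536 chance. */
    uint64_t corrupted = (signed_fn & PAC_MASK) | 0x00007fff41414141ULL;
    printf("corrupt valid=%d\n", (int)pac_auth(corrupted, 0, key, &out));
    printf("PAC space size: %llu\n", (unsigned long long)pac_space_size());
    return 0;
}
```

The small PAC space is the defender's takeaway: every rejected guess normally crashes the process, so a check that can be probed without crashing, as the article says PACMAN does through a side channel, removes the cost of brute force.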

MIT’s researchers theorize that any chip which uses speculative execution to handle pointer authentication may be susceptible to PACMAN. Apple employs its pointer authentication on its arm64e chips, which include all of the M1 series, the new M2 chip, as well as A-series chips from the A12 onward. Arm-based chips from other manufacturers like MediaTek, Qualcomm, and Samsung could be at risk as well. Testing has not been done to prove risk on any platform other than the M1, though.


Details of PACMAN are available in the full paper from MIT.

Apple has responded to press coverage with this statement from spokesperson Scott Radcliffe:


We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques. Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own.

The company had a similar response to another M1 exploit with diminished potential discovered in May last year (via Ars Technica) that let multiple apps transmit information between each other.


Indeed, it’s true that PACMAN on its own doesn’t pose a threat to those protections, but again, an existing, effective bug can expose an attack surface with the help of PACMAN. Users will need to keep their software updated to stay as protected as they possibly can be, but that may not be enough.

Beyond patching memory corruption vulnerabilities as they come, however, manufacturers will want to focus on putting in protections — perhaps even installing pauses in speculative execution during pointer authentication, at a major cost to performance — that have been in development since the revelations of Meltdown and Spectre.
