Researchers Found an Unpatchable Security Flaw in Apple’s M1 And You Probably Don’t Need to Care
--
by Joel Hruska
Researchers working with MIT have found a new flaw in Apple processors that they’re calling unpatchable. While that sounds bad — and under specific circumstances, could be bad — it’s probably not something consumers need to worry about much.
The flaw, dubbed PACMAN, is caused by a hardware security problem with Apple’s pointer authentication codes (PAC). The researchers write: “We demonstrate that by leveraging speculative execution attacks, an attacker can bypass an important software security primitive called ARM Pointer Authentication to conduct a control-flow hijacking attack.” Pointers are objects in code that contain memory addresses. By modifying the data inside of pointers, an attacker can theoretically modify what happens when the machine accesses a given area of memory.
Pointer authentication protects pointers by encrypting them. While it may be possible to brute force some of the smallest pointer authentication schemes, using an incorrect pointer authentication code will crash the program. Restarting said program will generate new PACs, forcing the attacker to start the process over. Eventually, the constant crashing is going to get suspicious. Brute-forcing pointer authentication is not a practical means of extracting useful information.
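To make the mechanism in the paragraph above concrete, here is a toy model of pointer authentication. This is an added illustration written for this article, not Apple's or ARM's implementation: real hardware computes the code with the QARMA block cipher and per-process keys in system registers, whereas this model uses HMAC-SHA256 as the keyed function, and the 48-bit address width and 16-bit code width are assumptions. It shows that a pointer whose address bits are rewritten, a signed pointer replayed under a different context, and a pointer checked after a restart (new key) all fail authentication, which on real hardware yields an invalid pointer and a crash.

```python
import hmac
import hashlib
import os

# Toy model of ARM pointer authentication (PAC); an added example, not the
# hardware's real algorithm. Layout constants below are assumptions.
VA_BITS = 48                         # assumed virtual-address width
PAC_BITS = 64 - VA_BITS              # the PAC sits in the unused upper 16 bits
ADDR_MASK = (1 << VA_BITS) - 1
PAC_MASK = (1 << PAC_BITS) - 1


class PointerAuthContext:
    """One process's pointer-authentication key.

    A fresh random key per instance models the article's point that
    restarting a program generates new PACs for every pointer.
    """

    def __init__(self, key=None):
        self.key = key if key is not None else os.urandom(16)

    def compute_pac(self, addr, modifier):
        # Keyed function over the address bits plus a context value (for a
        # return address the hardware uses the stack pointer), truncated to
        # PAC_BITS. HMAC stands in for the cipher used by real hardware.
        msg = (addr & ADDR_MASK).to_bytes(8, "little") + modifier.to_bytes(8, "little")
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:8], "little") & PAC_MASK

    def sign(self, addr, modifier):
        """Like the PACIA instruction: embed the PAC in the pointer's upper bits."""
        if addr & ~ADDR_MASK:
            raise ValueError("pointer already carries upper bits")
        return addr | (self.compute_pac(addr, modifier) << VA_BITS)

    def authenticate(self, signed_ptr, modifier):
        """Like the AUTIA instruction: return the plain pointer if the PAC
        matches, otherwise None. On real hardware a mismatch produces a
        non-canonical pointer, so the next use of it faults and the program
        crashes; that crash is what makes brute-force guessing impractical."""
        addr = signed_ptr & ADDR_MASK
        if (signed_ptr >> VA_BITS) != self.compute_pac(addr, modifier):
            return None
        return addr


def demo():
    """Exercise the model with constructed addresses; returns the outcomes."""
    ctx = PointerAuthContext()
    target = 0x0000_7FFF_1234_5670           # constructed code address
    stack_ptr = 0x0000_7FFC_0000_0100        # constructed modifier (stack pointer)
    signed = ctx.sign(target, stack_ptr)
    # Attacker overwrites the address bits but cannot recompute the PAC.
    tampered = (signed & ~ADDR_MASK) | 0x4141_4141_4140
    return {
        "valid": ctx.authenticate(signed, stack_ptr),
        "tampered_addr": ctx.authenticate(tampered, stack_ptr),
        "wrong_modifier": ctx.authenticate(signed, stack_ptr + 16),
        # A restarted process holds a new key, so old signed pointers die.
        "after_restart": PointerAuthContext().authenticate(signed, stack_ptr),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:15s} -> {'ok' if outcome is not None else 'auth failure (would crash)'}")
```

With only 16 code bits a single forged pointer has a 1-in-65536 chance of passing, which is why the article says brute force is conceivable in principle; the model's `after_restart` case shows why it does not pay off in practice, since every crash and restart re-keys the process and invalidates whatever was learned.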
What does work is exfiltrating data through side channels and taking advantage of speculative execution. The team writes:
The key insight of our PACMAN attack is to use speculative execution to stealthily leak PAC verification results via microarchitectural side channels. Our attack works relying on PACMAN gadgets. A PACMAN gadget consists of two operations: 1) a pointer verification operation that speculatively verifies the correctness of a guessed PAC, and 2) a transmission operation that speculatively transmits the verification result via a micro-architectural side channel… Note that we execute both operations on a mis-speculated path. Thus, the two operations will not trigger architecture-visible events, avoiding the issue where invalid guesses result in crashes.