It’s not known if this exploit could work against other Arm chips
Apple has wrapped up a big week with WWDC 2022 done and dusted and a new MacBook Air announced with a new M2 chip. But while the company may have had confetti and bugspray on its agenda, it also downplayed a new vulnerability on its M1 chip as uncovered by MIT’s Computer Science & Artificial Intelligence Laboratory this week.
In summary, CSAIL researchers have found (via TechCrunch) a way to break Apple’s pointer authentication — essentially, a write-and-read cryptographic check verifying that an app’s pointers are referencing the same locations in memory. The company’s implementation of pointer authentication has generally helped the M1 contain pretty much any bug with potential system-wide impacts by catching a pointer that fails the test and triggering an app crash.
The attack uses a mix of software and hardware methods — including exploits to speculative code execution that made threats like 2018’s Meltdown and Spectre vulnerabilities so scary — to beat pointer authentication by simply guessing all of a finite series of authentication codes. Opening up this gate then allows any existing software bug, including ones targeting the kernel, to wreak havoc as they would on other chips. CSAIL says that its cracking method, which it dubs PACMAN, can be executed remotely and, because of its reliance on a hardware side channel, can’t easily be patched.
MIT’s researchers theorize that any chip which uses speculative execution to handle pointer authentication may be susceptible to PACMAN. Apple employs its pointer authentication on its arm64e chips which include all of the M1 series, the new M2 chip, as well as A-series chips from the A12 onward. Arm-based chips from other manufacturers like MediaTek, Qualcomm, and Samsung could be at risk, but testing has not been done to prove risk to those platforms.
Details of PACMAN are available in the full paper from MIT.
Apple has responded to press coverage with this statement from spokesperson Scott Radcliffe:
We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques. Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own.
The company had a similar response to another M1 exploit with diminished potential discovered in May last year (via Ars Technica) that let multiple apps transmit information between each other.Indeed, it’s true that PACMAN on its own doesn’t pose a threat to those protections, but again, an existing, effective bug can expose an attack surface with the help of PACMAN. Users will need to keep their software updated to stay protected. Beyond patching memory corruption vulnerabilities as they come, however, manufacturers will want to focus on putting in protections — perhaps even install pauses in speculative executions during pointer authentication at the cost of performance — that have been in development since revelations of Meltdown and Spectre.
