A new hardware attack targeting Pointer Authentication in Apple M1 CPUs with speculative execution enables attackers to gain arbitrary code execution on Mac systems.
Pointer Authentication is a security feature that adds a cryptographic signature, known as a pointer authentication code (PAC), to pointers. The signature allows the operating system to detect and block unexpected changes to those pointers that would otherwise lead to data leaks or system compromise.
Discovered by researchers at MIT's Computer Science & Artificial Intelligence Laboratory (CSAIL), this new class of attack would allow threat actors to remotely bypass pointer authentication in the kernel from userspace.
To do that, the attackers first need to find a memory bug affecting software on the targeted Mac that would be blocked by PAC and that can be escalated into a more severe security issue after bypassing PAC defenses.
"PACMAN takes an existing software bug (memory read/write) and turns it into a more serious exploitation primitive (a pointer authentication bypass), which may lead to arbitrary code execution. In order to do this, we need to learn what the PAC value is for a particular victim pointer," the researchers explained.
"PACMAN does this by creating what we call a PAC Oracle, which is the ability to tell if a given PAC matches a specified pointer. The PAC Oracle must never crash if an incorrect guess is supplied. We then brute force all possible PAC values using the PAC Oracle."
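To make the mechanism the researchers describe concrete, here is a small model of pointer signing and authentication. It is an added illustration written for this article, not code from the MIT CSAIL team or from Apple: the 16-bit PAC width, the HMAC standing in for the hardware MAC, the key and the modifier values are all constructed assumptions. It shows why a signed pointer cannot simply be redirected, and why a wrong PAC guess normally ends in a fault, which is the crash the PAC Oracle has to avoid.

```python
import hmac
import hashlib

# Toy model of ARMv8.3 Pointer Authentication (added example, not Apple's or
# ARM's implementation). Real hardware computes the PAC with a block-cipher
# based MAC keyed from system registers; an HMAC stands in for it here.
PAC_BITS = 16              # assumption: unused high address bits that carry the PAC
PTR_BITS = 64 - PAC_BITS   # constructed: the low 48 bits hold the usable address
PTR_MASK = (1 << PTR_BITS) - 1
PAC_MASK = ((1 << PAC_BITS) - 1) << PTR_BITS
PAC_BYTES = (PAC_BITS + 7) // 8

DEMO_KEY = b"constructed-demo-key-not-a-real-secret"  # constructed sample key


def compute_pac(ptr: int, key: bytes, modifier: int) -> int:
    """Derive the PAC from the address bits, the secret key and a context
    value (the 'modifier', e.g. a stack pointer or type hash)."""
    msg = (ptr & PTR_MASK).to_bytes(8, "little") + modifier.to_bytes(8, "little")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "little") & ((1 << PAC_BITS) - 1)


def pac_sign(ptr: int, key: bytes, modifier: int) -> int:
    """Model of the PAC* (sign) instructions: embed the PAC in the top bits."""
    if ptr & PAC_MASK:
        raise ValueError("pointer already carries PAC or tag bits")
    return ptr | (compute_pac(ptr, key, modifier) << PTR_BITS)


def pac_auth(signed_ptr: int, key: bytes, modifier: int) -> int:
    """Model of the AUT* (authenticate) instructions.

    Returns the stripped pointer on success. On a mismatch real hardware hands
    back a deliberately invalid pointer so the next use faults (in the kernel,
    a panic); raising here plays the role of that fault.
    """
    ptr = signed_ptr & PTR_MASK
    expected = compute_pac(ptr, key, modifier).to_bytes(PAC_BYTES, "big")
    found = ((signed_ptr & PAC_MASK) >> PTR_BITS).to_bytes(PAC_BYTES, "big")
    if not hmac.compare_digest(expected, found):
        raise MemoryError("PAC mismatch: pointer would fault on use")
    return ptr


def redirect_keeping_pac(signed_ptr: int, new_target: int) -> int:
    """Simulate a memory-corruption bug that overwrites the address bits of a
    signed pointer while leaving the old PAC bits untouched."""
    return (signed_ptr & PAC_MASK) | (new_target & PTR_MASK)


def pac_guess_space() -> int:
    """Number of candidate PAC values an attacker would have to try blindly;
    each wrong try faults unless an oracle like PACMAN's is available."""
    return 1 << PAC_BITS


if __name__ == "__main__":
    original = 0x0000_7FFF_DEAD_0000        # constructed sample address
    modifier = 0x1234                        # constructed sample context value
    signed = pac_sign(original, DEMO_KEY, modifier)
    print(f"signed pointer:  {signed:#018x}")
    print(f"authenticates to {pac_auth(signed, DEMO_KEY, modifier):#018x}")

    corrupted = redirect_keeping_pac(signed, 0x0000_7FFF_BEEF_0000)
    try:
        pac_auth(corrupted, DEMO_KEY, modifier)
        print("corrupted pointer accepted (1-in-65536 lucky PAC collision)")
    except MemoryError as exc:
        print(f"corrupted pointer rejected: {exc}")
    print(f"blind search space: {pac_guess_space()} PAC values")
```

The model deliberately omits the speculative-execution side of the attack; its purpose is to show the defensive invariant, namely that any change to the address or to the context value changes the expected PAC, so a forged pointer is rejected and the process faults. That fault is exactly the signal the researchers' PAC Oracle suppresses, which is why the bypass needs both a memory-corruption bug and a crash-free way to test guesses.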
We found a way to defeat pointer authentication (and forge kernel pointers from userspace) on the Apple M1 via a new hardware attack. Here's how it works - https://t.co/6Kz3jnRtwI
— Joseph Ravichandran (@0xjprx) June 10, 2022
While Apple can't patch the hardware to block attacks using this exploitation technique, the good news is that end-users don't need to be worried as long as they keep their software up to date and free of bugs that could be exploited to gain code execution using PACMAN.
"PACMAN is an exploitation technique - on its own it cannot compromise your system. While the hardware mechanisms used by PACMAN cannot be patched with software features, memory corruption bugs can be," the researchers added.
While guessing a PAC incorrectly would normally trigger a kernel panic and crash the entire system, PACMAN's speculative approach ensures that no system crash occurs and leaves no trace in the logs.
Apple: No immediate risk to users
The MIT CSAIL researchers reported their findings and shared proof-of-concept attacks and code with Apple, exchanging info with the company since 2021.
Apple says this new side-channel attack doesn't represent a danger to Mac users, given that it also requires other security vulnerabilities to be effective.
"We want to thank the researchers for their collaboration as this proof-of-concept advances our understanding of these techniques," an Apple spokesperson told BleepingComputer.
"Based on our analysis, as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass device protections on its own."
Security experts have argued that the attack doesn't come with "real-world utility," which was confirmed by Joseph Ravichandran, an MIT Ph.D. student and one of the four researchers behind PACMAN.
You can find more technical details about this novel hardware attack on the dedicated site and in the "PACMAN: Attacking ARM Pointer Authentication with Speculative Execution" paper [PDF] that will be presented at the International Symposium on Computer Architecture on June 18.
Update: Fixed a factual error saying the attack required physical access.