Apple’s M1 is fast and devastatingly power-efficient, but like all CPUs, it isn’t bulletproof. MIT Computer Science & Artificial Intelligence Laboratory (CSAIL) scientists unveiled a new attack methodology that exploits a hardware vulnerability in the Apple M1 series of chips by using a new PACMAN technique to steal data. The team used an Apple M1 processor as the demo chip for the exploit and tells us that it hasn’t replicated it with other Arm processors. The researchers claim the attack can even potentially access the core operating system kernel, thus giving attackers full control of a system through a combination of software and hardware attacks. However, the software portion of the attack does rely upon an existing memory corruption bug to work, so it isn’t a silver bullet that will bypass all security.
Notably, the researchers tell Tom’s Hardware that the exploit does not require physical access to the machine, so it can be exploited remotely. The researchers say the M1’s hardware vulnerabilities can’t be patched with software and the MIT team believes the vulnerability could impact future Arm mobile devices, and likely even future Arm desktop PCs, if it isn’t mitigated in future architectures. “Any chip that uses speculative execution to evaluate and operate on pointer authentication signed pointers (and handles nested mispredicts eagerly) could potentially be vulnerable to PACMAN,” said Joseph Ravichandran, a researcher with the MIT team. That means this could possibly impact chips from other Arm vendors that support pointer authentication, such as Qualcomm and Samsung, but those chips haven’t been tested yet.
The attack targets Arm’s Pointer Authentication feature through a side-channel attack on the chips’ speculative execution engine. Pointer Authentication is normally used to verify software with cryptographic signatures called pointer authentication codes (PACs), thus preventing malicious attacks on the memory via software vulnerabilities. These software attacks usually consist of techniques that exploit memory corruption, like buffer overflows, to take full control of a program. As such, it relies upon an existing software bug that can read and write to memory.
The PACMAN technique comprises ‘guessing’ a value for the PAC while using a speculative execution attack, much like we see with Spectre and Meltdown, to leak the PAC verification results via microarchitectural side channels. As a reminder, a side channel attack allows data theft by observing or exploiting a secondary effect of an operation on a system. This allows the researchers to find the correct PAC value, thus sidestepping protection against software vulnerabilities. However, it requires an existing memory corruption bug in the software to work. “PACMAN can only take an existing bug that pointer authentication protects against, and unleash that bug’s true potential for use in an attack by finding the correct PAC,” said the researchers.
The researchers say the PACMAN attack works across privilege levels, “implying the feasibility of attacking a PA-enabled operating system kernel.”
When asked about the data exfiltration rate (i.e., how fast data can be stolen), the team tells Tom’s Hardware, “It’s hard to say since data exfiltration with this attack will be very dependent on the exact gadget used. Our proof of concept exploit takes 2.69 milliseconds per PAC guess (so worst-case 2.94 minutes per pointer). This may be longer in a fully integrated end-to-end attack.”
The researchers propose three methods to protect against the PACMAN attacks. One method is to modify the hardware or software to prevent PAC verification results from being used in the speculative execution process. However, the researchers warn that this approach could have a significant performance penalty. Another suggestion is to adapt previously-developed Spectre mitigation techniques to PACMAN. Finally, patching memory corruption vulnerabilities would also prevent the attacks.
The report also documents the team’s reverse-engineering of the Apple M1 processors’ memory hierarchy, which in turn reveals many previously undisclosed details of the chip’s architecture.
The MIT team was partly funded by the National Science Foundation (NSF) and the Air Force Office of Scientific Research (AFOSR). The MIT CSAIL team will present its PACMAN: Attacking ARM Pointer Authentication with Speculative Execution paper at the International Symposium on Computer Architecture on June 18, outlining its new attack methodology.
The team disclosed the vulnerability to Apple several months in advance, so it has engaged in responsible disclosure. However, the team hasn’t filed a Common Vulnerabilities and Exposures (CVE) number but plans to file one soon.
EDIT — An Apple spokesperson has now provided us with a statement on the matter:
“We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques. Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own.”
Apple’s statement points out that the vulnerability “on its own” isn’t a threat, but it is unclear if this refers to the hardware component of the attack or the software component. The attack explicitly leverages combined hardware+software vulnerabilities, so we’re following up for clarification on the statement.
69 Responses
order levofloxacin generic levofloxacin 250mg pill
purchase avodart brand celebrex buy ondansetron 8mg
aldactone 100mg brand buy generic diflucan diflucan medication
ampicillin 500mg cheap buy ampicillin 250mg sale erythromycin 500mg uk
purchase fildena online order tamoxifen 20mg generic order robaxin
brand lamictal 50mg buy vermox 100mg for sale retin us
tadalafil 20mg ca purchase tadalafil buy diclofenac 50mg without prescription
purchase accutane sale buy amoxicillin tablets generic azithromycin 500mg
order indomethacin generic generic amoxicillin 500mg amoxicillin oral
buy tadalafil 5mg Discount viagra without prescription buy sildenafil 50mg pills
buy anastrozole 1mg sale where to buy real viagra online order generic sildenafil 50mg
cialis 5mg prix generique cialis sildenafil 200mg sans ordonnance en france
prednisone online buy viagra tablets viagra for sale
tadalafil 10mg für frauen viagra kaufen generika sildenafil 50mg für männer
buy accutane 20mg amoxicillin 1000mg generic stromectol 3mg cost
purchase modafinil online Cialis next day buy diamox without prescription
doxycycline usa order clomiphene 100mg pills purchase lasix generic
order ramipril generic buy azelastine sprayers astelin 10 ml without prescription
order clonidine 0.1 mg pill minocin drug order spiriva generic
buspirone online amiodarone 200mg oral cost oxybutynin 5mg
purchase terazosin pills buy terazosin 5mg order sulfasalazine 500 mg online
buy fosamax 35mg sale paracetamol 500mg over the counter order famotidine 20mg online cheap
buy benicar 20mg online cheap divalproex cheap buy acetazolamide 250mg for sale
prograf 5mg sale brand requip 2mg purchase ursodiol generic
cost isosorbide 40mg order micardis pills telmisartan for sale
order zyban 150mg without prescription buy zyban 150 mg without prescription order quetiapine 50mg sale
molnupiravir online buy prevacid 15mg pills prevacid 15mg over the counter
order zoloft 50mg without prescription buy lexapro 20mg sildenafil for men over 50
imuran drug imuran us order viagra 50mg without prescription
overnight delivery cialis buy cialis for sale sildenafil pills
order cialis 20mg without prescription order generic cialis symmetrel sale
purchase naltrexone for sale buy revia sale aripiprazole sale
avlosulfon 100mg for sale aceon uk brand perindopril
luvox cheap buy fluvoxamine 50mg sale glucotrol 5mg ca
accutane 40mg cheap order isotretinoin online cheap prednisone 10mg
order piracetam 800mg pills 50mg viagra sildenafil online buy
buy generic azithromycin 250mg order zithromax 250mg online neurontin 800mg sale
cialis 20 mg tadalafil drug buy viagra
furosemide 40mg generic buy plaquenil 200mg generic order hydroxychloroquine for sale
tadalafil 10mg price order anafranil 50mg online cheap clomipramine 25mg canada
oral chloroquine generic cenforce generic baricitinib 4mg
top 100 dating websites 2020 match dating site free adult dating single women dating
Somebody essentially lend a hand to make seriously articles I might state. This is the first time I frequented your web page and so far? I surprised with the analysis you made to make this actual submit amazing. Wonderful task!
Fantastic website.온라인카지노
A lot of useful info here. I am sending it to a few buddies ans also sharing in delicious. And obviously, thank you for your effort!
perscription drugs without perscription
https://canadianpharmacyquick.com/
prescriptions online
no prescription drugs canada
best canadian online pharmacy
https://canadianpharmaciestotal.com/
pharmacies with no prescription
canadian meds
discount online pharmacy
cheapest canadian pharmacies
canadian online pharmacies ratings
https://allcanadianpharm.com/
best canadian online pharmacies
canadapharmacy.com
meds canada
my canadian pharmacy viagra
no prescription canadian pharmacy
drug canada
mexican pharmacies shipping to usa
international pharmacies that ship to the usa
online meds no rx reliable
canadian online pharmacies
https://alglobalpharma.com/
canadian mail order pharmacies
canadian pharcharmy
online pharmacy review
canada online pharmacies
https://canadianpharmaciestotal.com/
online prescription drugs
canada drugs online
https://canadiandailymeds.com/
canadian meds
canadian pharmaceuticals online
https://canadianpharmsl.com/
canadian online pharmacies
canadian pharmacy no prescription needed
legitimate mexican pharmacy online
https://canadianpharmaceuticalsplus.com/
canada drug
non perscription on line pharmacies
https://canadianpharmaciesturbo.com/
cheap pharmacy
overseas pharmacies online
https://canadianpharmacieshelp.com/
canada online pharmacy
canadian pharmacies that sell viagra