MIT research discovers flaw in Apple M1 chips that can’t be patched

13 Jun 2022


Researchers said their Pacman hardware attack could be used to affect ‘the majority’ of mobile and desktop devices in the coming years.

Apple’s M1 processor chip has been found to have an unpatchable hardware vulnerability that could allow attackers to bypass security mechanisms, according to MIT researchers.

The vulnerability relates to the M1 chip’s pointer authentication, which detects and guards against unexpected changes to pointers in memory.

Pointer authentication works by offering a special CPU instruction that adds a cryptographic signature, known as a pointer authentication code (PAC), to the unused high-order bits of a pointer before the pointer is stored. If the signature fails to verify when the pointer is later authenticated, the CPU treats this as memory corruption: the pointer is invalidated and the program crashes when it tries to use it.
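To make the sign-then-authenticate cycle concrete, here is a small C model added for illustration; it is not the researchers' code and not Apple's or Arm's implementation. The 48-bit address with a 16-bit PAC in the top bits, the toy keyed mixer standing in for the hardware cipher, the poison bit, and the key and modifier values are all assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* Assumed layout: 48-bit virtual address, PAC kept in the unused top 16 bits.
   Real layouts depend on the configured address size and tagging, so this is
   a simplification for illustration only. */
#define ADDR_BITS 48
#define ADDR_MASK ((1ULL << ADDR_BITS) - 1)
#define PAC_SHIFT ADDR_BITS
#define PAC_MASK  (0xFFFFULL << PAC_SHIFT)
/* Bit set on a pointer that fails authentication so that any later
   dereference is non-canonical and faults (stand-in for the CPU's behaviour). */
#define ERROR_BIT (1ULL << 62)

/* Toy keyed mixer (murmur-style finaliser) standing in for the real PAC
   cipher. It is NOT cryptographically meaningful; it only gives a keyed,
   modifier-dependent 16-bit tag for the demonstration. */
static uint64_t toy_pac(uint64_t addr, uint64_t modifier, uint64_t key) {
    uint64_t x = addr ^ (modifier * 0x9E3779B97F4A7C15ULL) ^ key;
    x ^= x >> 33; x *= 0xff51afd7ed558ccdULL;
    x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ULL;
    x ^= x >> 33;
    return (x & 0xFFFF) << PAC_SHIFT;
}

/* Sign: bind the address to a key and a context modifier (e.g. a stack
   pointer value), like the PACxx instructions, and store the tag up top. */
uint64_t pac_sign(uint64_t ptr, uint64_t modifier, uint64_t key) {
    uint64_t addr = ptr & ADDR_MASK;
    return addr | toy_pac(addr, modifier, key);
}

/* Authenticate: recompute the tag and compare, like the AUTxx instructions.
   Success yields the plain address; failure yields a poisoned pointer. */
uint64_t pac_auth(uint64_t signed_ptr, uint64_t modifier, uint64_t key) {
    uint64_t addr = signed_ptr & ADDR_MASK;
    if ((signed_ptr & PAC_MASK) == toy_pac(addr, modifier, key))
        return addr;
    return addr | ERROR_BIT;
}

bool pac_is_valid(uint64_t ptr) { return (ptr & ERROR_BIT) == 0; }

int main(void) {
    uint64_t key = 0x0123456789abcdefULL, mod = 0x7ffe0000ULL; /* constructed */
    uint64_t fn = 0x0000000100004000ULL;                         /* constructed */
    uint64_t s = pac_sign(fn, mod, key);
    uint64_t tampered = s ^ (1ULL << (PAC_SHIFT + 3)); /* flip one PAC bit */
    printf("signed %016llx ok=%d\n", (unsigned long long)s,
           pac_is_valid(pac_auth(s, mod, key)));
    printf("tampered ok=%d\n", pac_is_valid(pac_auth(tampered, mod, key)));
    return 0;
}
```

A pointer whose tag was altered in memory is handed back poisoned rather than dereferenced, which is the crash behaviour the article describes and the signal that Pacman is designed to observe without triggering.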

However, researchers from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) have created a hardware attack methodology that leaks verification results via “micro-architectural side channels” without causing any crashes. This could allow attackers to sidestep the defence.

In a new research paper, the team said their novel hardware attack called Pacman leverages vulnerabilities in speculative execution – a performance-boosting feature found on most chips – to help bypass the memory defences. As the attack utilises a hardware mechanism, it cannot be patched.

“While the hardware mechanisms used by Pacman cannot be patched with software features, memory corruption bugs can be,” the MIT researchers said in an accompanying post.

While the hardware attack was tested on the Apple M1 chip, the research team noted that the attack could be used on other pieces of hardware that utilise Arm pointer authentication and future Arm processors.

“If not mitigated, our attack will affect the majority of mobile devices, and likely even desktop devices in the coming years,” the researchers said.

In a statement to The Hacker News, Apple said: “We want to thank the researchers for their collaboration as this proof-of-concept advances our understanding of these techniques.

“Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own,” Apple added.


Leigh Mc Gowran is a journalist with Silicon Republic
