Researchers have devised a new hardware attack against Pointer Authentication on Apple's M1 CPUs. It abuses speculative execution to guess a pointer's authentication code without triggering a crash, and in combination with an existing memory-corruption bug it can be used to obtain arbitrary code execution on Mac systems.

Pointer Authentication is a hardware security feature that stores a cryptographic signature, the Pointer Authentication Code (PAC), in the otherwise unused upper bits of a pointer. The operating system signs pointers such as return addresses and function pointers and verifies the PAC before using them, so unexpected modifications made through a memory-corruption bug are detected before they can be turned into control-flow hijacking or data leaks.

The PACMAN attack

Researchers at MIT's CSAIL have disclosed this new class of attack. It allows an attacker who already has code execution on an M1 Mac through a memory-corruption bug to defeat PAC and escalate to kernel-level code execution.
  • The attacker first needs a memory bug in software on the targeted Mac, one whose exploitation PAC would normally block. PACMAN is used to bypass PAC so that the bug can be escalated into a more serious security flaw.
  • PACMAN is an exploitation technique, not a vulnerability on its own: it cannot compromise a system without such a bug. The hardware side channel it relies on cannot be fixed in shipped silicon, but the memory-corruption bugs it needs can be patched in software.
  • Guessing a PAC the naive way is noisy: a wrong guess fails authentication and, in the kernel, panics the entire system. PACMAN avoids this by only ever checking a guessed PAC speculatively and recovering the outcome through a microarchitectural side channel, so wrong guesses never fault, the system never crashes, and no traces are left in logs.
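The following simulation, added here and not code from the researchers or from Apple, shows the two halves of the story above: how a PAC in the upper pointer bits catches a corrupted pointer, and why guessing the PAC only pays off when wrong guesses do not fault. The PAC function is a toy 16-bit keyed permutation standing in for the real QARMA-based PAC, the key, target address and modifier are constructed demo values, and the speculative side channel is modelled as an oracle that reports whether a guess would authenticate without ever crashing anything.

```c
/* Added simulation of ARMv8.3 Pointer Authentication and of the PACMAN
 * guessing strategy. Not Apple's or ARM's implementation: the PAC is a toy
 * 16-bit keyed permutation of the folded address (a stand-in for QARMA), and
 * the speculative side channel is an oracle that never faults. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAC_SHIFT 48                                 /* PAC occupies bits 48..63 */
#define PAC_MASK  ((uint64_t)0xFFFF)
#define ADDR_MASK (((uint64_t)1 << PAC_SHIFT) - 1)   /* 48-bit virtual address */

/* Fold the 48-bit address into 16 bits; one flipped address bit flips exactly
 * one folded bit. */
static uint16_t fold48(uint64_t addr) {
    return (uint16_t)(addr ^ (addr >> 16) ^ (addr >> 32));
}

/* Toy keyed 16-bit permutation: xor round key, multiply by an odd constant,
 * xorshift. Every step is a bijection, so distinct inputs give distinct PACs. */
static uint16_t keyed_perm16(uint64_t key, uint16_t x) {
    for (int i = 0; i < 4; i++) {
        x ^= (uint16_t)(key >> (16 * i));
        x = (uint16_t)(x * 0x9E37u);
        x ^= (uint16_t)(x >> 7);
    }
    return x;
}

static uint16_t toy_pac(uint64_t key, uint64_t addr, uint64_t modifier) {
    uint64_t k = key ^ (modifier * 0x9E3779B97F4A7C15ULL);   /* bind the modifier */
    return keyed_perm16(k, fold48(addr & ADDR_MASK));
}

/* Sign (the PACIA/PACDA step): store the PAC in the unused upper bits. */
uint64_t pac_sign(uint64_t key, uint64_t ptr, uint64_t modifier) {
    uint64_t addr = ptr & ADDR_MASK;
    return addr | ((uint64_t)toy_pac(key, addr, modifier) << PAC_SHIFT);
}

/* Authenticate (the AUTIA/AUTDA step). On real hardware a mismatch poisons the
 * pointer and its next use faults; inside the kernel that fault is a panic. */
bool pac_auth(uint64_t key, uint64_t signed_ptr, uint64_t modifier, uint64_t *out) {
    uint64_t addr = signed_ptr & ADDR_MASK;
    uint16_t got = (uint16_t)((signed_ptr >> PAC_SHIFT) & PAC_MASK);
    if (got != toy_pac(key, addr, modifier)) return false;
    *out = addr;
    return true;
}

/* Defender's view: the untouched pointer authenticates back to its address,
 * while a pointer whose address bits a memory bug corrupted no longer does. */
bool pac_detects_tamper(uint64_t key, uint64_t ptr, uint64_t modifier) {
    uint64_t good = pac_sign(key, ptr, modifier), corrupted = good ^ 0x10, out;
    return pac_auth(key, good, modifier, &out) && out == (ptr & ADDR_MASK)
        && !pac_auth(key, corrupted, modifier, &out);
}

struct brute_result {
    uint64_t guesses;   /* PAC values tried */
    uint64_t panics;    /* architectural faults, i.e. simulated kernel panics */
    uint64_t forged;    /* signed pointer the attacker ends up with, if any */
    bool ok;
};

/* Naive guessing: the guess is committed architecturally, so a wrong PAC
 * panics the kernel and the attacker gets exactly one try. */
struct brute_result naive_brute_force(uint64_t key, uint64_t addr, uint64_t modifier) {
    struct brute_result r = {1, 0, 0, false};
    uint64_t out, cand = (addr & ADDR_MASK) | ((uint64_t)0 << PAC_SHIFT);
    if (pac_auth(key, cand, modifier, &out)) { r.forged = cand; r.ok = true; }
    else r.panics = 1;                               /* system is down; no retry */
    return r;
}

/* PACMAN-style guessing: authentication runs only under mis-speculation and the
 * outcome is read back through a microarchitectural side channel, so a wrong
 * guess never faults and leaves nothing in the logs. The oracle models that. */
static bool speculative_oracle(uint64_t key, uint64_t cand, uint64_t modifier) {
    uint64_t out;
    return pac_auth(key, cand, modifier, &out);      /* no fault on mismatch */
}

struct brute_result pacman_brute_force(uint64_t key, uint64_t addr, uint64_t modifier) {
    struct brute_result r = {0, 0, 0, false};
    for (uint64_t guess = 0; guess <= PAC_MASK; guess++) {
        uint64_t cand = (addr & ADDR_MASK) | (guess << PAC_SHIFT);
        r.guesses++;
        if (speculative_oracle(key, cand, modifier)) { r.forged = cand; r.ok = true; break; }
    }
    return r;                                        /* r.panics stays 0 */
}

int main(void) {
    /* Constructed demo values: key, 48-bit target address, modifier. */
    const uint64_t key = 0x0123456789ABCDEFULL, target = 0x0000000100004000ULL, mod = 0x42;
    struct brute_result n = naive_brute_force(key, target, mod);
    struct brute_result p = pacman_brute_force(key, target, mod);
    printf("tamper detected: %s\n", pac_detects_tamper(key, target, mod) ? "yes" : "no");
    printf("naive : ok=%d guesses=%llu panics=%llu\n", n.ok,
           (unsigned long long)n.guesses, (unsigned long long)n.panics);
    printf("pacman: ok=%d guesses=%llu panics=%llu forged=0x%016llx\n", p.ok,
           (unsigned long long)p.guesses, (unsigned long long)p.panics,
           (unsigned long long)p.forged);
    return 0;
}
```

The point of the two brute-force routines is the accounting, not the loop: with a 16-bit PAC the naive attacker has a 1 in 65,536 chance before the first panic, whereas an oracle that answers without faulting lets the attacker walk the whole space silently and finish with a correctly signed pointer. Real PACs are keyed with per-boot keys and a context modifier, which the toy reproduces only in shape.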

Additional insights

According to the researchers, this side-channel attack is not an immediate threat to Mac users, since it only works in combination with additional security vulnerabilities.
  • The hardware side channel cannot be patched, but the memory-corruption bugs the attack depends on can be fixed in software.
  • Mac users who keep their software up to date are therefore considered protected from this attack.

Conclusion

Apple has stated that the issue does not pose an immediate risk to users and is insufficient on its own to bypass device protections. Experts added that the attack has no real-world impact yet; the work was validated by a student and one of the four researchers behind PACMAN.

Cyware Publisher
