Researchers at MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) have discovered a new security vulnerability targeting Apple's popular M1 processor. The attack, called PACMAN, is capable of bypassing the last line of defense against software bugs on the M1 and possibly other ARM-based processors.
PACMAN attacks pointer authentication, which is the final stop for most software vulnerabilities. Pointer authentication confirms that a pointer in the program was not altered in any malicious manner, functioning as a "safety net … in the worst case," as MIT PhD student Joseph Ravichandran put it. MIT researchers developed PACMAN as a way to guess the pointer authentication signature, bypassing this critical security mechanism. The researchers say PACMAN exploits a hardware mechanism, so a software patch will not be able to fix it.
The attack works by trying pointer authentication values and using a hardware side channel to learn whether each guess was correct. All of this takes place under speculative execution, in which the processor runs instructions ahead of time that may turn out not to be needed, which means the guesses leave no trace.
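To make the mechanism concrete, here is an added model of pointer authentication that is not from the article or from MIT's work: a pointer is signed by placing a short tag (the PAC) in its unused upper bits, and authentication recomputes the tag and rejects the pointer if it has been tampered with. The layout (48-bit virtual addresses, 16 PAC bits) and the use of HMAC-SHA256 in place of the hardware's QARMA-based PAC function are assumptions for illustration; the point it shows is the defensive property the article describes (a corrupted pointer fails the check) and why the PAC's limited width matters once an attacker has an oracle that says whether a guess was right.

```python
import hmac
import hashlib

# Assumed toy layout: 48-bit virtual addresses leave the top 16 bits of a
# 64-bit pointer free to carry the PAC. Real ARMv8.3 PAC uses the QARMA
# block cipher and a layout that depends on VA size and TBI; this is a model.
VA_BITS = 48
PAC_BITS = 64 - VA_BITS
VA_MASK = (1 << VA_BITS) - 1


def _pac(ptr: int, key: bytes, context: int) -> int:
    """Truncated tag over (pointer, context); stand-in for the hardware PAC function."""
    msg = (ptr & VA_MASK).to_bytes(8, "little") + (context & 0xFFFFFFFFFFFFFFFF).to_bytes(8, "little")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    # Keep only PAC_BITS bits of the tag, matching the space available in the pointer.
    return int.from_bytes(tag[:8], "little") >> VA_BITS


def sign_pointer(ptr: int, key: bytes, context: int = 0) -> int:
    """Model of PACIA/PACDA: embed the PAC in the unused upper bits of ptr."""
    if ptr & ~VA_MASK:
        raise ValueError("pointer must fit in VA_BITS (already signed or non-canonical)")
    return ptr | (_pac(ptr, key, context) << VA_BITS)


def authenticate_pointer(signed: int, key: bytes, context: int = 0):
    """Model of AUTIA/AUTDA: return (ok, stripped pointer).

    On the real CPU a failed check yields a poisoned pointer that faults when
    used; the model simply reports the outcome so callers can see the check."""
    ptr = signed & VA_MASK
    expected = _pac(ptr, key, context)
    ok = (signed >> VA_BITS) == expected
    return ok, ptr


def pac_guess_space() -> int:
    """Upper bound on distinct PAC values: what a per-guess correctness oracle
    reduces the problem to, which is why PAC_BITS is a mitigation, not a key."""
    return 1 << PAC_BITS


if __name__ == "__main__":
    key = b"per-process key held by the kernel (constructed sample)"
    ret_addr = 0x00007FFF12345678          # constructed return address
    modifier = 0x1000                       # models the stack-pointer modifier
    signed = sign_pointer(ret_addr, key, modifier)
    print("signed pointer:", hex(signed))
    print("intact:        ", authenticate_pointer(signed, key, modifier))
    # An overwritten return address keeps the old PAC and fails the check.
    print("tampered:      ", authenticate_pointer(signed ^ 0x10, key, modifier))
    print("PAC guess space:", pac_guess_space())
```

Running the block shows the intact pointer authenticating and the overwritten one failing; the last line prints the size of the PAC space, which is the quantity an attacker with a side-channel oracle is working against.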
"The idea behind pointer authentication is that if all else fails, you can still rely on it to prevent attackers from gaining control of your system," said Ravichandran, who co-wrote the PACMAN report. "We've shown that pointer authentication as a last line of defense is not as absolute as we once thought."
No worries, for now
Although PACMAN is scary for the M1 and other ARM-based systems that use pointer authentication, MIT researchers say there's no reason to be concerned right now. PACMAN only lets an attacker exploit software bugs that pointer authentication would otherwise block. In short, a software vulnerability must already exist for PACMAN to do anything.
For its part, Apple is usually quick to respond to vulnerabilities. Apple paid a student $100,000 for finding a webcam hack on Macs earlier this year, for example, and a MacOS Monterey update in March fixed two major security flaws facing Macs. MIT says the PACMAN attack is more focused on the processors of the future.
Ravichandran told Digital Trends in an interview that the team only targeted the M1, informing Apple of the matter in 2021. He says "the question is not whether current ARM processors are vulnerable, but whether future ARM processors are also vulnerable." We contacted ARM, which says it is aware of the vulnerability and plans to release an update on the ARM Security Center Developer website after its investigation is completed.
We also contacted Apple, which said: "We want to thank the researchers for their cooperation because this proof of concept promotes our understanding of these techniques. Based on our analysis and also the details shared with us by the researchers, we have concluded that this problem does not pose an immediate risk to our users and is not sufficient to bypass operating system security protections on its own."
Although PACMAN does not pose an immediate threat to the M1, MIT's findings are nonetheless timely. Apple recently unveiled the M2 processor, which is likely to use pointer authentication as well. Ravichandran offers some advice for problems that could arise from PACMAN with future chips: "Developers should be careful not to rely only on pointer authentication to protect their software."
Apple does not seem too worried, and neither do the MIT researchers. Ravichandran says that, although pointer authentication is "used everywhere in PAC-enabled binaries (like the macOS kernel)," it only comes into play "as a last step in operation, when everything but pointer authentication has been bypassed."
This does not mean, however, that PACMAN is harmless. Ravichandran warned that "using PACMAN to bypass pointer authentication opens the door to arbitrary code execution that would give the attacker complete control of a device." The researchers also suspect that future ARM processors with pointer authentication could be vulnerable as well.
This is not the first vulnerability the M1 has faced. Researchers spotted a hardware vulnerability in the M1 in May, but it was not considered a major problem and did not cause widespread problems.
MIT researchers will present their full results on June 18 at the International Symposium on Computer Architecture.
How can you protect yourself?
PACMAN poses no immediate threat, so you don't need to do anything right now to protect yourself. Because PACMAN only works if software bugs exist, it's important to keep MacOS and your software up to date. Be sure to read our guide on how to update your Mac, and frequently check for software updates for the applications installed on your computer.
Ravichandran repeated that advice: “Keep your software up to date!”