MIT researchers discover ‘fatal’ flaw in Apple M1 chips



MIT researchers have discovered that Apple’s M1 chips have an “unrecoverable” hardware vulnerability that could allow attackers to break through the last line of defense.


The vulnerability lies in a hardware-level security mechanism used in Apple M1 chips called Pointer Authentication Codes, or PACs. This feature makes it much harder for an attacker to inject malicious code into the device’s memory and provides a layer of protection against buffer overflow exploits, a type of attack that writes past the end of a buffer into adjacent memory.


However, researchers at MIT’s Computer Science and Artificial Intelligence Laboratory have created a new hardware attack that combines memory corruption and speculative execution attacks to bypass the security feature. The attack shows that pointer authentication can be bypassed without leaving a trace, and because it uses a hardware mechanism, no software patch can fix it.

Appropriately named “Pacman”, the attack works by “guessing” a Pointer Authentication Code (PAC), a cryptographic signature that verifies that an application has not been maliciously modified. This is done through speculative execution, a technique used by modern processors to improve performance by speculatively running different paths of computation ahead of time, to leak the result of a PAC check while a hardware side channel reveals whether the guess was correct or not.


What’s more, since there aren’t many possible PAC values, the researchers found that they could try them all to find the right one.
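To make the two preceding points concrete, the following is an added illustrative model of pointer authentication; it is not code from the MIT paper or from Apple. It signs a pointer by storing a short MAC of the pointer and a context value in the unused upper bits, verifies it before use, and shows that a corrupted pointer fails the check. The PAC width (16 bits) and address width (48 bits) are assumptions for illustration, and HMAC-SHA256 stands in for the hardware’s own cipher; the point of `pac_guess_space()` is simply how small the space of possible PAC values is, which is what makes exhaustive guessing feasible.

```python
import hmac
import hashlib
from typing import Optional

# Assumed parameters for illustration only: the real PAC width depends on the
# virtual address size configured on the hardware.
VA_BITS = 48                         # assumed usable virtual address width
PAC_BITS = 16                        # assumed PAC width stored in the upper bits
PTR_MASK = (1 << VA_BITS) - 1        # low bits: the actual address
PAC_MASK = (1 << PAC_BITS) - 1
PAC_SHIFT = VA_BITS                  # PAC sits directly above the address bits

# Constructed key; on real hardware the key lives in a register the
# application cannot read.
DEMO_KEY = bytes(range(16))


def compute_pac(key: bytes, ptr: int, context: int) -> int:
    """Stand-in for the hardware MAC: HMAC-SHA256 truncated to PAC_BITS."""
    msg = ptr.to_bytes(8, "little") + context.to_bytes(8, "little")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "little") & PAC_MASK


def sign_pointer(key: bytes, ptr: int, context: int) -> int:
    """Model of a 'sign' instruction: embed the PAC in the pointer's spare bits."""
    if ptr & ~PTR_MASK:
        raise ValueError("pointer already uses the bits reserved for the PAC")
    return ptr | (compute_pac(key, ptr, context) << PAC_SHIFT)


def authenticate_pointer(key: bytes, signed: int, context: int) -> Optional[int]:
    """Model of an 'authenticate' instruction.

    Returns the bare pointer if the PAC matches, otherwise None (real hardware
    instead produces a pointer that faults when used).
    """
    ptr = signed & PTR_MASK
    if (signed >> PAC_SHIFT) & PAC_MASK != compute_pac(key, ptr, context):
        return None
    return ptr


def pac_guess_space() -> int:
    """Number of distinct PAC values an attacker would have to try at most."""
    return 1 << PAC_BITS


def count_valid_pacs(key: bytes, ptr: int, context: int) -> int:
    """How many of all possible PAC values authenticate for one pointer/context.

    Exactly one does, so a verify step that leaks pass/fail is an oracle over a
    space of only pac_guess_space() candidates.
    """
    return sum(
        1 for candidate in range(pac_guess_space())
        if authenticate_pointer(key, ptr | (candidate << PAC_SHIFT), context) is not None
    )


def demo() -> dict:
    """Sign a constructed return address, then show a corrupted copy is rejected."""
    return_address = 0x0000_1000_4242_0010   # constructed sample address
    stack_pointer = 0x0000_7FFF_0000_0200    # constructed context value
    signed = sign_pointer(DEMO_KEY, return_address, stack_pointer)
    # Simulate a buffer overflow overwriting the low bytes of the saved pointer.
    corrupted = signed ^ 0x80
    return {
        "authentic": authenticate_pointer(DEMO_KEY, signed, stack_pointer),
        "corrupted": authenticate_pointer(DEMO_KEY, corrupted, stack_pointer),
        "wrong_context": authenticate_pointer(DEMO_KEY, signed, stack_pointer + 16),
        "guess_space": pac_guess_space(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

With the assumed 16-bit PAC, a forged or overwritten pointer passes the check with probability 1/65536, which is why the page describes pointer authentication as a strong defense against an ordinary memory corruption bug but also why a side channel that reveals pass/fail for each guess, without ever triggering a visible fault, defeats it in at most 65536 tries.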

As a proof of concept, the researchers demonstrated that the attack even works against the kernel—the software core of the device’s operating system—with “major implications for future security work on all ARM systems with pointer authentication enabled,” said Joseph Ravichandran, a PhD student at MIT CSAIL and co-author of the research paper.

“The idea behind pointer authentication is that even if nothing else works, you can still rely on it to prevent attackers from gaining control of your system,” Ravichandran added. “We have shown that pointer authentication as a last line of defense is not as absolute as we once thought.”

Apple has implemented pointer authentication across all of its custom ARM-based silicon, including the M1, M1 Pro, and M1 Max, and a number of other chip makers, including Qualcomm and Samsung, have either announced or are expected to ship new processors that support the hardware-level security feature. MIT said it has not yet tested the attack on Apple’s unreleased M2 chip, which also supports pointer authentication.

“If not mitigated, our attack will affect most mobile devices and likely even desktop devices in the coming years,” the Massachusetts Institute of Technology research paper says.

The researchers, who presented their findings to Apple, noted that the Pacman attack is not a “magic bypass” of the entire security system on the M1 chip and can only exploit an existing bug that pointer authentication protects against. Apple did not comment on the record.

In May last year, a developer discovered an unfixable flaw in the Apple M1 chip that creates a covert channel through which two or more already installed malicious applications can transmit information to each other. But the flaw was ultimately deemed “harmless” because malware cannot use it to steal or interfere with data stored on the Mac.


Credit: techcrunch.com
