Why it matters: Researchers have identified a new attack that defeats one of the M1's hardware security features. The attack, named PACMAN, bypasses pointer authentication codes (PACs), a CPU feature designed to stop an attacker from turning a memory-corruption bug into control-flow hijacking. Because the guesses are made inside speculative execution, the attack leaves no trace in the form of crashes or faults, and because the weakness lies in how the hardware handles speculation, it cannot be patched out of existing chips ahead of time.

Led by MIT's Mengjia Yan, researchers at MIT's Computer Science and Artificial Intelligence Laboratory (MIT CSAIL) created a new attack that combines an existing memory-corruption bug with speculative execution to bypass the M1's defense. The team's proof of concept also demonstrated the attack against the operating-system kernel, which could have far-reaching consequences for any ARM system that relies on PAC.

PAC protects the OS kernel by storing a short cryptographic signature of a pointer in the pointer's unused upper bits; if the pointer is modified and the signature no longer matches, authentication fails and the kernel crashes rather than using the pointer. PACMAN's reliance on speculative execution and repeated guessing is what makes it work. Because there is only a finite number of PAC values, the team determined that an attacker could find the correct one simply by trying them all. That, however, requires making many guesses without raising an exception each time a value is wrong, and the researchers figured out how to do so.

According to the team, each guess has roughly a 1 in 65,000 chance of being correct (a 16-bit PAC has 65,536 possible values). Unlike a conventional brute-force attempt, PACMAN makes each guess inside speculative execution, so a bad guess never raises an architectural exception and never crashes the victim; the attacker learns whether the guess was right through a microarchitectural timing side channel instead. Once the correct PAC is known, an attacker who already has a memory-corruption bug can forge a validly signed pointer and hijack control flow without PAC stopping them.
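The two paragraphs above describe PAC as a short signature in the pointer's upper bits, a brute-force search over a finite PAC space, and the need for a guessing oracle that does not crash the victim. The model below, an added example that is not code from the PACMAN paper, MIT CSAIL, or Apple, makes those three points concrete. It assumes a 48-bit virtual address so that the PAC occupies the upper 16 bits (65,536 values), and uses a toy keyed hash in place of the QARMA cipher the hardware uses; `pac_sign`, `pac_auth`, `arch_oracle`, `spec_oracle` and `brute_force_pac` are names chosen here, not ARM or Apple APIs.

```c
/*
 * Model of ARMv8.3 pointer authentication and of the PAC brute-force search.
 * Added example: not code from the PACMAN paper, MIT CSAIL, or Apple.
 * Assumptions (not from the article): a 48-bit virtual address, so the PAC
 * occupies the upper 16 bits; a toy keyed hash stands in for QARMA.
 */
#include <stdint.h>
#include <stdio.h>

#define VA_BITS   48
#define PAC_BITS  (64 - VA_BITS)          /* 16 bits -> 65,536 possible PACs */
#define ADDR_MASK (((uint64_t)1 << VA_BITS) - 1)
#define PAC_MASK  (((uint64_t)1 << PAC_BITS) - 1)

/* Number of distinct PAC values an attacker has to try in the worst case. */
uint64_t pac_space_size(void) { return (uint64_t)1 << PAC_BITS; }

/* Toy keyed hash (assumption: a stand-in for the hardware QARMA cipher). */
static uint64_t toy_mac(uint64_t addr, uint64_t ctx, uint64_t key) {
    uint64_t x = addr ^ (ctx * 0x9E3779B97F4A7C15ULL) ^ key;
    x ^= x >> 33; x *= 0xFF51AFD7ED558CCDULL;
    x ^= x >> 33; x *= 0xC4CEB9FE1A85EC53ULL;
    x ^= x >> 33;
    return x;
}

/* PACIA-style sign: MAC(addr, ctx, key) truncated to PAC_BITS and stored in
 * the otherwise-unused upper bits of the pointer. */
uint64_t pac_sign(uint64_t ptr, uint64_t ctx, uint64_t key) {
    uint64_t addr = ptr & ADDR_MASK;
    uint64_t pac  = toy_mac(addr, ctx, key) & PAC_MASK;
    return addr | (pac << VA_BITS);
}

/* AUTIA-style check: returns 1 and the stripped address on match, 0 on
 * mismatch. On hardware a mismatch yields a poisoned (non-canonical) pointer,
 * so the next dereference or branch through it faults and the process dies. */
int pac_auth(uint64_t signed_ptr, uint64_t ctx, uint64_t key, uint64_t *out) {
    uint64_t addr     = signed_ptr & ADDR_MASK;
    uint64_t got      = (signed_ptr >> VA_BITS) & PAC_MASK;
    uint64_t expected = toy_mac(addr, ctx, key) & PAC_MASK;
    if (got != expected) return 0;
    *out = addr;
    return 1;
}

/* Victim state the attacker cannot read: the per-process key and context. */
struct victim { uint64_t key, ctx; int crashed; };

/* Architectural guess: the candidate is authenticated and actually used, so
 * the first wrong guess crashes the victim and the search is over. */
int arch_oracle(uint64_t candidate, void *state) {
    struct victim *v = state; uint64_t addr;
    if (pac_auth(candidate, v->ctx, v->key, &addr)) return 1;
    v->crashed = 1;
    return -1;
}

/* Speculative guess: authentication and use happen only on a mis-speculated
 * path, so no fault reaches the OS; the attacker reads the verdict from a
 * microarchitectural side channel, modelled here as a plain return value. */
int spec_oracle(uint64_t candidate, void *state) {
    struct victim *v = state; uint64_t addr;
    return pac_auth(candidate, v->ctx, v->key, &addr) ? 1 : 0;
}

/* Try every PAC for target_addr. Returns the number of guesses used, or -1 if
 * the oracle reported that the victim crashed before a match was found. */
long brute_force_pac(uint64_t target_addr, int (*oracle)(uint64_t, void *),
                     void *state, uint64_t *found) {
    for (uint64_t pac = 0; pac <= PAC_MASK; pac++) {
        uint64_t candidate = (target_addr & ADDR_MASK) | (pac << VA_BITS);
        int r = oracle(candidate, state);
        if (r == 1) { *found = candidate; return (long)pac + 1; }
        if (r < 0)  return -1;
    }
    return -1;
}

int main(void) {
    struct victim v = { 0x0123456789ABCDEFULL, 0x42, 0 };  /* constructed */
    uint64_t target = 0x000000010000A000ULL, found = 0;

    long n = brute_force_pac(target, arch_oracle, &v, &found);
    printf("architectural guessing: %s\n",
           v.crashed ? "victim crashed on the first wrong guess" : "lucky hit");

    v.crashed = 0;
    n = brute_force_pac(target, spec_oracle, &v, &found);
    printf("speculative oracle: PAC 0x%04llx found after %ld of %llu guesses\n",
           (unsigned long long)(found >> VA_BITS), n,
           (unsigned long long)pac_space_size());
    return 0;
}
```

Two caveats for anyone mapping this back to real hardware: the PAC width depends on the configured address size (and on the kernel's own pointer layout), so the 16-bit figure is a simplification, and `spec_oracle` only models the effect of PACMAN's side channel (the paper's actual oracle is a TLB-based timing measurement on the speculative path), not its implementation.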

Despite the MIT team's findings, Apple's Scott Radcliffe downplayed the discovery and its potential impact.

“[The exploit] does not pose an immediate threat to our users and by itself is not sufficient to bypass operating system protections,” said Radcliffe.

Apple currently uses PAC across its custom ARM silicon. Other manufacturers, including Qualcomm and Samsung, have also announced plans to adopt pointer authentication as a hardware-level security feature. If the weakness is not mitigated, it will affect most mobile (and possibly desktop) devices, according to the research team.

Image credit: PACMAN attack