Newly identified PACMAN flaw in Apple M1 CPU can't be patched

Jimmy2x

Posts: 103   +8
Staff
What just happened? Researchers have revealed a newly discovered attack vector allowing malicious actors to overcome the M1's security features. The exploit allows the CPU's Pointer Authentication Codes (PAC), designed to defend against malicious code injection, to be sidestepped entirely. It also leaves no trace of an attack and cannot be proactively patched due to the exploit's hardware-based nature.

Led by MIT's Mengjia Yan, researchers from MIT's Computer Science and Artificial Intelligence Laboratory (MIT CSAIL) created the novel attack using a combination of memory corruption and speculative execution to bypass the M1's security. The research team's proof of concept also demonstrated the attack's effectiveness against the CPU kernel, which could have far-reaching impacts on any PAC-enabled ARM system.

A PAC typically guards the OS kernel by causing any mismatch between a PAC pointer and its authentication code to result in a crash. The PACMAN attack's reliance on speculative execution and repeated guesses is critical to its success. Due to the finite number of PAC values, the team determined that it would be possible for a malicious actor to find the correct PAC value by simply trying them all. However, this requires the ability to make multiple guesses without triggering an exception any time the values are incorrectly guessed. The researchers figured out a way to do just that.

According to the team, a given malware exploit would have a 1 in 65,000 chance of guessing the correct code and not producing an exception. Unlike other malware, PACMAN can prevent these wrong guesses from triggering an exception, resulting in the ability to avoid crashes. Once guessed, the malware can inject malicious code into the target's memory without resistance.

Despite the MIT team's findings, a statement by Apple's Scott Radcliffe attempted to downplay the discovery and its potential impact.

"[The exploit] does not pose an immediate threat to our users and is insufficient to bypass operating system security protections on its own," said Radcliffe.

Apple currently uses PAC on all of their custom ARM products. Other manufacturers, including Qualcomm and Samsung, have also signified their intent to employ the codes as a hardware-level security feature. According to the research team, failure to somehow mitigate the exploit will impact most mobile (and potentially desktop) devices.

Image credit: PACMAN attack

Permalink to story.

 

kiwigraeme

Posts: 1,118   +820
"not pose an immediate threat"
very carefully worded.

Probably need to have device at hand - to be fair - any criminal should encrypt damaging files - and be using good protocol - still probably hard not to leave trace evidence.

Big security risk - Is allows theft - and complete take over, wipe everything to say run linux, custom rom and sell on - maybe even still allow to keep as Apple product and bypass system checks
 

bviktor

Posts: 892   +1,313
"Impossible to patch" is not a thing. Not even with HW vulnerabilities. Refrain from such articles.

Your apps don't talk to the HW directly, they talk to the OS. Patch the OS and you're done.
 

GoldenGoat

Posts: 61   +60
I wonder how much performance boost you get from speculative execution. I wonder if companies will ever offer a CPU without it, marketed as a secure CPU. If the performance hit weren't too extreme, I bet it would sell well in some markets.
 

HardReset

Posts: 1,679   +1,335
"Impossible to patch" is not a thing. Not even with HW vulnerabilities. Refrain from such articles.

Your apps don't talk to the HW directly, they talk to the OS. Patch the OS and you're done.
Yeah, just like with Spectre and Meltdown vulnerabilities. They just talk to OS so no problem 🤔
 

envirovore

Posts: 493   +920
TechSpot Elite
"not pose an immediate threat"
very carefully worded.

Probably need to have device at hand - to be fair - any criminal should encrypt damaging files - and be using good protocol - still probably hard not to leave trace evidence.

Big security risk - Is allows theft - and complete take over, wipe everything to say run linux, custom rom and sell on - maybe even still allow to keep as Apple product and bypass system checks

Does not need device in hand, they executed this over a network with device in another room.

More info on an official site set up by the researchers:
https://pacmanattack.com/
 

Hodor

Posts: 36   +24
"Impossible to patch" is not a thing. Not even with HW vulnerabilities. Refrain from such articles.
Your apps don't talk to the HW directly, they talk to the OS. Patch the OS and you're done.


Wrong. Machine code produced by the compiler "talks" directly to the CPU. Apps execute specific hardware instructions of the CPU. The OS is only needed for higher level services. But the app doesn't consist only from OS calls. It also has its own code that is OS independent and executes HW instructions.

Unless of course the app is written in some interpreted language, in which case there's an interpreter layer between the high-level instructions and CPU, which supports only a subset of instructions. Which would result in slow apps that can't be efficiently extended with new algorithms.
 

Gezzer

Posts: 272   +139
This simply brings home the old adage that the only really secure computer is one you unplug, and keep in a locked vault for good measure. Everyone needs to know and use good computing habits. Those that don't... well if they don't fall to this exploit they'll simply be the victim of another.
 

human7

Posts: 50   +33
I'm not an expert, but as far as I can tell from glancing through the paper, this exploit would be very difficult to take advantage of in the wild. The researchers even performed the experiments on their own custom built OS that can run on the M1 SOC to get by some of the limitations of working on a closed-source platform. Additionally, the researchers note that a memory corruption bug is required to even start the PACMAN exploit process. Still, this exploit does cause concerns from a server/ cloud hosting environment because it allows one in userspace access to kernel space, so even a virtualized system could be vulnerable (if I understand it correctly).
 

kiwigraeme

Posts: 1,118   +820
I'm not an expert, but as far as I can tell from glancing through the paper, this exploit would be very difficult to take advantage of in the wild. The researchers even performed the experiments on their own custom built OS that can run on the M1 SOC to get by some of the limitations of working on a closed-source platform. Additionally, the researchers note that a memory corruption bug is required to even start the PACMAN exploit process. Still, this exploit does cause concerns from a server/ cloud hosting environment because it allows one in userspace access to kernel space, so even a virtualized system could be vulnerable (if I understand it correctly).
I'm no expert either - but it allows a permanent foothold - when you see reviews of a lot of zero days - they chain a lot of things together - is rare I think for the 1 punch stuff .
If you say look at Nintendo switch - hacked older models - I think Nintendo could put in some software protection - but it was again broken - not my thing.

I think in reality for most uses -probably not an issue going forward - but it will be used by State operatives etc
 

human7

Posts: 50   +33
"Impossible to patch" is not a thing. Not even with HW vulnerabilities. Refrain from such articles.

Your apps don't talk to the HW directly, they talk to the OS. Patch the OS and you're done.
When I can download more RAM, then "impossible to patch" will not be a thing. The Mac OS isn't even needed to exploit this vulnerability, indeed, the researchers wrote their own OS compatible with the M1 to do their research. They did this because Mac OS is a closed source platform. No patch to the OS, no patch to any hypervisor between the user, hardware, and/or OS, no patch to any application, will prevent PACMAN on the M1.

The only protection is that in order to begin the exploit process, you have to have a memory corruption bug first. But those are so ubiquitous that it would be hard to program a toaster without having one.