Researchers from MIT discovered a new vulnerability in Apple's M1 chip. Joseph Ravichandran, Weon Taek Na and Weon Taek Na led the team that demonstrated how the attack, dubbed PACMAN, can bypass one of the M1 chips' deepest defenses. Although it sounds terrifying, it isn't as scary as it seems. Attackers can only use PACMAN in order to exploit a memory bug in the system. This can be fixed.
It is important to understand "pointers", which are the basic bits of code that a CPU uses in order to run your computer. It is the bit that points to another variable in memory. They allow the computer to perform operations without needing to use the entire variable. They can be compared to the index in a book. It's faster to scan an index of a book than the entire book if you need to verify that "coffee" has been mentioned. Pointers are a common attack vector because they are so crucial. You can manipulate the pointers to trick the CPU into doing certain things.
Ravichandran, one co-lead author of the paper, stated that pointer authentication made it much more difficult to attack certain bugs. PACMAN exploits these bugs.
Pointer authentication uses a 16-bit cryptographic haveh, called a Pointer Authentication code, or PAC, to protect pointers against being altered. To change a pointer's PAC value, an attacker must have it active. In order to do so, the system will crash.
PACMAN's biggest innovation is a method to brute force and determine the PAC values of a pointer without crashing it. Researchers call this the "PAC Oracle", and it can guess all 65,536 possible PAC value in less than three minutes without crashing any system. It performs these operations by running them as "speculative executs". This is where it does the operation in case it has to, but it doesn't actually follow through. So pointer authentication is never challenged. This is where the software bug must work.
Guessing the values is not enough. The PAC Oracle must also know when it correctly guesses. To determine if the TLB changes, it watches a hardware memory store called translation lookaside buffer (or PAC Oracle). It will not change if it makes a wrong guess. If it is right, it will alter one of the items stored in the TLB.
Once the PAC has been identified for a particular pointer, an attacker can use the existing software bug in order to take control of the kernel and do whatever they like. They can install malware or ransomware on your computer, take all your files and do whatever hackers want. These details may seem complicated, but they are actually very simple. For a complete explanation of PACMAN, see the research paper.
PACMAN is a serious vulnerability that can't be fixed or patched because it depends on the hardware features of M1 chips. However, it is important to remember that older chips are more secure than the M1 chip. To exploit this exploit, you must have an existing software bug that can be fixed. Pointer authentication protects your computer against any exploits that attempt to bypass it. Ravichandran said that "We have shown that pointer authentication is not as effective as we thought."
This is just part of the big cybersecurity game. There are always bugs and exploits that can be used to bypass any new security system. Researchers will discover new vulnerabilities and ways to circumvent attacks such as PACMAN in the next generation of chips.
There is no evidence that PACMAN has been used in the wild. It relies on an existing bug so it is best to keep your computer updated. This exploit is compatible with M1 chips. Although it has not been confirmed by the researchers that it works with M2 chips (which Apple recently introduced), they believe it to be possible.
The researchers alerted Apple to the problem last year. TechCrunch received a statement from Apple stating that the researchers had informed it about the issue. "This proof of concept has advanced our understanding of these techniques and we want to thank them for their cooperation." We concluded that this issue is not a risk to users and does not allow for the bypassing of operating system security protections based on our analysis.
Overall, it's probably an accurate assessment. Hacks and attacks are possible on all computers. This is another tool that bad actors can use and which chip engineers will need to fix. One mole gets whacked and another comes out.
