
PACMAN M1 Chip Attack Explained


Author: Dalibor Gašić / Last Updated: 7/31/2022

Reviewed By: Josh Allen & Michael Swanagan, CISSP, CISA, CISM

Summary Of The Attack

 

  • The team at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) has discovered a way to attack the pointer authentication in Apple’s M1 chip to execute arbitrary code on Macintosh systems.
  • The attack does not require physical access to the chip. Researchers did their experiments over the network on a machine in another room.
  • The team disclosed the vulnerability to Apple several months in advance, so it has engaged in responsible disclosure.
  • The team hasn’t filed a Common Vulnerabilities and Exposures (CVE) number but plans to file one soon.
  • The most interesting part of this whole story is that Apple won’t be able to fix this issue. According to the company, it doesn’t pose a threat because it depends on other vulnerabilities to work.

 

 

What Is The M1 Chip Vulnerability?

 

In November 2020, Apple’s M1 processor caused quite a positive stir when it was launched.

 

With its incredible performance and class-leading power efficiency, it topped the benchmark lists ahead of every other processor, including those from Intel and AMD.

 

The lack of serious attacks since the launch nearly two years ago suggests that the security systems, including a last line of defense called pointer authentication codes (PAC), are working well.

 

But unfortunately, as we know in our cyber world, there is always a vulnerability that wreaks havoc.

How Does The M1 Chip Attack Work?

 

The team at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) has discovered a way to attack the pointer authentication in Apple’s M1 chip to execute arbitrary code on Macintosh systems.

 

 

The team says that the vulnerability is found in other ARM chips, not just the M1 – but it hasn’t yet had the chance to try it against the M2.

 

To understand the attack and the mechanism it targets, we first have to describe PAC itself.

 

Pointer Authentication is a security feature that adds a cryptographic signature, called a Pointer Authentication Code (PAC), to operating system pointers.

 

This allows the OS to spot and block unexpected changes that may lead to data leaks.

PACMAN Vs. M1

 

Researchers from MIT’s CSAIL have uncovered this new class of attack, which could allow individuals with malicious intent and physical access to Macintosh devices with M1 CPUs to access the underlying file system.

 

  • The attacker first finds a memory bug in the targeted Mac’s software that PAC would normally block, then bypasses the PAC defenses to escalate it into a more serious vulnerability.
  • The attack is an exploitation technique, and on its own it has no impact on the system. While there is no fix for the hardware mechanisms used in the attack, the software memory-corruption bugs it builds on can be patched.
  • An incorrect PAC guess would normally crash the kernel and bring down the entire system. PACMAN, however, ensures that no system crash occurs and no traces are left in the logs.

 

The attack does not require physical access to the chip.

 

Researchers did their experiments over the network on a machine in another room.

 

PACMAN takes an existing software bug and turns it into a more serious exploitation primitive (a pointer authentication bypass) which may lead to arbitrary code execution.

 

“In order to do this, we need to learn what the PAC value is for a particular victim pointer. PACMAN does this by creating what we call a PAC Oracle, which is the ability to tell if a given PAC matches a specified pointer. The PAC Oracle must never crash if an incorrect guess is supplied. We then brute force all possible PAC values using the PAC Oracle.”
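The PAC mechanism and the PAC Oracle quoted above, modeled in Python as an added example (this is not code from the MIT team, Apple or PurpleSec): a pointer is signed with a keyed MAC stored in its unused upper bits, authentication re-derives the MAC, and the model shows why exactly one of the 65536 candidate PACs passes while every other guess would fault. The 48-bit address space, 16-bit PAC width, HMAC-SHA256 and the demo key are assumptions of this toy model, not the real hardware layout.

```python
import hmac
import hashlib

# Toy layout (assumed for this model): 48-bit virtual addresses leave the upper
# bits free, and 16 of them carry the PAC. Real widths depend on the VA configuration.
VA_BITS = 48
PAC_BITS = 16
PTR_MASK = (1 << VA_BITS) - 1
PAC_MASK = ((1 << PAC_BITS) - 1) << VA_BITS
PAC_SPACE = 1 << PAC_BITS          # 65536 possible PAC values


def compute_pac(key: bytes, ptr: int, modifier: int) -> int:
    """Keyed MAC over (address, modifier), truncated to PAC_BITS.
    HMAC-SHA256 stands in for the hardware's pointer-authentication cipher."""
    msg = (ptr & PTR_MASK).to_bytes(8, "little") + (modifier & (2**64 - 1)).to_bytes(8, "little")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:2], "little")     # two bytes = 16 bits = PAC_BITS


def sign(key: bytes, ptr: int, modifier: int) -> int:
    """Model of a PAC* instruction: store the PAC in the unused upper pointer bits."""
    return (ptr & PTR_MASK) | (compute_pac(key, ptr, modifier) << VA_BITS)


def is_authentic(key: bytes, signed_ptr: int, modifier: int) -> bool:
    """Model of an AUT* check: does the embedded PAC match the address and modifier?"""
    ptr = signed_ptr & PTR_MASK
    return (signed_ptr & PAC_MASK) >> VA_BITS == compute_pac(key, ptr, modifier)


def authenticate(key: bytes, signed_ptr: int, modifier: int) -> int:
    """Strip the PAC and return the plain address, or raise. On real hardware a
    failed AUT* yields an invalid pointer whose use faults, which is how an
    incorrect guess normally becomes the kernel crash the article describes."""
    if not is_authentic(key, signed_ptr, modifier):
        raise ValueError("pointer authentication failed")
    return signed_ptr & PTR_MASK


def accepted_pac_values(key: bytes, ptr: int, modifier: int) -> list:
    """Check every candidate PAC for one (address, modifier) pair and return those
    the check accepts. Exactly one of PAC_SPACE candidates passes; each of the
    other 65535 would fault, which is why the PAC Oracle must never crash on a
    wrong guess for the brute force described above to be viable."""
    base = ptr & PTR_MASK
    return [pac for pac in range(PAC_SPACE)
            if is_authentic(key, base | (pac << VA_BITS), modifier)]
```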

 

The team disclosed the vulnerability to Apple several months in advance, so it has engaged in responsible disclosure.

 

However, the team hasn’t filed a Common Vulnerabilities and Exposures (CVE) number but plans to file one soon.

 

The MIT researchers have not witnessed this attack being used in the wild. They added that there is no need to worry as long as users keep their software up to date.

Apple’s Response & Mitigation Steps

 

Apple’s product team responded as follows:

 

“We’d like to thank the researchers for their collaboration as this proof-of-concept improves our understanding of these techniques. Based on our analysis and the details shared with us by the researchers, we’ve concluded that this issue doesn’t pose an immediate risk to our users and isn’t sufficient to bypass device protection on its own.”

 

The most interesting part of this whole story is that Apple won’t be able to fix this issue. According to the company, it doesn’t pose a threat because it depends on other vulnerabilities to work.

 

However, if you keep your device updated, you can protect yourself from it, as the attack, called PACMAN, relies on other software flaws that it exploits to defeat pointer authentication.

 

Thus, by itself, PACMAN cannot compromise your computer, but it builds on other flaws to cause further problems.

Dalibor Gašić

Dalibor is a Senior Security Engineer with experience in penetration testing, having recently served over 8 years in the Ministry of Internal Affairs in the Department of Cyber Security in Serbia.