Author: Dalibor Gašić / Last Updated: 7/31/2022
Reviewed By: Josh Allen, & Michael Swanagan, CISSP, CISA, CISM
In November 2020, Apple’s M1 processor caused quite a positive stir when it was launched.
Combining exceptional performance with the lowest power consumption of any processor, including Intel's and AMD's, it topped every benchmark list and test.
The absence of serious attacks in the nearly two years since launch suggests that its security mechanisms, including a last line of defense called pointer authentication codes (PACs), are working well.
But unfortunately, as we know in our cyber world, there is always a vulnerability that wreaks havoc.
The team at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) has discovered a way to attack the pointer authentication in Apple’s M1 chip and execute arbitrary code on Macintosh systems.
Check out the paper and read all about the PACMAN attack here: https://t.co/6Kz3jnRtwI
Shout out to my co-lead author Weon and co authors Jay and Mengjia (my advisor). This was such a fun first PhD project and I can’t wait to hack on more stuff!
— Joseph Ravichandran (@0xjprx) June 10, 2022
The team says that the vulnerability is found in other ARM chips, not just the M1 – but it hasn’t yet had the chance to try it against the M2.
To understand the attack, and what it actually targets, we first have to look at the PAC itself.
Pointer Authentication is a security feature that attaches a cryptographic signature, called a Pointer Authentication Code (PAC), to the pointers the operating system uses.
This allows the OS to spot and block unexpected changes that may lead to data leaks.
Researchers from MIT’s CSAIL have uncovered this new class of attack, which would allow individuals with malicious intent who gain physical access to Macintosh devices with M1 CPUs to access the underlying file system.
The attack does not require physical access to the chip.
Researchers did their experiments over the network on a machine in another room.
PACMAN takes an existing software bug and turns it into a more serious exploitation primitive (a pointer authentication bypass) which may lead to arbitrary code execution.
“In order to do this, we need to learn what the PAC value is for a particular victim pointer. PACMAN does this by creating what we call a PAC Oracle, which is the ability to tell if a given PAC matches a specified pointer. The PAC Oracle must never crash if an incorrect guess is supplied. We then brute force all possible PAC values using the PAC Oracle.”
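A toy model of how a PAC is attached to and checked on a pointer, and of why a PAC Oracle that never crashes reduces the defender's margin to the size of the PAC space (an added illustration, not the researchers' or Apple's code: the HMAC stand-in for the hardware cipher, the 48-bit address split, the 16-bit PAC width and the demo key are all assumptions).

```python
import hmac
import hashlib

VA_BITS = 48                          # address bits in this model; the PAC sits above them
DEMO_KEY = b"constructed-demo-key"    # constructed stand-in for the per-process hardware key

class PointerAuthFault(Exception): pass  # a failed check; real hardware faults and the process dies

def compute_pac(key, ptr, modifier, pac_bits):
    """Toy PAC: keyed MAC over (pointer, modifier), truncated to pac_bits (HMAC is an assumption)."""
    msg = ptr.to_bytes(8, "little") + modifier.to_bytes(8, "little")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "little") & ((1 << pac_bits) - 1)

def sign_pointer(key, ptr, modifier, pac_bits):
    """PAC* equivalent: store the PAC in the pointer's unused upper bits."""
    if ptr >> VA_BITS:
        raise ValueError("pointer must fit in VA_BITS")
    return ptr | (compute_pac(key, ptr, modifier, pac_bits) << VA_BITS)

def authenticate(key, signed, modifier, pac_bits):
    """AUT* equivalent: strip the PAC and fault unless it matches the pointer."""
    ptr, pac = signed & ((1 << VA_BITS) - 1), signed >> VA_BITS
    if pac != compute_pac(key, ptr, modifier, pac_bits):
        raise PointerAuthFault(f"bad PAC {pac:#x} for pointer {ptr:#x}")
    return ptr

def tamper_is_detected(key, ptr, modifier, pac_bits):
    """Redirecting a signed pointer without the key trips the check, except with
    probability 2**-pac_bits: that margin is the whole of what PAC provides."""
    signed = sign_pointer(key, ptr, modifier, pac_bits)
    hijacked = (signed >> VA_BITS << VA_BITS) | ((ptr + 0x1000) & ((1 << VA_BITS) - 1))
    try:
        authenticate(key, hijacked, modifier, pac_bits)
    except PointerAuthFault:
        return True
    return False

def pac_oracle(key, ptr, modifier, pac_bits, guess):
    """The page's PAC Oracle: a crash-free yes/no PAC check (on the real chip a wrong guess faults)."""
    try:
        authenticate(key, ptr | (guess << VA_BITS), modifier, pac_bits)
        return True
    except PointerAuthFault:
        return False

def oracle_queries_needed(key, ptr, modifier, pac_bits):
    """Crash-free queries needed to recover the PAC: at most 2**pac_bits (65,536 for 16 bits)."""
    return 1 + next(g for g in range(1 << pac_bits) if pac_oracle(key, ptr, modifier, pac_bits, g))
```

The model makes the design assumption visible: the PAC is only a few bits wide, so its protection rests on every wrong guess being fatal to the process, which is exactly the property the oracle removes.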
The team disclosed the vulnerability to Apple several months in advance, so it has engaged in responsible disclosure.
However, the team hasn’t filed a Common Vulnerabilities and Exposures (CVE) number but plans to file one soon.
The MIT researchers have not witnessed this attack being used in the wild. They added that there is no need to worry as long as users keep their software up to date.
Apple’s product team responded as follows:
“We’d like to thank the researchers for their collaboration as this proof-of-concept improves our understanding of these techniques. Based on our analysis and the details shared with us by the researchers, we’ve concluded that this issue doesn’t pose an immediate risk to our users and isn’t sufficient to bypass device protection on its own.”
The most interesting part of this whole story is that Apple won’t be able to fix this issue. According to the company, it doesn’t pose a threat because it depends on other vulnerabilities to work.
However, keeping your device updated protects you from it, because the attack, called PACMAN, relies on existing software bugs that it combines with its pointer authentication bypass.
Thus, by itself, PACMAN cannot compromise your computer, but it builds on other flaws to cause further problems.
Dalibor is a Senior Security Engineer with experience in penetration testing, having recently served over 8 years in the Department of Cyber Security of the Ministry of Internal Affairs in Serbia.