New Spectre-Like 'PACMAN' Flaw Could Affect ARM-Based Chips (including Apple's M1)

'Researchers at MIT have discovered an unfixable vulnerability in Apple Silicon that could allow attackers to bypass a chip's 'last line of defense',' writes the Apple Insider blog, 'but most Mac users shouldn't be worried.'

More specifically, the team at MIT's Computer Science & Artificial Intelligence Laboratory found that Apple's implementation of pointer authentication in the M1 system-on-chip can be overcome with a specific hardware attack they've dubbed 'PACMAN.' Pointer authentication is a security mechanism in Apple Silicon that makes it more difficult for attackers to modify pointers in memory. By checking for unexpected changes in pointers, the mechanism can help defend a CPU if attackers gain memory access.... The flaw comes into play when an attacker successfully guesses the value of a pointer authentication code and disables it.

The researchers found that they could use a side-channel attack to brute-force the code. PACMAN echoes similar speculative execution attacks like Spectre and Meltdown, which also leveraged microarchitectural side channels. Because it's a flaw in the hardware, it can't be fixed with a software patch.

[A]ctually carrying out the PACMAN attack requires physical access to a device, meaning the average Mac user isn't going to be at risk of exploit. The flaw affects all kinds of ARM-based chips — not just Apple's. The vulnerability is more of a technological demonstration of a wider issue with pointer authentication in ARM chips, rather than an issue that could lead to your Mac getting hacked.
MIT has made more information available at the site PACMANattack.com — including answers to frequently asked questions.

Q: Is PACMAN being used in the wild?
A: No.
Q: Does PACMAN have a logo?
A: Yeah!

The MIT team says their discovery represents 'a new way of thinking about how threat models converge in the Spectre era.' But even then, MIT's announcement warns the flaw 'isn't a magic bypass for all security on the M1 chip.'

PACMAN can only take an existing bug that pointer authentication protects against, and unleash that bug's true potential for use in an attack by finding the correct PAC. There's no cause for immediate alarm, the scientists say, as PACMAN cannot compromise a system without an existing software bug....

The team showed that the PACMAN attack even works against the kernel, which has 'massive implications for future security work on all ARM systems with pointer authentication enabled,' says Ravichandran. 'Future CPU designers should take care to consider this attack when building the secure systems of tomorrow. Developers should take care to not solely rely on pointer authentication to protect their software.'

TechCrunch obtained a comment from Apple:

Apple spokesperson Scott Radcliffe provided the following: 'We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques. Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own.'

Read more of this story at Slashdot.