However, researchers from the Computer Science and Artificial Intelligence Laboratory (CSAIL) at MIT have developed a novel hardware attack that sidesteps this security feature by combining memory corruption with speculative execution. The attack demonstrates that pointer authentication can be broken without leaving a trace, and because it exploits a hardware mechanism rather than a software bug, it cannot be fixed with a software patch: the mechanism itself is the problem.
The attack, aptly named “Pacman,” works by “guessing” a pointer authentication code (PAC), a cryptographic signature that verifies that a pointer has not been altered in a malicious way. To do this it uses speculative execution, a technique modern processors use to increase performance by speculatively executing likely paths of computation, to leak PAC verification results, while a hardware side channel reveals whether or not a guess was correct.
The researchers also found that it is feasible to try every possible PAC value until the correct one is found, because only a limited number of values are available for the PAC.
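As an added illustration that is not part of the article, the following constructed Python model shows what a PAC is and why its value space is small: a keyed MAC over the pointer and a context value, truncated into the bits that a 48-bit virtual address leaves unused. The layout, key handling and failure behaviour are assumptions for illustration, not the real ARM or Apple implementation.

```python
import hmac
import hashlib

# Assumed layout (illustrative only): 48-bit virtual addresses, with the
# PAC stored in the 16 unused upper bits of a 64-bit pointer.
VA_BITS = 48
PAC_BITS = 64 - VA_BITS
PTR_MASK = (1 << VA_BITS) - 1
PAC_MASK = (1 << PAC_BITS) - 1
PAC_SPACE = 1 << PAC_BITS   # number of distinct PAC values: 65536 here


def compute_pac(ptr: int, modifier: int, key: bytes) -> int:
    """Keyed MAC over (pointer, modifier), truncated to PAC_BITS bits.
    The real hardware uses a dedicated block cipher; HMAC stands in for it."""
    msg = ptr.to_bytes(8, "little") + modifier.to_bytes(8, "little")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "little") & PAC_MASK


def pac_sign(ptr: int, modifier: int, key: bytes) -> int:
    """Model of a PAC* instruction: embed the PAC in the pointer's upper bits."""
    if ptr & ~PTR_MASK:
        raise ValueError("pointer does not fit in the assumed address width")
    return ptr | (compute_pac(ptr, modifier, key) << VA_BITS)


def pac_auth(signed: int, modifier: int, key: bytes):
    """Model of an AUT* instruction: strip the PAC, recompute and compare.
    Returns the plain pointer on success, None on failure (real hardware
    instead produces a non-canonical pointer or faults)."""
    ptr = signed & PTR_MASK
    expected = compute_pac(ptr, modifier, key)
    if hmac.compare_digest(expected.to_bytes(2, "little"),
                           ((signed >> VA_BITS) & PAC_MASK).to_bytes(2, "little")):
        return ptr
    return None


if __name__ == "__main__":
    key = b"constructed demo key"          # constructed; real keys live in registers
    ret_addr = 0x00007FFF12345678            # constructed return address
    signed = pac_sign(ret_addr, modifier=0x10, key=key)
    print(hex(signed), pac_auth(signed, 0x10, key) == ret_addr)
    print("tampered:", pac_auth(signed ^ 0x8, 0x10, key))   # corrupted pointer fails
    print("PAC values to cover:", PAC_SPACE)
```

Changing a signed pointer, or checking it under a different modifier, fails verification, but the PAC is only a 16-bit tag in this layout, which is why exhaustive trial of every value is within reach once a side channel reports which guesses verify.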
In a proof of concept, the researchers demonstrated that the attack even works against the kernel, the software core of a device’s operating system. This has “massive implications for future security work on all ARM systems with pointer authentication enabled,” according to Joseph Ravichandran, a Ph.D. student at MIT CSAIL and co-lead author of the research paper.
Ravichandran went on to say that “the concept behind pointer authentication is that even if everything else has failed, you can still rely on it to prevent attackers from gaining control of your system.” He added: “We’ve demonstrated that using pointer authentication as a final line of defense isn’t as foolproof as we had previously believed it to be.”
Apple has already implemented pointer authentication on all of its custom ARM-based silicon, including the M1, M1 Pro, and M1 Max. Other chip manufacturers, including Qualcomm and Samsung, have either announced or are expected to ship new processors supporting the hardware-level security feature. The Massachusetts Institute of Technology (MIT) stated that it has not yet tested the attack on Apple’s M2 chip, which also supports pointer authentication.
According to the research paper published by MIT, “If not mitigated, our attack will affect the majority of mobile devices, and likely even desktop devices in the coming years.”
The researchers, who presented their findings to Apple, noted that the Pacman attack is not a “magic bypass” for all of the security on the M1 chip: it can only take advantage of an existing memory-corruption flaw of the kind that pointer authentication is designed to safeguard against.
Apple declined to comment on the record when contacted before this article was published. Following publication, an Apple spokesperson, Scott Radcliffe, offered the following statement: “We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques. Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own.”
In May of last year, a developer discovered that Apple’s M1 chip contains a flaw that cannot be fixed. It creates a covert channel that two or more already-installed malicious applications can use to communicate with one another and share information. The flaw was ultimately deemed “harmless,” however, because malicious software cannot use it to steal data from a Mac or to interfere with data already stored there.