Apple’s M1 chip has been shown to contain a hardware vulnerability that can be exploited to disable one of its defense mechanisms against memory corruption, giving such attacks a greater chance of success.
Computer scientists from MIT CSAIL said on Friday that they have identified a way to circumvent the M1 chip’s pointer authentication, a security mechanism that tries to prevent an attacker from changing memory references without being detected.
In a paper entitled “PACMAN: Attacking Arm Pointer Authentication with Speculative Execution”, Joseph Ravichandran, Weon Taek Na, Jay Lang and Mengjia Yan describe how they used speculative execution (the way modern processors perform work before knowing whether it will be needed, in order to speed up execution) to discover the pointer authentication code that allows a pointer to be modified on a protected system.
A pointer is a variable that stores the memory address of another object in memory; an attacker who can tamper with pointers can potentially read sensitive data and run arbitrary code.
Pointer authentication was introduced in 2017 in Armv8.3 [PDF] to protect the integrity of pointers, and Apple adopted it in its Arm-based chip designs in 2018. It is present in Apple’s M1, M1 Pro and M1 Max silicon, and has also been adopted by other Arm-based chip makers such as Qualcomm and Samsung.
Pointer authentication relies on a short cryptographic tag called a Pointer Authentication Code (PAC), a keyed hash derived from the pointer value, a 64-bit context value and a 128-bit secret key, to detect tampering with pointers. Because 64-bit architectures use fewer than 64 bits of address space (48 bits in macOS 12.2.1 on an M1), the unused upper bits of the pointer can hold the PAC, which ranges from 11 to 31 bits depending on the configuration.
When pointer authentication is active, an attacker who modifies a pointer must also supply the correct PAC for the new value, otherwise the program will crash when the pointer is used. A brute-force search for the PAC will not work because a wrong guess causes a crash; the restarted target comes back with fresh keys, forcing the attacker to start over.
Ravichandran and his colleagues developed a PAC oracle, a feedback mechanism that distinguishes correct from incorrect guesses without crashing the program. That lets them brute-force all possible values of a 16-bit PAC in about 2.94 minutes and mount a control-flow hijacking attack on an application or operating system that uses pointer authentication.
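To make the mechanism concrete, here is an added C model (not the researchers’ code and not Apple’s implementation) of pointer signing and authentication, the poisoned pointer a failed authentication produces, and a non-crashing oracle used to brute-force a 16-bit PAC. The keyed hash, key values, addresses and the `pac_sign`/`pac_auth`/`forge_pointer` names are all constructed for illustration: the real PAC is computed with QARMA, the bit layout is simplified, and the real oracle is the speculative-execution side channel the paper describes, which this model replaces with a direct answer.

```c
/* Added model of Arm pointer authentication and of a non-crashing PAC oracle.
 * Constructed example: the MAC is a toy mixer, not QARMA, and the bit layout
 * is simplified (the real layout reserves bit 55 and may use top-byte-ignore). */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define VA_BITS    48                         /* 48-bit virtual addresses, as on macOS 12.2.1 / M1 */
#define PAC_BITS   16                         /* PAC occupies the spare bits above the VA */
#define PAC_SHIFT  VA_BITS
#define VA_MASK    ((1ULL << VA_BITS) - 1)
#define PAC_MASK   ((((uint64_t)1 << PAC_BITS) - 1) << PAC_SHIFT)
#define AUT_POISON (0x3ULL << 61)             /* error code AUT* leaves in a failed pointer */

typedef struct { uint64_t k0, k1; } pac_key;  /* 128-bit key; in hardware a system register */

/* Toy keyed mixer standing in for QARMA. Not secure; only the structure matters here. */
static uint64_t toy_mac(uint64_t ptr, uint64_t ctx, const pac_key *key) {
    uint64_t h = 0x9E3779B97F4A7C15ULL ^ key->k0;
    uint64_t in[3] = { ptr, ctx, key->k1 };
    for (int i = 0; i < 3; i++) {
        h ^= in[i];
        h *= 0xBF58476D1CE4E5B9ULL;
        h ^= h >> 31;
    }
    return h ^ (h >> 29);
}

static uint64_t compute_pac(uint64_t va, uint64_t ctx, const pac_key *key) {
    return (toy_mac(va & VA_MASK, ctx, key) << PAC_SHIFT) & PAC_MASK;
}

/* PAC*: sign a pointer by writing its PAC into the unused upper bits. */
uint64_t pac_sign(uint64_t ptr, uint64_t ctx, const pac_key *key) {
    return (ptr & VA_MASK) | compute_pac(ptr, ctx, key);
}

/* AUT*: strip and verify. A mismatch yields a non-canonical pointer that faults
 * when dereferenced or branched to; that fault is the crash a naive brute-forcer hits. */
uint64_t pac_auth(uint64_t signed_ptr, uint64_t ctx, const pac_key *key) {
    uint64_t va = signed_ptr & VA_MASK;
    if ((signed_ptr & PAC_MASK) == compute_pac(va, ctx, key))
        return va;
    return va | AUT_POISON;
}

bool auth_failed(uint64_t authed_ptr) { return (authed_ptr & ~VA_MASK) != 0; }

/* PAC oracle: answers "would this guess verify?" without architecturally executing
 * the failing AUT. In PACMAN that bit leaks through a cache/TLB timing side channel
 * during speculative execution; here it is simulated directly. */
bool pac_oracle(uint64_t guess, uint64_t ctx, const pac_key *key) {
    return !auth_failed(pac_auth(guess, ctx, key));
}

/* Forge a signed pointer for target_va using only oracle answers. Returns 0 if no
 * candidate verifies; *tries receives the number of oracle queries made. */
uint64_t forge_pointer(uint64_t target_va, uint64_t ctx, const pac_key *key, unsigned *tries) {
    *tries = 0;
    for (uint64_t g = 0; g < ((uint64_t)1 << PAC_BITS); g++) {
        uint64_t candidate = (target_va & VA_MASK) | (g << PAC_SHIFT);
        (*tries)++;
        if (pac_oracle(candidate, ctx, key))
            return candidate;
    }
    return 0;
}

int main(void) {
    pac_key key = { 0x0123456789ABCDEFULL, 0xFEDCBA9876543210ULL }; /* constructed key */
    uint64_t legit = 0x000000010000F000ULL;  /* constructed address of a legitimate function */
    uint64_t evil  = 0x00000001000A0000ULL;  /* constructed attacker-chosen target */

    uint64_t s = pac_sign(legit, 0, &key);
    printf("signed legit : %016llx -> auth %016llx\n",
           (unsigned long long)s, (unsigned long long)pac_auth(s, 0, &key));

    /* Overwrite only the address bits, as a memory-corruption bug would: PAC no longer matches. */
    uint64_t tampered = (s & PAC_MASK) | evil;
    uint64_t t = pac_auth(tampered, 0, &key);
    printf("tampered     : %016llx -> auth %016llx (failed=%d)\n",
           (unsigned long long)tampered, (unsigned long long)t, auth_failed(t));

    /* With a non-crashing oracle the 16-bit PAC falls to exhaustive search.
     * At the paper's rate (2^16 guesses in ~2.94 min) that is roughly 2.7 ms per query. */
    unsigned tries;
    uint64_t forged = forge_pointer(evil, 0, &key, &tries);
    printf("forged       : %016llx after %u queries -> auth %016llx\n",
           (unsigned long long)forged, tries, (unsigned long long)pac_auth(forged, 0, &key));
    return 0;
}
```

The model keeps the property that matters for the article: a wrong PAC never produces a usable pointer, so the only thing standing between the attacker and 2^16 guesses is whether each wrong guess costs a crash or merely an oracle query.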
“The key insight in our PACMAN attack is to use speculative execution to sneak PAC verification results via microarchitectural side channels,” the researchers say in their article.
The attack involves monitoring the interactions between translation lookaside buffers (TLB) and caches to measure conflicts, the researchers explain.
It relies on software “gadgets”, pre-existing instruction sequences in memory that can be chained to perform the desired operations. These are used to build a pointer verification operation and a transmission operation that speculatively leaks the PAC verification result through a microarchitectural side channel.
The attack works across privilege levels: the scenario described involves an unprivileged user-space process extracting information from the operating system kernel. It relies on a high-resolution timer that can measure the latency between microarchitectural events.
“To carry out the PACMAN attack, you need an existing software vulnerability,” Ravichandran, a doctoral student at MIT CSAIL, said in an email to The Register. “PACMAN bypasses pointer authentication, which is the last barrier to arbitrary code execution.”
“Executing arbitrary kernel code gives you basically unlimited access to the device, and the attacker can do whatever they want (essentially, they’ve got ‘root’ access). Before you can do that, you need a software vulnerability to run the PACMAN attack with a PACMAN gadget (a snippet of sacrificial code that can be used to carry out the PACMAN attack).”
Last year, Hector Martin, founder and project lead of Asahi Linux, disclosed an M1 flaw called M1RACLES, which was not very significant. At the time he also alluded to a second CVE affecting the M1 that had not yet been disclosed.
Ravichandran said that he and his colleagues had found only this one flaw affecting the M1.
“We examined the M1 chip because it is the first desktop CPU that came with pointer authentication,” he said. “We revealed all our findings to Apple last year, but we do not know if they have mitigated anything or not.”
The paper discusses potential mitigations for PACMAN, such as blocking speculative execution of memory accesses and branch instructions that depend on a PAC verification result, but notes that these may cost performance.
Ravichandran said he could not say whether Apple’s new M2 chip could be vulnerable because researchers have not had a chance to investigate.
“We believe it is possible that future Arm processors with pointer authentication and speculative execution may also be vulnerable to the PACMAN attack.”
The Register asked Apple whether it has addressed PACMAN in the M1 or M2, but has not heard back.
The PACMAN paper is scheduled to be presented at the International Symposium on Computer Architecture in New York City on June 18.