Apple M1 Affected By "PACMAN" Hardware Vulnerability In Arm Pointer Authentication

MIT CSAIL today is lifting the embargo on a new hardware vulnerability affecting the Apple M1 SoCs (no word yet on exposure with the recently announced Apple M2) and dubbed the "PACMAN" attack.

Researchers from MIT found that the Arm Pointer Authentication functionality within the M1 can be defeated and without traces. The researchers allege, "PACMAN utilizes a hardware mechanism, so no software patch can ever fix it." With Arm Pointer Authentication still being new and only added to the Armv8.3-A specification, it will be interesting to see if similar Arm SoCs also prove vulnerable to this particular attack.

Some additional details on the M1 PACMAN attack going out now in a press release with the embargo just lifted:

A pointer authentication code, or “PAC” for short, is a signature that confirms that the state of the program hasn’t been changed maliciously. Enter the PACMAN attack. The team showed that it's possible to "guess" a value for the PAC, and reveal whether the guess was correct or not via a hardware side channel. And since there are only so many possible values for the PAC, they found that it's possible to try them all to find the correct one. Most importantly, since the guesses all happen under speculative execution, the attack leaves no trace.

“The idea behind pointer authentication is that if all else has failed, you still can rely on it to prevent attackers from gaining control of your system. We've shown that pointer authentication as a last line of defense isn't as absolute as we once thought it was,” says MIT CSAIL PhD student Joseph Ravichandran, co-lead author of a new paper about PACMAN. “When pointer authentication was introduced, a whole category of bugs suddenly became a lot harder to use for attacks. With PACMAN making these bugs more serious, the overall attack surface could be a lot larger.”
...
The team wanted to see what combining the two might achieve – taking something from the software security world, and breaking a mitigation (a feature that’s designed to protect software), using hardware attacks. “That's the heart of what PACMAN represents - a new way of thinking about how threat models converge in the Spectre era,” says Ravichandran.

PACMAN isn't a magic bypass for all security on the M1 chip. PACMAN can only take an existing bug that pointer authentication protects against, and unleash that bug's true potential for use in an attack by finding the correct PAC.

The PACMAN research paper concludes, "We have presented PACMAN, a novel speculative execution attack against ARM Pointer Authentication. We have reverse engineered the TLB organizations on Apple M1 and have demonstrated multiple proof-of-concept attacks that work across privilege levels. We believe that this attack has important implications for designers looking to implement future processors featuring Pointer Authentication, and has broad implications for the security of future control-flow integrity primitives."

PACMAN is the latest vulnerability discovered by scientists at MIT from their Computer Science & Artificial Intelligence Lab (CSAIL). (Picture: MIT Stata Center back during the days of building a solar-powered Arm cluster.)

The MIT CSAIL scientists will be presenting their M1 "PACMAN" attack on 18 June at the International Symposium on Computer Architecture.

Will update when receiving the finalized link for the PACMAN attack research paper.