MIT researchers have disclosed an attack on Apple’s M1 processors that could allow attackers to run arbitrary code on macOS systems.
The researchers said the attack lies at the intersection of hardware and software attacks.
They named it PACMAN because the attack is rooted in Pointer Authentication Codes (PACs) – a security mechanism in the arm64e architecture.
The purpose of PACs is to protect against unexpected changes to pointers – programming variables that store memory addresses.
PACMAN exploits existing memory read and write bugs to bypass the pointer authentication security feature.
The attack combines these memory corruption techniques with speculative execution to bypass pointer authentication, which could lead to arbitrary code execution.
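To make the mechanism concrete, here is an added toy model of pointer authentication (not the article's or Apple's code; the real arm64e design uses a hardware block cipher and a PAC width that depends on the address-space configuration, and the 16-bit width, HMAC and sample values below are assumptions). It shows how a PAC ties a pointer to a key and context, and why a memory-write bug that changes the address without the key fails authentication:

```python
import hmac
import hashlib

# Toy layout (assumption, not the real arm64e encoding): the PAC lives in the
# upper PAC_BITS bits of a 64-bit pointer, which are otherwise unused.
PAC_BITS = 16
PAC_SHIFT = 64 - PAC_BITS
ADDR_MASK = (1 << PAC_SHIFT) - 1
PAC_MASK = ((1 << PAC_BITS) - 1) << PAC_SHIFT


def compute_pac(key: bytes, addr: int, context: int) -> int:
    """Toy PAC: truncated HMAC-SHA256 over (address, context modifier).
    Real hardware uses a dedicated cipher with per-process keys; the only
    property modelled here is that the PAC depends on key, address and context."""
    msg = addr.to_bytes(8, "little") + context.to_bytes(8, "little")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "little") & ((1 << PAC_BITS) - 1)


def sign_pointer(key: bytes, ptr: int, context: int) -> int:
    """Analogue of a PAC* instruction: embed the PAC in the upper bits."""
    addr = ptr & ADDR_MASK
    return addr | (compute_pac(key, addr, context) << PAC_SHIFT)


def authenticate_pointer(key: bytes, signed_ptr: int, context: int) -> tuple[bool, int]:
    """Analogue of an AUT* instruction: strip the PAC and verify it.
    Returns (ok, address); on real hardware a failed check yields a pointer that faults on use."""
    addr = signed_ptr & ADDR_MASK
    ok = (signed_ptr & PAC_MASK) >> PAC_SHIFT == compute_pac(key, addr, context)
    return ok, addr


def overwrite_address(signed_ptr: int, new_addr: int) -> int:
    """Model a memory-write bug: the address bits are replaced, but without the
    key the existing PAC bits cannot be recomputed and are left as they were."""
    return (signed_ptr & PAC_MASK) | (new_addr & ADDR_MASK)


if __name__ == "__main__":
    key = b"per-process-secret"                      # constructed sample key
    fn_ptr, ctx = 0x0000000100004000, 0x7FFEE000    # constructed sample values
    signed = sign_pointer(key, fn_ptr, ctx)
    print("valid pointer:", authenticate_pointer(key, signed, ctx))
    print("corrupted pointer:", authenticate_pointer(key, overwrite_address(signed, 0x100008000), ctx))
    print("PAC guess space:", 1 << PAC_BITS)  # small enough that a crash-free oracle is the whole problem
```

The guess space printed at the end is what makes a crash-free oracle the crux: each wrong guess on real hardware would normally fault, so the defence rests on failures being fatal rather than on the PAC being long.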
“[To execute code arbitrarily] we need to learn what the PAC value is for a given victim pointer,” the researchers said.
“PACMAN does this by creating what is known as a PAC oracle, which is the ability to detect whether a given PAC matches a given pointer.”
“The PAC Oracle must never crash when an incorrect estimate is provided. We then enforce all possible PAC values using the PAC Oracle.”
The researchers suppressed crashes by speculatively performing each PAC guess and using a microarchitectural side channel to learn if they guessed correctly.
The research team has not yet seen any cases of attacks in the wild and is reporting its findings to Apple.
“While the hardware mechanisms used by PACMAN cannot be patched with software features, bugs in memory can corrupt them,” the researchers said.