Attackers might use a novel hardware attack targeting Pointer Authentication (PAC) on the Apple M1 central processing unit (CPU) to gain arbitrary code execution on Mac systems.
Arbitrary code execution refers to a threat actor's ability to run commands or code on a target system, while pointer authentication codes are designed to detect and guard against unexpected changes to pointers in memory.
MIT's Computer Science & Artificial Intelligence Laboratory (CSAIL) scientists dubbed the new attack technique PACMAN.
“PACMAN is what you get when you mix a hardware mitigation for software attacks with microarchitectural side channels. We believe the core idea of PACMAN will be applicable to much more than just PAC,” they said in a paper.
PACMAN is designed to forge kernel PACs from userspace on M1.
“Compromising the kernel means that an attacker can do anything you can do (eg. read any file, see browser data, etc.). PACMAN works across privilege levels, so it works on the kernel from user mode,” scientists said.
Researchers will demonstrate their findings later this month at the International Symposium on Computer Architecture.
The attack does not require physical access to the chip. Researchers did their experiments over the network on a machine in another room. PACMAN takes an existing software bug and turns it into a more serious exploitation primitive (a pointer authentication bypass), which may lead to arbitrary code execution.
“In order to do this, we need to learn what the PAC value is for a particular victim pointer. PACMAN does this by creating what we call a PAC Oracle, which is the ability to tell if a given PAC matches a specified pointer. The PAC Oracle must never crash if an incorrect guess is supplied. We then brute force all possible PAC values using the PAC Oracle.”
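To make the oracle idea concrete, here is a toy Python model of pointer authentication, added here and not MIT's or Apple's code: sign and authenticate a pointer with an HMAC standing in for the hardware PAC function, an architectural check that faults on mismatch, and a crash-free oracle through which every PAC value can be enumerated. The 16-bit PAC width, 48-bit address width and key are assumed values.

```python
import hmac
import hashlib

PAC_BITS = 16                        # assumed PAC field width (toy value)
ADDR_BITS = 48                       # assumed virtual-address width
PAC_MASK = (1 << PAC_BITS) - 1
ADDR_MASK = (1 << ADDR_BITS) - 1
KEY = b"constructed-secret-pac-key"  # kernel-held key, never visible to userspace


def compute_pac(addr: int, modifier: int) -> int:
    """Keyed MAC over (address, modifier) truncated to PAC_BITS; HMAC stands in for the real PAC cipher."""
    msg = addr.to_bytes(8, "little") + modifier.to_bytes(8, "little")
    tag = hmac.new(KEY, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:2], "little") & PAC_MASK


def sign(addr: int, modifier: int) -> int:
    """PAC* instruction analogue: store the PAC in the unused upper pointer bits."""
    addr &= ADDR_MASK
    return addr | (compute_pac(addr, modifier) << ADDR_BITS)


class PacFault(Exception):
    """AUT* poisons the pointer on mismatch; the next use faults and the process dies."""


def authenticate(ptr: int, modifier: int) -> int:
    """Architectural check: return the bare address, or fault on a wrong PAC."""
    addr = ptr & ADDR_MASK
    if (ptr >> ADDR_BITS) & PAC_MASK != compute_pac(addr, modifier):
        raise PacFault(hex(ptr))
    return addr


def pac_oracle(ptr: int, modifier: int) -> bool:
    """Models the PAC Oracle described above: answers match/no-match without ever faulting."""
    try:
        authenticate(ptr, modifier)
        return True
    except PacFault:
        return False


def brute_force_pac(addr: int, modifier: int) -> tuple:
    """Enumerate PAC values through the oracle; returns (pac, queries), queries <= 2**PAC_BITS."""
    addr &= ADDR_MASK
    for guess in range(1 << PAC_BITS):
        if pac_oracle(addr | (guess << ADDR_BITS), modifier):
            return guess, guess + 1
    raise RuntimeError("unreachable: exactly one PAC value matches")
```

The contrast is the point for defenders: against the architectural check the first wrong guess ends the process, so the scheme's strength rests on that fault, whereas an oracle that answers without faulting bounds the work at 2**PAC_BITS queries. That is why the researchers stress patching the memory-corruption bug that supplies the initial primitive.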
MIT researchers have not witnessed this attack being used in the wild. They added that as long as users keep their software up to date, there’s no need to worry.
“As long as you keep your software up to date, no. PACMAN is an exploitation technique; on its own it cannot compromise your system. While the hardware mechanisms used by PACMAN cannot be patched with software features, memory corruption bugs can be,” they said.
Researchers reported their findings and proof-of-concept code to Apple, and have been in talks with them since 2021.