MIT researchers have disclosed an attack against Apple’s M1 processors that could give attackers arbitrary code execution abilities on macOS systems.
The researchers said the attack lies at the intersection of hardware and software attacks.
They named it PACMAN since the attack is rooted in pointer authentication codes (PACs) — a security mechanism in arm64e architecture.
PACs’ purpose is to protect against unexpected changes to pointers — programming variables that store memory addresses.
PACMAN exploits existing memory read and write bugs to bypass the pointer authentication security feature.
The attack combines these memory corruption techniques with speculative execution to circumvent pointer authentication, which could lead to arbitrary code execution.
“[To execute code arbitrarily], we need to learn what the PAC value is for a particular victim pointer,” the researchers said.
“PACMAN does this by creating what we call a PAC Oracle, which is the ability to tell if a given PAC matches a specified pointer.”
“The PAC Oracle must never crash if an incorrect guess is supplied. We then brute force all possible PAC values using the PAC Oracle.”
The researchers suppressed crashes by speculatively performing each PAC guess and using a microarchitectural side channel to learn whether they guessed correctly.
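To make the mechanism described above concrete, here is a small C model of pointer authentication, written as an added example for this article rather than code from the MIT team or from Apple. It signs a pointer by storing a keyed hash of (address, context) in the unused top bits, authenticates it by recomputing that hash, and shows two things the text relies on: a write bug that redirects a signed pointer almost always fails authentication (which on real hardware means a crash, the behaviour a PAC oracle has to avoid), and the PAC field is only 16 bits wide, so the guess space is 65,536 values. The 48-bit pointer layout, the 16-bit PAC width, the key constants and the splitmix64-based hash are all assumptions for the toy; arm64e uses the QARMA cipher with keys held in system registers.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy layout (assumption): user-space pointers use 48 bits, the PAC is
 * stored in the top 16 bits. Real arm64e layouts vary with the VA size. */
#define PAC_BITS  16
#define PAC_SHIFT (64 - PAC_BITS)
#define PTR_MASK  ((UINT64_C(1) << PAC_SHIFT) - 1)

/* Constructed secret key. On real hardware the keys live in system registers
 * that user-mode code cannot read; here they are just constants. */
static const uint64_t toy_key[2] = {
    UINT64_C(0x0123456789abcdef), UINT64_C(0xfedcba9876543210)
};

/* splitmix64 finalizer used as a stand-in for the QARMA block cipher that
 * arm64e actually uses. It is NOT cryptographically secure. */
static uint64_t mix64(uint64_t x) {
    x ^= x >> 30; x *= UINT64_C(0xbf58476d1ce4e5b9);
    x ^= x >> 27; x *= UINT64_C(0x94d049bb133111eb);
    x ^= x >> 31;
    return x;
}

/* Keyed hash of (pointer, context) truncated to PAC_BITS bits. */
static uint64_t compute_pac(uint64_t ptr, uint64_t context) {
    uint64_t h = mix64(ptr ^ toy_key[0]);
    h = mix64(h ^ context ^ toy_key[1]);
    return h >> PAC_SHIFT;
}

/* Like the PAC* instructions: place the PAC into the unused top bits. */
uint64_t pac_sign(uint64_t ptr, uint64_t context) {
    uint64_t canonical = ptr & PTR_MASK;
    return canonical | (compute_pac(canonical, context) << PAC_SHIFT);
}

/* Like the AUT* instructions: recompute the PAC and compare. Returns 1 and
 * writes the stripped pointer on success, 0 on mismatch (where the CPU would
 * instead yield a pointer that faults, i.e. the crash the text mentions). */
int pac_auth(uint64_t signed_ptr, uint64_t context, uint64_t *out) {
    uint64_t canonical = signed_ptr & PTR_MASK;
    if (compute_pac(canonical, context) != (signed_ptr >> PAC_SHIFT))
        return 0;
    if (out) *out = canonical;
    return 1;
}

/* Number of distinct PAC values: the space a PAC oracle has to enumerate. */
uint64_t pac_guess_space(void) { return UINT64_C(1) << PAC_BITS; }

/* Model a memory-write bug that redirects a signed pointer's address bits to
 * n successive targets while keeping the original PAC. Returns how many of
 * those forgeries authentication rejects; with a 16-bit PAC almost all are. */
int count_rejected_forgeries(uint64_t original, uint64_t context, int n) {
    uint64_t signed_ptr = pac_sign(original, context);
    uint64_t old_pac = signed_ptr & ~PTR_MASK;
    int rejected = 0;
    for (int i = 1; i <= n; i++) {
        uint64_t forged = old_pac | ((original + (uint64_t)i * 16) & PTR_MASK);
        if (!pac_auth(forged, context, NULL)) rejected++;
    }
    return rejected;
}

int main(void) {
    uint64_t ptr = UINT64_C(0x100004000), out = 0;  /* constructed address */
    uint64_t s = pac_sign(ptr, 42);
    printf("signed   : 0x%016llx\n", (unsigned long long)s);
    printf("auth ok  : %d (stripped 0x%llx)\n",
           pac_auth(s, 42, &out), (unsigned long long)out);
    printf("wrong ctx: %d\n", pac_auth(s, 7, &out));
    printf("rejected forgeries: %d / 1000\n", count_rejected_forgeries(ptr, 42, 1000));
    printf("PAC guess space: %llu\n", (unsigned long long)pac_guess_space());
    return 0;
}
```

The rejection count is not exactly 1000 by design: a 16-bit PAC collides with probability 1/65536 per forged target, which is why the scheme tolerates a small guess space only as long as every wrong guess is fatal. That assumption is what a crash-free oracle removes, and it is why the mitigation the article points to is fixing the memory corruption bugs that supply the write primitive in the first place.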
The research team has not yet seen any instances of the attack in the wild and has reported its findings to Apple.
“While the hardware mechanisms used by PACMAN cannot be patched with software features, memory corruption bugs can be,” the researchers said.