The New Spectre-Like 'PACMAN' Flaw Could Affect ARM-Based Chips (including Apple's M1) (mit.edu)
"Researchers at MIT have discovered an unfixable vulnerability in Apple Silicon that could allow attackers to bypass a chip's 'last line of defense'," writes the Apple Insider blog, "but most Mac users shouldn't be worried."
More specifically, the team at MIT's Computer Science & Artificial Intelligence Laboratory found that Apple's implementation of pointer authentication in the M1 system-on-chip can be overcome with a specific hardware attack they've dubbed "PACMAN." Pointer authentication is a security mechanism in Apple Silicon that makes it more difficult for attackers to modify pointers in memory. By checking for unexpected changes in pointers, the mechanism can help defend a CPU if attackers gain memory access.... The flaw comes into play when an attacker successfully guesses the value of a pointer authentication code and disables it.
The researchers found that they could use a side-channel attack to brute-force the code. PACMAN echoes similar speculative execution attacks like Spectre and Meltdown, which also leveraged microarchitectural side channels. Because it's a flaw in the hardware, it can't be fixed with a software patch.
[A]ctually carrying out the PACMAN attack requires physical access to a device, meaning the average Mac user isn't going to be at risk of exploit. The flaw affects all kinds of ARM-based chips — not just Apple's. The vulnerability is more of a technological demonstration of a wider issue with pointer authentication in ARM chips, rather than an issue that could lead to your Mac getting hacked.
MIT has made more information available at the site PACMANattack.com — including answers to frequently asked questions.
Q: Is PACMAN being used in the wild?
A: No.
Q: Does PACMAN have a logo?
A: Yeah!
The MIT team says their discovery represents "a new way of thinking about how threat models converge in the Spectre era." But even then, MIT's announcement warns the flaw "isn't a magic bypass for all security on the M1 chip." PACMAN can only take an existing bug that pointer authentication protects against, and unleash that bug's true potential for use in an attack by finding the correct PAC. There's no cause for immediate alarm, the scientists say, as PACMAN cannot compromise a system without an existing software bug....
The team showed that the PACMAN attack even works against the kernel, which has "massive implications for future security work on all ARM systems with pointer authentication enabled," says Ravichandran. "Future CPU designers should take care to consider this attack when building the secure systems of tomorrow. Developers should take care to not solely rely on pointer authentication to protect their software."
TechCrunch obtained a comment from Apple: Apple spokesperson Scott Radcliffe provided the following: "We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques. Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own."
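To make the summary's description of pointer authentication concrete, here is a small C model of the sign/authenticate semantics, written for this story rather than taken from the PACMAN paper, Apple or ARM. It assumes 48-bit virtual addresses (so 16 PAC bits), a toy keyed mixer in place of the real MAC, and constructed key, stack-pointer and return-address values; it shows why a pointer rewritten by a memory-safety bug fails authentication and faults, and why the PAC field width is what bounds a guesser, which is the property the researchers say a side channel lets an attacker probe without crashing.

```c
#include <stdint.h>

/* Toy model of ARMv8.3 pointer authentication, written for this story; not
   code from the PACMAN paper, Apple or ARM. Assumptions: 48-bit virtual
   addresses, so the top 16 bits carry the PAC; the PAC is a keyed hash of
   (pointer, modifier) truncated to those bits; the key is a per-process
   secret that attacking code cannot read. Real CPUs use QARMA and the PAC
   width depends on the address-space configuration. */
#define VA_BITS 48
#define PAC_MASK (~((1ULL << VA_BITS) - 1))   /* the 16 PAC bits */

/* Keyed mixer standing in for the real MAC; only the semantics matter here. */
static uint64_t toy_mac(uint64_t key, uint64_t ptr, uint64_t modifier) {
    uint64_t x = ptr ^ (modifier * 0x9E3779B97F4A7C15ULL) ^ key;
    x ^= x >> 33; x *= 0xff51afd7ed558ccdULL;
    x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ULL;
    return x ^ (x >> 33);
}

/* PAC* instruction model: store the truncated MAC in the unused high bits. */
uint64_t pac_sign(uint64_t key, uint64_t ptr, uint64_t modifier) {
    uint64_t addr = ptr & ~PAC_MASK;
    return addr | (toy_mac(key, addr, modifier) & PAC_MASK);
}

/* AUT* instruction model: recompute and compare. On mismatch the result gets
   a poison bit (non-canonical address) so any dereference faults; that fault
   is what a blind PAC guesser hits on every wrong try. */
uint64_t pac_auth(uint64_t key, uint64_t signed_ptr, uint64_t modifier, int *ok) {
    uint64_t addr = signed_ptr & ~PAC_MASK;
    *ok = (signed_ptr & PAC_MASK) == (toy_mac(key, addr, modifier) & PAC_MASK);
    return *ok ? addr : (addr | (1ULL << 62));
}

/* Number of PAC values a blind guesser would have to try here. */
uint64_t pac_guess_space(void) { return 1ULL << (64 - VA_BITS); }
/* Constructed scenario: a memory-safety bug lets an attacker overwrite a
   signed return address. Returns 1 if authentication rejects the overwrite,
   0 if it passes (the attacker also hit the right PAC), -1 on self-check failure. */
static const uint64_t DEMO_KEY = 0x1234567890abcdefULL;  /* constructed key */
static const uint64_t DEMO_SP  = 0x0000ffffd000ULL;      /* modifier: SP   */
static const uint64_t DEMO_RET = 0x000100004a00ULL;      /* legit target   */
int corrupted_return_address_rejected(uint64_t attacker_value) {
    int ok;
    uint64_t signed_ret = pac_sign(DEMO_KEY, DEMO_RET, DEMO_SP);
    if (pac_auth(DEMO_KEY, signed_ret, DEMO_SP, &ok) != DEMO_RET || !ok) return -1;
    pac_auth(DEMO_KEY, attacker_value, DEMO_SP, &ok);
    return ok ? 0 : 1;
}
```

The model makes the summary's caveat visible: the check only holds as long as a wrong PAC cannot be tested silently, and it never removes the underlying memory-safety bug, which is why the researchers advise against relying on pointer authentication alone.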
From the paper (Score:2)
We demonstrate our attacks on the Apple M1 SoC (sometimes shortened to M1), which is the first aarch64 desktop processor released to market that supports the ARM v8.3 architecture extensions. It is a non-trivial task to perform microarchitectural attacks on Apple platforms due to the closed-source and undocumented nature of both the macOS operating system and the M1 processor.
So I'm left curious just how much of an issue this actually is. The authors themselves had to build their own OS to demonstrate the issue.
Re: (Score:2)
It’s not much of an issue. Remember Meltdown and Spectre? Not a single documented successful exploit in the wild.
Re: (Score:2)
Re: (Score:2)
Patch effectiveness is debatable [techrepublic.com]. The reality is that these vulnerabilities are so difficult to exploit that it's not worth the effort to threat actors.
When it comes to vulnerabilities there is a huge difference between severity and exploitability. A high severity vulnerability like Meltdown/Spectre has very low exploitability due to its difficulty. Meanwhile, lower severity vulnerabilities with higher exploitability are more likely to be targeted by attackers since they require much less effort to compromi
No physical access required. (Score:2)
Does this attack require physical access?
Nope! We actually did all our experiments over the network on a machine in another room. PACMAN works just fine remotely if you have unprivileged code execution.
Pac-Man is NOT a remote exploit. It still requires intrusion to be done beforehand to plant the Pac-Man code.
Re: (Score:2)
So I'm left curious just how much of an issue this actually is.
The admins seem to think it's a pretty big deal since they've posted the exact same story twice.
where have I heard about this before? (Score:5, Insightful)
oh yeah, the previous article on the front page
Re: (Score:3)
On the plus side, this one is far more honest about the actual threat and far less sensationalist as a result. Whoever wrote this one up did a much better job.
Re: (Score:2)
Slashdot is famous for dupes, but it's rare to have the same story posted twice in a row. In fact I can't remember the last time... Probably back in the early to mid 2000s.
Re: (Score:2)
Re: where have I heard about this before? (Score:2)
Before it jumped the ponies
Re: (Score:3)
Re: (Score:1)
Holy shit, another one? (Score:3)
Wow, this is just minutes from the other M1 vulnerability posted on Slashdot!
Dupe Dope (Score:3)
New Dupe-Like 'DUPE' Flaw Could Affect DUPE-Based Chips 'n' Dips (including Slashdot's Dupe).
Wow, this is a new low (Score:2)
Today Slashdot has the same story twice, one directly above the other, from two different sources, posted about an hour and a half apart. Even a cursory glance at the title (or the first line of the summary) makes the duplication obvious.
Re: (Score:2)
This raises the question - why was BeauHD asleep at the switch? He failed to complete what would've been an epic Slashdot Trifecta.
Re: (Score:2)
meh.
They double posted one I submitted. I only submitted it once, but two different editors posted that same submission . . .
And it seems to me that I've seen consecutive dupes before, several years ago.
hawk
New record! (Score:3)
Twice in a row is great, but if you publish the same story once again it will be LEGENDARY!!
Re: (Score:2)
Beau can do it! We have faith!
PACMAN attack of slashdot (Score:2)
Someone used the PACMAN flaw on slashdot so that the article is posted again immediately.
DUPEMAN (Score:2)