Apple’s M1 processor is a game-changer, as it is the first Arm-based computer chip to deliver both high performance and long battery life. It is also the first desktop CPU to enable Pointer Authentication, a security feature. MIT researchers have now shown that this protection can be defeated.
Pointer Authentication (PA) attaches a cryptographic tag, the Pointer Authentication Code (PAC), to a pointer to ensure it has not been modified; the PAC is computed from the pointer and a secret key and stored in the pointer’s unused upper bits. To bypass such a system, an attacker would need to guess the PAC value. The PAC is sometimes small enough to be “brute-forced,” or cracked by trial and error. A simple brute-forcing approach is not enough to break PA, though, because every time an incorrect PAC is presented, the program crashes.
Attackers can combine memory corruption vulnerabilities in software with weaknesses in microprocessor design to circumvent pointer authentication codes. Memory corruption vulnerabilities are caused by bugs that let an attacker alter the contents of a memory location and hijack a program’s flow of execution. Arm, which designs the chip architectures that companies such as Apple license, introduced Pointer Authentication to protect pointer integrity. PA makes it much harder for attackers to modify memory pointers without being detected.
That is where the PACMAN attack comes in. It goes a step further by constructing a PAC oracle, which can be used to distinguish a correct PAC from an invalid one without causing any crashes. The researchers have shown that such an oracle can be used to brute-force the correct value and take control of a program or the operating system, which in this case is macOS.
The main thing to note is that the operations needed to carry out the PACMAN attack do not produce architecturally visible events, which lets an attacker avoid the problem of incorrect guesses leading to a crash. The team has also shown that the attack works across privilege levels, meaning it could be used to attack the operating system kernel, the core of the operating system. The weakness is not only present in the M1 but also in its larger variants, the M1 Pro and M1 Max.
Because the weakness lies in the hardware, it cannot be addressed with a software patch. Mac users do not need to be alarmed, though, as the attack can only be launched if an exploitable memory corruption vulnerability also exists. Furthermore, TechCrunch reached out to Apple for comment, and the Cupertino giant replied that there is no immediate risk to users:
“We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques. Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own.”
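To make the mechanism concrete, here is a software model of Pointer Authentication added for illustration; it is not code from the article, from Apple, Arm or the MIT team. It assumes a 48-bit virtual address with a 16-bit PAC in bits 48..63, uses a constructed mixing function in place of the QARMA cipher real hardware runs, and marks a failed authentication with a simplified "poison" bit that makes the pointer non-canonical so its first use would fault. It shows the sign/authenticate round trip, that a tampered PAC yields a faulting pointer, and how large the guess space is when every miss is a crash a defender can observe.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not Apple's, Arm's or MIT's code. Assumptions (labelled):
 * 48-bit virtual address, PAC in bits 48..63, constructed keyed mixing
 * function standing in for QARMA, simplified poison bit on auth failure. */

#define VA_BITS     48
#define PAC_BITS    (64 - VA_BITS)
#define VA_MASK     ((1ULL << VA_BITS) - 1)
#define POISON_BIT  (1ULL << 62)   /* simplified error mark: address becomes non-canonical */

/* Constructed keyed mixing function (stand-in for QARMA). Not a secure MAC;
 * it only models "PAC depends on pointer, modifier and secret key". */
static uint64_t pac_compute(uint64_t ptr, uint64_t modifier, uint64_t key)
{
    uint64_t x = (ptr & VA_MASK) ^ modifier ^ key;
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x >> VA_BITS;            /* keep PAC_BITS bits */
}

/* Model of a PAC* instruction: stamp the PAC into the unused upper bits. */
uint64_t pac_sign(uint64_t ptr, uint64_t modifier, uint64_t key)
{
    return (ptr & VA_MASK) | (pac_compute(ptr, modifier, key) << VA_BITS);
}

/* Model of an AUT* instruction: strip the PAC if it matches, otherwise return
 * a poisoned pointer whose first dereference would fault (the crash the
 * article describes for each wrong guess). */
uint64_t pac_auth(uint64_t signed_ptr, uint64_t modifier, uint64_t key)
{
    uint64_t expected = pac_compute(signed_ptr, modifier, key);
    uint64_t actual   = signed_ptr >> VA_BITS;
    if (expected == actual)
        return signed_ptr & VA_MASK;
    return (signed_ptr & VA_MASK) | POISON_BIT;
}

bool pac_is_poisoned(uint64_t ptr) { return (ptr & POISON_BIT) != 0; }

/* Number of PAC values a brute-force attempt has to cover: 2^PAC_BITS. */
uint64_t pac_guess_space(void) { return 1ULL << PAC_BITS; }

/* Try candidate PACs in order and count how many fault before the correct one
 * is reached: without an oracle, each of those misses is an observable crash. */
uint64_t pac_faults_before_success(uint64_t ptr, uint64_t modifier, uint64_t key)
{
    uint64_t faults = 0;
    for (uint64_t guess = 0; guess < pac_guess_space(); guess++) {
        uint64_t candidate = (ptr & VA_MASK) | (guess << VA_BITS);
        if (!pac_is_poisoned(pac_auth(candidate, modifier, key)))
            return faults;
        faults++;
    }
    return faults;
}

int main(void)
{
    /* Constructed sample values: a code pointer, a context modifier, a key. */
    uint64_t ptr = 0x100004000ULL, mod = 7ULL, key = 0x1234ULL;
    uint64_t s = pac_sign(ptr, mod, key);
    printf("signed pointer   : 0x%016llx\n", (unsigned long long)s);
    printf("auth ok          : 0x%016llx\n", (unsigned long long)pac_auth(s, mod, key));
    printf("auth tampered    : 0x%016llx (poisoned=%d)\n",
           (unsigned long long)pac_auth(s ^ (1ULL << VA_BITS), mod, key),
           pac_is_poisoned(pac_auth(s ^ (1ULL << VA_BITS), mod, key)));
    printf("guess space      : %llu\n", (unsigned long long)pac_guess_space());
    printf("crashes before hit: %llu\n",
           (unsigned long long)pac_faults_before_success(ptr, mod, key));
    return 0;
}
```

The modifier argument is what lets the same pointer carry different PACs in different contexts (for example a return address bound to its stack frame), and the poison bit is why a naive guess-and-check loop is loud: each miss in the real system is a fault the kernel logs, which is the signal PACMAN's oracle removes.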