Security researchers at MIT have discovered a hardware vulnerability in a security mechanism of Arm chips such as Apple's M1 SoC. They describe how it can be exploited in an attack to bypass memory protection.
The researchers from the MIT Computer Science & Artificial Intelligence Laboratory describe in a paper how they managed to bypass the so-called pointer authentication of Arm chips using speculative execution. They demonstrate their findings with an attack on the memory protection of an Apple M1 SoC. The researchers told The Register that they opted for the M1 because it is the first desktop processor with Arm pointer authentication.
This security technique has been part of the chip architecture since 2017, with the arrival of Armv8.3. There is a good chance that other Arm SoCs, such as those from Qualcomm and Samsung, are also vulnerable. A pointer refers to a memory address; manipulating one can allow potentially sensitive data to be retrieved and code to be executed. Cryptographic signatures called pointer authentication codes, or PACs, are meant to prevent such tampering.
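To make the mechanism concrete, here is a small simulation of how pointer authentication signs and checks a pointer. This is an added example written for this page, not code from the MIT paper or from Arm; it models the scheme in plain C rather than using the arm64 PAC instructions, and the mixing function, key values, address values and the 16-bit PAC width are all constructed for illustration (real hardware uses the QARMA cipher and a PAC width that depends on the virtual-address size).

```c
#include <stdint.h>
#include <stdbool.h>

/* Toy model of Arm pointer authentication, constructed for illustration.
 * Layout assumed here: 48-bit virtual address, 16-bit PAC in bits 63..48. */
#define VA_BITS   48
#define VA_MASK   ((1ULL << VA_BITS) - 1)
#define PAC_SHIFT VA_BITS
#define PAC_MASK  (0xFFFFULL << PAC_SHIFT)
/* Bit set on authentication failure so that the result is a non-canonical
 * address and any dereference of it faults (analogue of the error bit the
 * hardware sets when authentication fails). */
#define PAC_ERROR_BIT (1ULL << 62)

typedef struct { uint64_t k0, k1; } pac_key_t;

/* Keyed 64-bit mixing function; constructed, NOT a real cipher. */
static uint64_t toy_mix(uint64_t x, uint64_t k) {
    x ^= k;
    x *= 0x9E3779B97F4A7C15ULL;
    x ^= x >> 29;
    x *= 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 32;
    return x;
}

/* Compute the 16-bit PAC over (pointer, modifier) under a secret key. The
 * modifier binds the signature to a context, e.g. the stack pointer for a
 * return address, so a valid signature cannot be reused elsewhere. */
static uint16_t compute_pac(uint64_t ptr, uint64_t modifier, pac_key_t key) {
    uint64_t h = toy_mix(ptr & VA_MASK, key.k0);
    h = toy_mix(h ^ modifier, key.k1);
    return (uint16_t)(h >> 48);
}

/* Analogue of the PAC* instructions: store the PAC in the unused upper bits. */
uint64_t pac_sign(uint64_t ptr, uint64_t modifier, pac_key_t key) {
    uint64_t pac = compute_pac(ptr, modifier, key);
    return (ptr & VA_MASK) | (pac << PAC_SHIFT);
}

/* Analogue of the AUT* instructions: strip the PAC if it matches, otherwise
 * return a poisoned pointer that can never be dereferenced successfully. */
uint64_t pac_auth(uint64_t signed_ptr, uint64_t modifier, pac_key_t key) {
    uint64_t ptr = signed_ptr & VA_MASK;
    uint16_t expected = compute_pac(ptr, modifier, key);
    uint16_t got = (uint16_t)(signed_ptr >> PAC_SHIFT);
    return (got == expected) ? ptr : (ptr | PAC_ERROR_BIT);
}

/* True if an authenticated pointer is a plain, usable address. */
bool pac_is_valid(uint64_t authed_ptr) {
    return (authed_ptr & ~VA_MASK) == 0;
}

/* Scenario: a signed return address survives an unmodified round trip, but an
 * overwritten target or a reuse under a different context fails to
 * authenticate. Returns 0 when every check behaves as expected. */
int demo(void) {
    pac_key_t key = { 0x0123456789ABCDEFULL, 0xFEDCBA9876543210ULL };
    uint64_t ret_addr = 0x0000FFFF8000A000ULL;  /* constructed sample address */
    uint64_t sp       = 0x0000FFFFD0001000ULL;  /* constructed modifier */

    uint64_t s = pac_sign(ret_addr, sp, key);
    if (pac_auth(s, sp, key) != ret_addr) return 1;      /* round trip */

    /* Memory-corruption style overwrite: new target, old PAC bits kept. */
    uint64_t overwritten = (s & PAC_MASK) | 0x0000FFFF8000B000ULL;
    if (pac_is_valid(pac_auth(overwritten, sp, key))) return 2;

    /* Same signed pointer, but authenticated under a different context. */
    if (pac_is_valid(pac_auth(s, sp + 16, key))) return 3;
    return 0;
}
```

The point the simulation makes is that the signature lives in the pointer itself and is bound to both a secret key and a context, so a corrupted pointer is rejected at use time rather than at the moment of the overwrite; the article's attack is interesting precisely because it learns the outcome of that check through a side channel instead of through the fault.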
The MIT researchers used a side-channel attack to learn the result of the PAC verification. To do so, they used the processor's speculative execution engine to "guess" values. Processors use speculative execution to have the outcome of calculations ready before it is actually needed, in order to speed up processing. The same trait was used in the Spectre and Meltdown attacks.
Performing a PACMAN attack requires a pre-existing software vulnerability, which somewhat mitigates the impact. Once executed, it is possible to run kernel-level code and take over a system completely, the researchers said. They will demonstrate their attack at the International Symposium on Computer Architecture in New York, which begins June 18.