New PACMAN hardware attack targets Macs with Apple M1 CPUs

Gandalf_The_Grey

A new hardware attack targeting Pointer Authentication in Apple M1 CPUs with speculative execution enables attackers to gain arbitrary code execution on Mac systems.

Pointer Authentication is a security feature that adds a cryptographic signature, known as a pointer authentication code (PAC), to pointers, which allows the operating system to detect and block unexpected changes that would otherwise lead to data leaks or system compromise.

Discovered by researchers at MIT's Computer Science & Artificial Intelligence Laboratory (CSAIL), this new class of attack would allow threat actors with physical access to Macs with Apple M1 CPUs to access the underlying filesystem.

To do that, the attackers first need to find a memory bug affecting software on the targeted Mac that would be blocked by PAC and that can be escalated into a more severe security issue after bypassing PAC defenses.

"PACMAN takes an existing software bug (memory read/write) and turns it into a more serious exploitation primitive (a pointer authentication bypass), which may lead to arbitrary code execution. In order to do this, we need to learn what the PAC value is for a particular victim pointer," the researchers explained.

"PACMAN does this by creating what we call a PAC Oracle, which is the ability to tell if a given PAC matches a specified pointer. The PAC Oracle must never crash if an incorrect guess is supplied. We then brute force all possible PAC values using the PAC Oracle."

While Apple can't patch the hardware to block attacks using this exploitation technique, the good news is that end-users don't need to be worried as long as they keep their software up to date and free of bugs that could be exploited to gain code execution using PACMAN.

"PACMAN is an exploitation technique - on its own it cannot compromise your system. While the hardware mechanisms used by PACMAN cannot be patched with software features, memory corruption bugs can be," the researchers added.


While this attack would typically lead to a kernel panic, crashing the entire system, PACMAN ensures that no system crashes occur and leaves no traces in logs.
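The pointer-signing check described in the post above, as an added example that is not part of the original post or the researchers' code: a software model of signing and authenticating a pointer, showing that a corrupted PAC is rejected and that exactly one PAC value is accepted per pointer. The 48-bit address width, 16-bit PAC field, key, context value and `toy_pac` mixer are assumptions of this model; real hardware uses a dedicated cipher and keys that software cannot read.

```c
#include <stdint.h>
#include <stdio.h>

/* Model assumptions (not from the post): 48-bit addresses, a 16-bit PAC in
   the unused upper bits, and a toy keyed mixer in place of the CPU's cipher. */
#define VA_BITS 48
#define VA_MASK ((1ULL << VA_BITS) - 1)
static const uint64_t DEMO_KEY = 0x9e3779b97f4a7c15ULL; /* constructed key */

/* Toy keyed hash of (address, context), truncated to 16 bits. */
static uint16_t toy_pac(uint64_t addr, uint64_t context) {
    uint64_t x = (addr & VA_MASK) ^ DEMO_KEY ^ (context * 0xff51afd7ed558ccdULL);
    x ^= x >> 33;
    x *= 0xc4ceb9fe1a85ec53ULL;
    return (uint16_t)(x >> 48);
}

/* Sign: store the PAC in the pointer's upper 16 bits. */
uint64_t pac_sign(uint64_t addr, uint64_t context) {
    return (addr & VA_MASK) | ((uint64_t)toy_pac(addr, context) << VA_BITS);
}

/* Authenticate: 1 and the stripped address on a match, 0 on a mismatch.
   In this model a 0 stands for the fault that stops the program. */
int pac_auth(uint64_t signed_ptr, uint64_t context, uint64_t *out) {
    uint64_t addr = signed_ptr & VA_MASK;
    if ((uint16_t)(signed_ptr >> VA_BITS) != toy_pac(addr, context)) return 0;
    *out = addr;
    return 1;
}

/* How many of the 65536 possible PAC fields authenticate for one address. */
unsigned accepted_pac_count(uint64_t addr, uint64_t context) {
    unsigned ok = 0;
    uint64_t out;
    for (uint32_t guess = 0; guess <= 0xFFFF; guess++)
        ok += (unsigned)pac_auth((addr & VA_MASK) | ((uint64_t)guess << VA_BITS), context, &out);
    return ok;
}

int main(void) {
    uint64_t out = 0, addr = 0x0000000100003f20ULL, ctx = 0x16; /* constructed */
    uint64_t p = pac_sign(addr, ctx);
    printf("untouched pointer authenticates: %d\n", pac_auth(p, ctx, &out));
    printf("PAC bit flipped authenticates:   %d\n", pac_auth(p ^ (1ULL << 50), ctx, &out));
    printf("accepted PAC values out of 65536: %u\n", accepted_pac_count(addr, ctx));
    return 0;
}
```

With one accepted value in 65,536, a blind guess in this model almost always ends in the fault, which is why the quoted requirement that the oracle "must never crash" is the part that matters.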
 

upnorth

8-Bit Love GIF by PAC-MAN™