Researchers at MIT's Computer Science and Artificial Intelligence Laboratory have found a flaw in Apple's ARM-based M1 chips, a seemingly significant one that they describe as "unpatchable." The attack is dubbed "Pacman," a reference to the way it works: by guessing a pointer authentication code (PAC), a short cryptographic tag stored in the otherwise unused upper bits of a pointer so that the CPU can detect when the pointer has been tampered with. Speculative execution lets the attacker test each guess without the crash that a wrong PAC would normally trigger. Pointer authentication is implemented in every M-series chip Apple has shipped so far, including the M1, M1 Pro and M1 Max. Apple's own statement suggests the finding is not a serious issue.
“We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques,” spokesperson Scott Radcliffe said in a statement. “Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own.”
The vulnerability lies in a hardware-level security mechanism in Apple's M1 chips called pointer authentication codes, or PAC. When a pointer is stored, the CPU stamps it with a keyed MAC computed over the pointer value and a context value such as the address of the slot holding it; before the pointer is used, the CPU recomputes the MAC and faults on a mismatch. An attacker who corrupts a pointer without knowing the key therefore cannot redirect control flow to code of their choosing, which blunts memory-corruption exploits such as buffer overflows, where writing past the end of a buffer overwrites adjacent data such as a saved return address or a function pointer.
Researchers at MIT's Computer Science and Artificial Intelligence Laboratory, however, have built a novel hardware attack that combines a memory-corruption bug with speculative execution to sidestep the protection. Guessing the PAC outright is impractical because each wrong guess faults and kills the process. Pacman instead hands each guess to the CPU only along a speculative path, so a wrong guess never raises an architecturally visible fault, and reads the verdict back through a microarchitectural side channel. Once the correct PAC is known, the attacker can forge a validly signed pointer. Because the leak comes from the processor's hardware behaviour rather than from any software, no software patch can close it; the attack still needs an existing memory-corruption bug to build on, which is the basis for Apple's statement that it does not bypass operating system protections on its own.
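To make the two paragraphs above concrete, here is an added example written for this page; it is not code from Apple or from the MIT researchers. It is a small C model of pointer signing and authentication, a buffer overflow that overwrites a signed code pointer, and the Pacman-style guessing loop. Everything about the layout is an assumption: a 16-bit PAC in bits 48..63, a toy keyed mixer standing in for the QARMA cipher the hardware uses, the key, the addresses (LEGIT_TARGET, EVIL_TARGET, VICTIM_SLOT) and the frame layout. The oracle is modelled as a plain comparison, because the real attack's cache-timing side channel cannot be reproduced in portable C.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Software model of ARMv8.3 pointer authentication (PAC) and of the PACMAN
 * guessing loop. Added illustration, not Apple's or the MIT team's code.
 * Assumed layout: 16 PAC bits in 48..63 and a toy keyed mixer in place of
 * the QARMA block cipher that real hardware uses. */

#define PAC_BITS   16
#define PAC_SHIFT  48
#define PAC_MASK   (((uint64_t)1 << PAC_BITS) - 1)
#define ADDR_MASK  (((uint64_t)1 << PAC_SHIFT) - 1)

/* Hypothetical victim: a legitimate call target, an attacker gadget, and the
 * stack address of the pointer slot, which serves as the PAC modifier. */
#define LEGIT_TARGET 0x100004000ULL
#define EVIL_TARGET  0x100008000ULL
#define VICTIM_SLOT  0x16FDFF8A0ULL

typedef struct { uint64_t k0, k1; } pac_key_t;

/* Demo key; on real hardware the kernel sets it and user code cannot read it. */
static const pac_key_t DEMO_KEY = { 0x0123456789ABCDEFULL, 0xFEDCBA9876543210ULL };

/* Toy stand-in for the hardware PAC function: MAC(key, address, modifier). */
static uint64_t pac_compute(uint64_t addr, uint64_t modifier, const pac_key_t *key)
{
    uint64_t x = (addr & ADDR_MASK) ^ key->k0;
    x ^= modifier * 0x9E3779B97F4A7C15ULL;
    x ^= x >> 29;  x *= 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 32;  x ^= key->k1;
    x *= 0x94D049BB133111EBULL;  x ^= x >> 31;
    return x & PAC_MASK;
}

/* PAC* instruction: stamp the MAC into the unused upper bits of the pointer. */
static uint64_t pac_sign(uint64_t addr, uint64_t modifier, const pac_key_t *key)
{
    return (addr & ADDR_MASK) | (pac_compute(addr, modifier, key) << PAC_SHIFT);
}

/* AUT* instruction: recompute and compare. Hardware hands back a poisoned
 * pointer that faults on use; the model returns 0 for "authentication failed". */
static uint64_t pac_auth(uint64_t signed_ptr, uint64_t modifier, const pac_key_t *key)
{
    uint64_t addr = signed_ptr & ADDR_MASK;
    if ((signed_ptr >> PAC_SHIFT) != pac_compute(addr, modifier, key))
        return 0;
    return addr;
}

/* How many of the 2^16 possible PAC values for addr does AUT* reject?
 * Exactly one value authenticates, so the answer is PAC_MASK (65535). */
static unsigned count_rejected(uint64_t addr, uint64_t modifier, const pac_key_t *key)
{
    unsigned rejected = 0;
    for (uint64_t guess = 0; guess <= PAC_MASK; guess++)
        if (pac_auth((addr & ADDR_MASK) | (guess << PAC_SHIFT), modifier, key) == 0)
            rejected++;
    return rejected;
}

/* A stack frame: a buffer followed by a signed code pointer (like a saved LR). */
struct frame { char buf[16]; uint64_t signed_fptr; };

/* The attacker's input runs straight through buf into signed_fptr, planting
 * EVIL_TARGET with a chosen PAC. Returns 1 if the forged pointer authenticates
 * (control flow hijacked), 0 if AUT* rejects it (a real process dies here). */
static int overflow_attempt(const pac_key_t *key, uint64_t pac_guess)
{
    struct frame f;
    f.signed_fptr = pac_sign(LEGIT_TARGET, VICTIM_SLOT, key);

    unsigned char payload[sizeof f];                 /* constructed attacker input */
    memset(payload, 'A', sizeof f.buf);
    uint64_t forged = EVIL_TARGET | ((pac_guess & PAC_MASK) << PAC_SHIFT);
    memcpy(payload + sizeof f.buf, &forged, sizeof forged);
    memcpy(&f, payload, sizeof payload);             /* 24 bytes into a 16-byte buffer */

    return pac_auth(f.signed_fptr, VICTIM_SLOT, key) == EVIL_TARGET;
}

/* PACMAN's contribution: the guess is authenticated only speculatively and the
 * verdict observed through a cache side channel, so a wrong guess never reaches
 * the exception that would kill the process. The model just returns the verdict. */
static int pacman_oracle(uint64_t candidate, uint64_t modifier, const pac_key_t *key)
{
    return pac_auth(candidate, modifier, key) != 0;
}

/* Brute-force the PAC for (addr, modifier) without ever faulting. Returns the
 * recovered PAC; if tries is non-NULL it receives the number of oracle queries. */
static uint64_t pacman_recover_pac(uint64_t addr, uint64_t modifier,
                                   const pac_key_t *key, unsigned *tries)
{
    for (uint64_t guess = 0; guess <= PAC_MASK; guess++) {
        if (tries) (*tries)++;
        if (pacman_oracle((addr & ADDR_MASK) | (guess << PAC_SHIFT), modifier, key))
            return guess;
    }
    return 0; /* unreachable: some guess always matches */
}

int main(void)
{
    unsigned tries = 0;
    uint64_t pac = pacman_recover_pac(EVIL_TARGET, VICTIM_SLOT, &DEMO_KEY, &tries);
    printf("wrong PAC values rejected by AUT*: %u of %llu\n",
           count_rejected(LEGIT_TARGET, VICTIM_SLOT, &DEMO_KEY), (unsigned long long)PAC_MASK + 1);
    printf("gadget PAC recovered after %u speculative guesses: 0x%04llx\n",
           tries, (unsigned long long)pac);
    printf("overflow with a blind PAC guess of 0 hijacks control: %d\n", overflow_attempt(&DEMO_KEY, 0));
    printf("overflow with the recovered PAC hijacks control:      %d\n", overflow_attempt(&DEMO_KEY, pac));
    return 0;
}
```

Compile with `cc -O2 pacman_model.c && ./a.out`. The asymmetry is the point: the architectural check in `overflow_attempt` gives an attacker one shot per process, since any wrong guess faults, while `pacman_recover_pac` needs at most 2^16 oracle queries, none of which faults, and on average about half that. Nothing in this loop depends on a software bug in the PAC logic itself, which is why a software patch cannot remove the leak; what software can still do is deny the attacker the memory-corruption primitive the forged pointer needs.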