Arm, which makes blueprints for chips, introduced Pointer Authentication, or PA, to protect pointer integrity. PA makes it more difficult for attackers to covertly modify memory pointers.
That’s where the PACMAN attack comes in. It goes a step further by building a PAC oracle: a way to tell a correct Pointer Authentication Code (PAC) from an invalid one without causing a crash.
The researchers have shown that such a PAC oracle can be used to brute-force the correct value and access a program or operating system, in this case macOS.
The important point is that the operations needed to perform the PACMAN attack do not produce architecturally visible events, so an incorrect guess no longer results in the crash that would otherwise reveal the attempt and halt the brute force.
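To make the mechanism concrete, here is a small added model of Pointer Authentication, written for this article and not taken from the PACMAN paper, Arm or Apple. It treats the PAC as a keyed, truncated MAC over the address and a context value stored in the unused top bits of a pointer, and models the fault a CPU raises when a pointer with a bad PAC is used. The address width, PAC width, the use of HMAC-SHA256 in place of the hardware PAC function, and the sample key and addresses are all assumptions chosen for illustration.

```python
"""Toy model of Arm Pointer Authentication (PA).

Added illustration; not code from the PACMAN paper, Arm or Apple.
A PAC is a keyed, truncated MAC over (address, context) that lives in the
otherwise unused top bits of a 64-bit pointer. The widths below are assumed.
"""
import hashlib
import hmac

ADDR_BITS = 48                      # assumption: 48-bit virtual addresses
PAC_BITS = 16                       # assumption: 16 PAC bits above the address
ADDR_MASK = (1 << ADDR_BITS) - 1
PAC_MAX = (1 << PAC_BITS) - 1


class PointerAuthError(Exception):
    """Models the fault raised when a pointer that failed authentication is used."""


def compute_pac(key: bytes, address: int, context: int) -> int:
    """Truncated HMAC-SHA256 stands in for the hardware PAC function (assumption)."""
    msg = address.to_bytes(8, "little") + context.to_bytes(8, "little")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:2], "little") & PAC_MAX


def sign_pointer(key: bytes, pointer: int, context: int) -> int:
    """Like a PAC* instruction: strip any existing PAC and insert a fresh one."""
    address = pointer & ADDR_MASK
    return address | (compute_pac(key, address, context) << ADDR_BITS)


def authenticate_pointer(key: bytes, signed: int, context: int) -> int:
    """Like an AUT* instruction: recompute the PAC and compare it with the stored
    one. On mismatch real hardware yields an invalid pointer whose later use
    faults; the fault is modelled here as an exception. Returns the plain address."""
    address = signed & ADDR_MASK
    stored = ((signed >> ADDR_BITS) & PAC_MAX).to_bytes(2, "little")
    expected = compute_pac(key, address, context).to_bytes(2, "little")
    if not hmac.compare_digest(stored, expected):
        raise PointerAuthError(f"PAC mismatch for 0x{signed:016x}")
    return address


def is_valid(key: bytes, signed: int, context: int) -> bool:
    """True if the signed pointer authenticates under this key and context."""
    try:
        authenticate_pointer(key, signed, context)
    except PointerAuthError:
        return False
    return True


def pac_guess_space() -> int:
    """Number of distinct PAC values. Without an oracle every wrong guess faults,
    which is what makes blind guessing impractical; the PACMAN oracle removes
    that fault and lets the space be searched silently."""
    return 1 << PAC_BITS


if __name__ == "__main__":
    key = b"constructed-demo-key"        # constructed sample key
    ptr = 0x00007FFFDEADBEE0             # constructed sample address
    signed = sign_pointer(key, ptr, context=42)
    print(f"signed 0x{signed:016x} valid={is_valid(key, signed, 42)}")
    # A memory-corruption bug that overwrites only the address bits leaves the
    # old PAC in place, which no longer matches the new address.
    forged = (signed & ~ADDR_MASK) | 0x00007FFF12345670
    print(f"forged 0x{forged:016x} valid={is_valid(key, forged, 42)}")
    print("PAC values to guess blindly:", pac_guess_space())
```

The point the model makes is the one the article relies on: a pointer whose address bits were corrupted fails authentication, and with a PAC of this width an attacker who cannot observe the check has one chance in 65536 per attempt, with every miss faulting.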
The problem with attacking PAC is that it is impossible to brute-force without causing crashes (in our case kernel panics). But what if there was a way to suppress crashes…?
— Joseph Ravichandran (@0xjprx) June 10, 2022
The team has also shown that the attack works at different privilege levels, meaning it can be used to attack the operating system kernel, the core of an operating system. The vulnerability is not only found in the M1, but also in the beefed-up versions, the M1 Pro and M1 Max.
Since this is a hardware attack, it cannot be addressed with a security patch. Mac users need not be alarmed, however, as this attack can only be carried out if a memory corruption vulnerability also exists.
“We would like to thank the researchers for their collaboration as this proof of concept enhances our understanding of these techniques. Based on our analysis and the details the researchers have shared with us, we have concluded that this issue poses no direct risk to our users and is insufficient to circumvent operating system security measures alone.”