Apple says users don't have to worry about unpatchable chip errors (for now)

Apple’s M1 chip is a game-changer because it’s the first Arm-based chip intended for computers to deliver impressive performance and battery life at the same time. It is also the first desktop processor to support a security feature called Pointer Authentication. MIT researchers have discovered that this feature can be bypassed.

Apparently, attackers can exploit memory corruption vulnerabilities in software and weaknesses in microprocessor design to bypass pointer authentication codes. Memory corruption vulnerabilities are caused by bugs that allow a hacker to tamper with the contents of a memory location and hijack program execution.

Arm, which makes blueprints for chips, introduced Pointer Authentication, or PA, to protect pointer integrity. PA makes it more difficult for attackers to covertly modify memory pointers.

PA uses a cryptographic hash called Pointer Authentication Code, or PAC, to ensure that a pointer has not been modified. To get around such a system, an attacker would have to guess a PAC value. The size of the PAC is sometimes small enough to be ‘brute-forced’ or crack through trial and error. However, a simple brute force approach will not be enough to break PA, as every time an incorrect PA is entered, the program crashes.

That’s where the PACMAN attack comes in. It takes it a step further by building a PAC oracle that can be used to distinguish between a correct PAC and an invalid one without causing crashes.

The researchers have shown that such a PAC oracle can be used to brute-force the correct value and access a program or operating system, in this case macOS.

The important thing to note here is that the operations required to perform the PACMAN attack will not lead to architecture visible events and this would help an attacker avoid the problem where incorrect guesses lead to a crash.

The problem with attacking PAC is that it is impossible to bruteforce without causing crashes (in our case kernel panics). But what if there was a way to suppress crashes…?

— Joseph Ravichandran (@0xjprx) June 10, 2022

The team has also shown that the attack works at different privilege levels, meaning it can be used to attack the operating system kernel, the core of an operating system. The vulnerability is not only found in the M1, but also in the beefed-up versions, the M1 Pro and M1 Max.

Since this is a hardware attack, it cannot be addressed with a security patch. Mac users need not be alarmed, however, as this attack can only be carried out if a memory corruption vulnerability also exists.

Further, TechCrunch contacted Apple for his comments and the Cupertino giant replied that there is no direct risk to users:

We would like to thank the researchers for their collaboration as this proof of concept enhances our understanding of these techniques. Based on our analysis and the details the researchers have shared with us, we have concluded that this issue poses no direct risk to our users and is insufficient to circumvent operating system security measures alone.”

Still, this isn’t something that can be brushed off as insignificant. Many chip makers, including Qualcomm and Samsung, have unveiled or are expected to introduce processors with Pointer Authentication.